Maurice,

I have a couple more questions. In my MySwarmStrategy hasPermission(...)
method I only have to look up the principals that have the denied permission
in them, correct? Here is my override hasPermission(...) method:

        public boolean hasPermission(Permission p)
        {
                if (!super.hasPermission(p))
                {
                        // instanceof tests the hive object itself;
                        // getClass().isInstance(MySimpleCachingHive.class) tested the
                        // Class object instead and was always false
                        if (getHive() instanceof MySimpleCachingHive)
                        {
                                Set<Principal> hivePrincipals =
                                        ((MySimpleCachingHive)getHive()).getPrincipals(p);
                                // Place Set of Principals in the requestcycle or should I
                                // just place the Principal names in requestcycle ?
                        }
                        return false;
                }
                return true;
        }

I had to copy the whole PolicyFileHiveFactory; I don't think I could get to
"private Set inputStreams" or "private Set inputReaders" correctly. Here is
my createHive() method:

        public Hive createHive()
        {
                BasicHive hive;
                if (isUsingHiveCache())
                        hive = new MySimpleCachingHive();
                else
                        hive = new BasicHive();
                ...
        }

I only changed the one line above. In my app I am doing this:

        MyPolicyFileHiveFactory factory = new MyPolicyFileHiveFactory();
        factory.useHiveCache(true);

Will the line above make sure that my MySimpleCachingHive will be used or is
it possible for useHiveCache(false) to be used somewhere else?

Last question. I am not quite sure what to do in MySimpleCachingHive. I know
this is an unrelated question, but I am not sure how to use your
ManyToManyMap. I also am not sure when the addPrincipal(...) and
addPermission(...) methods are called. Does one or the other get called per
Principal that is in the hive? And, will I load up the ManyToManyMap within
these two methods, ending up with this ManyToManyMap that will have all the
Principals of the hive with their associated Permissions in them?

Here is my MySimpleCachingHive:

public class MySimpleCachingHive extends SimpleCachingHive
{
        ...

        private ManyToManyMap hivePrincipalsAndPermissions;

        public void addPrincipal(Principal principal, Collection permissions)
        {
                super.addPrincipal(principal, permissions);
                // Load hivePrincipalsAndPermissions ?
        }

        public void addPermission(Principal principal, Permission permission)
        {
                super.addPermission(principal, permission);
                // Load hivePrincipalsAndPermissions ?
        }

        public Set<Principal> getPrincipals(Permission p)
        {
                // Return Set of Principals related to permission
        }

}

Thank you for your time, you have been a great help.

Warren,
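
The lookup this thread is working toward (record which principals grant each permission, then subtract the principals the subject already holds), as an added, self-contained example that is not code from the thread or from wicket-security. Assumptions: the class DeniedPermissionLookup and its missingPrincipals method are hypothetical, principals and permissions are plain strings, a HashMap stands in for ManyToManyMap, and permissions are matched by exact name only.

```java
import java.util.*;

/** Hypothetical stand-in for the reverse index a custom hive would keep. */
public class DeniedPermissionLookup {
    // permission name -> names of the principals that grant it
    private final Map<String, Set<String>> principalsByPermission = new HashMap<>();

    // Mirrors addPrincipal(Principal, Collection): one principal, many permissions.
    public void addPrincipal(String principal, Collection<String> permissions) {
        for (String permission : permissions) {
            addPermission(principal, permission);
        }
    }

    // Mirrors addPermission(Principal, Permission): one principal/permission pair.
    public void addPermission(String principal, String permission) {
        principalsByPermission
                .computeIfAbsent(permission, k -> new TreeSet<>())
                .add(principal);
    }

    // Every principal that grants the permission; empty when no principal does.
    public Set<String> getPrincipals(String permission) {
        return Collections.unmodifiableSet(
                principalsByPermission.getOrDefault(permission, Collections.emptySet()));
    }

    // Principals that grant the denied permission but are not held by the subject.
    // These are the names an access denied page would report.
    public Set<String> missingPrincipals(String denied, Set<String> subjectPrincipals) {
        Set<String> missing = new TreeSet<>(getPrincipals(denied));
        missing.removeAll(subjectPrincipals);
        return missing;
    }

    public static void main(String[] args) {
        DeniedPermissionLookup hive = new DeniedPermissionLookup();
        // Constructed sample policy, not taken from any real policy file.
        hive.addPrincipal("managers", Arrays.asList("ReportsPage:render", "ReportsPage:enable"));
        hive.addPrincipal("auditors", Arrays.asList("ReportsPage:render"));
        hive.addPermission("clerks", "OrdersPage:render");

        Set<String> subject = new HashSet<>(Arrays.asList("clerks"));
        // Permission granted by two principals the subject lacks.
        System.out.println(hive.missingPrincipals("ReportsPage:render", subject));
        // Permission granted by no principal at all: the result is empty.
        System.out.println(hive.missingPrincipals("AdminPage:render", subject));
    }
}
```

The empty result is the case raised further down the thread, a permission that belongs to no principal, so the access denied page needs a fallback message for it.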

> -----Original Message-----
> From: Maurice Marrink [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 13, 2008 11:57 PM
> To: users@wicket.apache.org
> Subject: Re: wicket-security Custom Access Denied Page
>
>
> Use cache is default true (i think by the constructor but i don't have
> the code with me right now)
>
> So you don't have to worry about that.
>
> Maurice
> On Thu, Feb 14, 2008 at 4:04 AM, Warren
> <[EMAIL PROTECTED]> wrote:
> > I have started implementing your suggestions and I have a question. When I
> >  override the method createHive() in PolicyFileHiveFactory do I need to set
> >  useHiveCache(true) if I am extending SimpleCachingHive?
> >
> >         public Hive createHive()
> >         {
> >                 // Do I need to do this
> >                 super.useHiveCache(true);
> >                 BasicHive hive = new MySimpleCachingHive();
> >                 ...
> >         }
> >
> >  Or should I set this method in my app after I create the factory.
> >
> >  MyPolicyFileHiveFactory factory = new MyPolicyFileHiveFactory();
> >  factory.useHiveCache(true);
> >
> >  Or should I even worry about this?
> >
> >
> >
> >  > -----Original Message-----
> >  > From: Warren [mailto:[EMAIL PROTECTED]
> >  > Sent: Wednesday, February 13, 2008 4:30 PM
> >  > To: users@wicket.apache.org
> >  > Subject: RE: wicket-security Custom Access Denied Page
> >  >
> >  >
> >  > I think I am following your example correctly. What I will end up with is
> >  > the names of one or more principals that have the permission that was
> >  > denied. Those one or more principals will not belong to the current subject.
> >  > Then I can use the names of those principals to construct a message. You
> >  > could end up with a permission that does not belong to any principal. Strike
> >  > that, that would mean that no one would be able to access that component. I
> >  > will give this a try. I am sure I will have more questions.
> >  >
> >  > Thanks,
> >  >
> >  > > -----Original Message-----
> >  > > From: Maurice Marrink [mailto:[EMAIL PROTECTED]
> >  > > Sent: Wednesday, February 13, 2008 2:56 PM
> >  > > To: users@wicket.apache.org
> >  > > Subject: Re: wicket-security Custom Access Denied Page
> >  > >
> >  > >
> >  > > It actually is a bit trickier than that.
> >  > > Swarm does not check for principals, it checks for permissions.
> >  > > The same permission might be shared by multiple principals.
> >  > > To get that information you need to dig deep.
> >  > > You can't wait for the wicket UnAuthorizedActionException since all it
> >  > > will tell you is the component and what wicket action was not
> >  > > authorized (although if you have a really simple policy you might
> >  > > figure it out with this information).
> >  > > Swarm can tell you, but truthfully the api lacks in that area, i'll see
> >  > > if i can fix this for 1.3.1.
> >  > >
> >  > > For now your best bet is probably to subclass SwarmStrategy, override
> >  > > hasPermission(Permission). Most checks use this method but it is
> >  > > always possible for a custom ISecurityCheck to bypass this.
> >  > > public boolean hasPermission(Permission p)
> >  > > {
> >  > >  if(!super.hasPermission(p))
> >  > >  {
> >  > >   //now we know the permission and we can find out which principals have it
> >  > >   //since the hive api does not give that info we need to use a custom
> >  > >   //hive, more on that later
> >  > >   //for now do something like getHive().getPrincipals(p);
> >  > >   //then we need to get the subject and check if it has any of those
> >  > >   //principals, the one (or more) that are missing are the one(s) we are
> >  > >   //interested in
> >  > >   //use getSubject().getPrincipals()
> >  > >   //store those principals somewhere in the requestcycle
> >  > >   return false;
> >  > >  }
> >  > >  return true;
> >  > > }
> >  > > In order to use this new Strategy you need to extend
> >  > > SwarmStrategyFactory and override newStrategy to return your subclass.
> >  > > Then you need to override setupStrategyFactory in your application to
> >  > > do setStrategyFactory(new MySwarmStrategyFactory(getHiveKey()));
> >  > >
> >  > > Next we need to extend our hive so we can ask it which principals
> >  > > belong to which permission (of course the hive already has this
> >  > > information but you can not access it)
> >  > > If you are using 1.3.0 rc1 you are probably using the
> >  > > SimpleCachingHive, extend it and override 2 methods
> >  > > addPrincipal(Principal , Collection ) and addPermission(Principal ,
> >  > > Permission )
> >  > > to record which principal has which permissions you can use a
> >  > > ManyToManyMap for this, it is also used internally the information
> >  > > recorded can then be exposed in a method like public Set<Principal>
> >  > > getPrincipals(Permission)
> >  > > This will duplicate all recordings but your other option is to copy
> >  > > BasicHive and SimpleCachingHive entirely and create the getPrincipals
> >  > > method.
> >  > >
> >  > > Either way you will need to use this new hive and to do that we need
> >  > > to extend PolicyFileHiveFactory (or SwarmPolicyFileHiveFactory if you
> >  > > are using the latest 1.3-snapshots), override the createHive() method.
> >  > > You can pretty much copy everything from PolicyFileHiveFactory except
> >  > > for the first 5 lines you need to create your own hive there. Also
> >  > > while copying you will run into a few private variables but you should
> >  > > be able to replace those with their getters (although i might have
> >  > > missed some, if that is the case you have to copy the entire class).
> >  > > In your application's setupHive method you are already creating the
> >  > > hivefactory, simply replace it with this custom one.
> >  > >
> >  > > And that should do the trick. Sorry the api is not more accommodating
> >  > > to your needs i'll see if i can make some improvements anytime soon
> >  > > for the 1.3-snapshot (1.3.1), but i also have to release 1.3.0 final
> >  > > sometime soon.
> >  > >
> >  > > Maurice
> >  > >
> >  > > P.S. i did not cover the part about providing the application with
> >  > > your own requestcycle but just look for newRequestCycle in your
> >  > > application ;)
> >  > >
> >  > >
> >  > > On Feb 13, 2008 6:49 PM, Igor Vaynberg <[EMAIL PROTECTED]> wrote:
> >  > > > stick that name into requestcycle's metadata, and pull it out in your
> >  > > > implementation of access denied page
> >  > > >
> >  > > > -igor
> >  > > >
> >  > > >
> >  > > >
> >  > > > On Feb 13, 2008 8:31 AM, Warren <[EMAIL PROTECTED]> wrote:
> >  > > > > I understand that, but what I want to do is create a message on that page
> >  > > > > that reads "Users in group xxx do not have access to yyy" where yyy would be
> >  > > > > the name of the principal that triggered the access denied. I need to get
> >  > > > > the name of that principal.
> >  > > > >
> >  > > > >
> >  > > > > > -----Original Message-----
> >  > > > > > From: Maurice Marrink [mailto:[EMAIL PROTECTED]
> >  > > > > > Sent: Wednesday, February 13, 2008 12:12 AM
> >  > > > > > To: users@wicket.apache.org
> >  > > > > > Subject: Re: wicket-security Custom Access Denied Page
> >  > > > > >
> >  > > > > >
> >  > > > > > In the init of your webapp do
> >  > > > > > getApplicationSettings().setAccessDeniedPage(MyPage.class)
> >  > > > > >
> >  > > > > > This is a wicket setting and not related to the security framework.
> >  > > > > >
> >  > > > > > Maurice
> >  > > > > >
> >  > > > > > On Feb 12, 2008 7:50 PM, Warren <[EMAIL PROTECTED]> wrote:
> >  > > > > > > How do you set-up a custom "access denied page" that has a message on it
> >  > > > > > > like "Users in group xxx do not have access to yyy"? I also want to have
> >  > > > > > > this page return to the previous page the user was on. I am using
> >  > > > > > > wicket-security (wasp and swarm).
> >  > > > > > >
> >  > > > > > > Thanks,
> >  > > > > > >
> >  > > > > > > Warren Bell
> >  > > > > > >
> >  > > > > > >
> >  > > > > > >
> >  > > > > > > ---------------------------------------------------------------------
> >  > > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> >  > > > > > > For additional commands, e-mail: [EMAIL PROTECTED]