Yes, this would work if you did not need to give the user any type of
indication why they cannot go to that page. My app is very flexible in that
an administrator can adjust security settings based on their company's
policies. Say, for instance, I have a whole ordering section of my app where
a user can go and place orders for product. A user in the user group
Cashiers cannot order in one company but can in another. The Administrator
would simply add or exclude the ordering permission for the Cashiers group
based on what the company's policies are. The Administrator does this in
another stand-alone app. My app reads these permissions from the other app's
database and converts them to Principals and then adds those Principals to
the Subject through a loop. One permission in the other app will equal one or
more permissions in one Principal in my app.

import java.util.Map;
// DefaultSubject comes from Swarm (wicket-security); ScanManPrincipal is the app's own Principal.

// Build the Subject from the security levels the other app's database assigns
// to this user's group: one ScanManPrincipal per level.
DefaultSubject subject = new DefaultSubject();
for (Map<String, String> securityLevel : user.getUserGroup().getSecurityLevels())
{
        // The "level" value of each row names the principal to grant.
        subject.addPrincipal(new ScanManPrincipal(securityLevel.get("level")));
}
return subject;

You may wonder, why doesn't the cashier simply say "Hey, I can't order"? Well,
in that situation maybe, but in other situations it's not so clear why a
user was denied access, and in my experience, the users of my app are not
the brightest. Now, for a permission like "Show Cost", you would just show or
not show the cost, with no explanation.

> -----Original Message-----
> From: Maurice Marrink [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 20, 2008 8:28 AM
> To: [email protected]
> Subject: Re: Wicket-security wish list
>
>
> Johan is correct, you should use SecurePageLinks or other Links that
> are protected to prevent users from ever seeing or clicking the link.
>
> Maurice
>
> On Feb 20, 2008 5:21 PM, Johan Compagner <[EMAIL PROTECTED]> wrote:
> > Why do you get access denied pages a lot in your app?
> > I would say a user shouldn't be able to click on that link in the first
> > place. Only maybe when he tampers with it. But if you have session
> > pages, that shouldn't be a problem. (only bookmarkable pages where
> > a user has to first login for)
> >
> >
> > On 2/19/08, Warren <[EMAIL PROTECTED]> wrote:
> > > Maurice,
> > >
> > > I was thinking about this "Access Denied" message problem I have been
> > > working on and thought up some features that might be useful in future
> > > releases. It would be nice to be able to configure "Access Denied"
> > > messages directly into the hive like this:
> > >
> > > grant principal com.scanman.security.authorization.ScanManPrincipal "ScanMan Receiving" "Principal Access Denied Message Here"
> > > {
> > >       permission ${ComponentPermission} "${RecvMenu}", "inherit, render, enable", "Permission Access Denied Message Here";
> > > };
> > > grant principal com.scanman.security.authorization.ScanManPrincipal "ScanMan Ordering" "Principal Access Denied Message Here"
> > > {
> > >       permission ${ComponentPermission} "${OrderMenu}", "inherit, render, enable", "Permission Access Denied Message Here";
> > > };
> > >
> > > I believe you are following some kind of standard for how the hive is
> > > set up, so I am not sure this would work. But anyway, you could then set up
> > > the configuration of how these messages were used in the
> > > SwarmWebApplication. For example, put them into the error queue, or take
> > > advantage of message resources, message keys and localization and so on. I
> > > ended up putting these messages into the error queue from MySwarmStrategy
> > > and it works great.
> > >
> > > I can't imagine that a feature like this would not be of some value to other
> > > users. My app has a lot of different levels of security and permissions that
> > > the Administrative user can configure within a separate "Point of Sale" app.
> > > Messages of this sort are valuable to a user so that security levels and
> > > permissions can be tweaked to best suit a company's policies. A simple
> > > "Access Denied" message gives little clue as to why access was denied.
> > >
> > > That's my two cents. Thanks for all the help you have given me. Your project
> > > surely deserves a lot of credit.
> > >
> > > Thanks,
> > >
> > > Warren Bell
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> >
> >
> >
>
>

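As an added illustration (my own code, not part of this thread or of wicket-security/Swarm), here is a small Python model of the hive syntax Warren proposed above, with a lookup that returns the most specific denial text: the permission's own message when the subject holds the principal but not all the required actions, otherwise the message of the principal that would have granted access. The grant text, the messages and the "required actions are a subset of granted actions" rule are constructed assumptions for the demo.

```python
import re

# Constructed sample in the syntax proposed in the thread (not a real Swarm
# hive): the extra quoted string after the principal name, and after each
# permission's action list, is the proposed access-denied message.
HIVE = '''
grant principal com.scanman.security.authorization.ScanManPrincipal "ScanMan Receiving" "Ask an administrator for the Receiving level"
{
    permission ${ComponentPermission} "${RecvMenu}", "inherit, render, enable", "Receiving is turned off for your group";
};
grant principal com.scanman.security.authorization.ScanManPrincipal "ScanMan Ordering" "Your group has no Ordering level"
{
    permission ${ComponentPermission} "${OrderMenu}", "inherit, render", "Ordering is view-only for your group";
};
'''
GRANT_RE = re.compile(r'grant principal (\S+) "([^"]*)" "([^"]*)"\s*\{(.*?)\};', re.S)
PERM_RE = re.compile(r'permission \$\{(\w+)\} "([^"]*)", "([^"]*)"(?:, "([^"]*)")?;')

def parse_hive(text):
    """Return {principal name: (principal message, [(target, actions, message), ...])}."""
    hive = {}
    for _cls, name, msg, body in GRANT_RE.findall(text):
        perms = [(target, frozenset(a.strip() for a in actions.split(',')), pmsg or msg)
                 for _kind, target, actions, pmsg in PERM_RE.findall(body)]
        hive[name] = (msg, perms)
    return hive

def check(levels, hive, target, required):
    """levels: the 'level' strings the mail's loop turns into ScanManPrincipals.
    Returns (allowed, message): '' when allowed, else the most specific denial text."""
    need = frozenset(required)
    held = [hive[l] for l in levels if l in hive]  # unknown levels grant nothing
    if any(t == target and need <= acts for _m, perms in held for t, acts, _pm in perms):
        return True, ''
    # Denied. Prefer the permission-level message of a principal the subject holds
    # (it has the permission, just not all the required actions) ...
    for _msg, perms in held:
        for t, _acts, pmsg in perms:
            if t == target:
                return False, pmsg
    # ... otherwise the principal-level message of whichever grant would allow it.
    for msg, perms in hive.values():
        if any(t == target for t, _a, _p in perms):
            return False, msg
    return False, 'Access Denied'
```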

