Hi,

thanks for the test example. With its help I found the error in the 
policy file:
the permission of the page must not contain the inherit action when there are 
secure components on the page which are not permitted.

 

grant principal org.apache.wicket.security.hive.authorization.SimplePrincipal "APPL_TEST"
{
    permission ${ComponentPermission} "${front}.ProductAreaListPage", "render";
    permission ${ComponentPermission} "${front}.ProductAreaListPage", "enable";
};

Now a user with permission "APPL_TEST" can open the page ProductAreaListPage, 
but he cannot see the secure component "resultHiddenPanel".
When the action "inherit" is added to the first line, the "resultHiddenPanel" 
is visible.

I need the second line, because the user calls the page via the menu (link).

 

grant principal org.apache.wicket.security.hive.authorization.SimplePrincipal "APPL_ADMIN"
{
    permission ${ComponentPermission} "${front}.ProductAreaListPage:resultHiddenPanel", "inherit, render";
    permission ${ComponentPermission} "${front}.ProductAreaListPage", "enable";
};

A user who has the permission "APPL_ADMIN" can see the page and the secure 
component "resultHiddenPanel".
So am I right that the first line implies the security permission for the page?

 

I have changed to 1.3-SNAPSHOT and I will go on working with that.

Andrea


*From:* [email protected]
*Sent:* 14.05.08 00:07:49
*To:* [email protected]
*Subject:* Re: Swarm: Authorization for WebMarkupContainer



Ok, so i did some testing (and in the process found another bug,
unrelated to your issue :)), but i could not reproduce your permission
denied.
Here is my simple setup:

import org.apache.wicket.markup.html.WebMarkupContainer;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.security.actions.WaspAction;
import org.apache.wicket.security.checks.ContainerSecurityCheck;
import org.apache.wicket.security.checks.ISecurityCheck;
import org.apache.wicket.security.components.ISecureComponent;
import org.apache.wicket.security.components.SecureComponentHelper;
import org.apache.wicket.security.components.SecureWebPage;

public class ContainerPage2 extends SecureWebPage
{
    /**
     * Construct.
     */
    public ContainerPage2()
    {
        add(new Label("label", "always visible"));
        SecureMarkupContainer container = new SecureMarkupContainer("secure");
        container.add(new Label("hidden", "hidden label"));
        add(container);
    }

    /**
     * Simple secure container.
     *
     * @author marrink
     */
    private static final class SecureMarkupContainer extends WebMarkupContainer
            implements ISecureComponent
    {
        private static final long serialVersionUID = 1L;

        /**
         * Construct.
         *
         * @param id
         */
        public SecureMarkupContainer(String id)
        {
            super(id);
            setSecurityCheck(new ContainerSecurityCheck(this));
        }

        /**
         * @see org.apache.wicket.security.components.ISecureComponent#getSecurityCheck()
         */
        public ISecurityCheck getSecurityCheck()
        {
            return SecureComponentHelper.getSecurityCheck(this);
        }

        /**
         * @see org.apache.wicket.security.components.ISecureComponent#isActionAuthorized(java.lang.String)
         */
        public boolean isActionAuthorized(String waspAction)
        {
            return SecureComponentHelper.isActionAuthorized(this, waspAction);
        }

        /**
         * @see org.apache.wicket.security.components.ISecureComponent#isActionAuthorized(org.apache.wicket.security.actions.WaspAction)
         */
        public boolean isActionAuthorized(WaspAction action)
        {
            return SecureComponentHelper.isActionAuthorized(this, action);
        }

        /**
         * @see org.apache.wicket.security.components.ISecureComponent#isAuthenticated()
         */
        public boolean isAuthenticated()
        {
            return SecureComponentHelper.isAuthenticated(this);
        }

        /**
         * @see org.apache.wicket.security.components.ISecureComponent#setSecurityCheck(org.apache.wicket.security.checks.ISecurityCheck)
         */
        public void setSecurityCheck(ISecurityCheck check)
        {
            SecureComponentHelper.setSecurityCheck(this, check);
        }
    }
}

and my policy file looks like this:

grant principal ${SimplePrincipal} "container4"
{
    //this does not permit secure components on a ContainerPage2 to be visible
    permission ${ComponentPermission} "${myPackage}.ContainerPage2", "render";
    permission ${ComponentPermission} "${myPackage}.ContainerPage2", "enable";
};
grant principal ${SimplePrincipal} "container5"
{
    //this grants the permission to any component with id "secure" on a ContainerPage2
    permission ${ComponentPermission} "${myPackage}.ContainerPage2:secure", "inherit, render";
    permission ${ComponentPermission} "${myPackage}.ContainerPage2", "enable";
};
grant principal ${SimplePrincipal} "container6"
{
    //this grants the permission to any SecureMarkupContainer inside a ContainerPage2
    permission ${ComponentPermission} "${myPackage}.ContainerPage2:${myPackage}.ContainerPage2$SecureMarkupContainer", "inherit, render";
    permission ${ComponentPermission} "${myPackage}.ContainerPage2", "enable";
};
grant principal ${SimplePrincipal} "container7"
{
    //this grants the permission to any SecureMarkupContainer, even when placed on other pages (if it wasn't a private class)
    permission ${ComponentPermission} "${myPackage}.ContainerPage2$SecureMarkupContainer", "inherit, render";
    permission ${ComponentPermission} "${myPackage}.ContainerPage2", "enable";
};

Argh, i am only just reading you are using 1.3.1-SNAPSHOT. You should
be using 1.3-SNAPSHOT. That does it i am deleting those jars.

Maurice

On Tue, May 13, 2008 at 8:10 PM, Maurice Marrink <[EMAIL PROTECTED]> wrote:
> On Tue, May 13, 2008 at 6:48 PM, Andrea Jahn <[EMAIL PROTECTED]> wrote:
> >
> > Hi,
> >
>
> > I've changed to the 1.3.1-SNAPSHOT version. Therefore I have only replaced 
> > the constructor PolicyFileHiveFactory() by 
> > PolicyFileHiveFactory(ActionFactory).
> > The result was the same as with version 1.3.0 (resultHiddenPanel not 
> > visible and the same output in the logfile).
>
> Are you using the SwarmPolicyFileHiveFactory? see
> http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security+1.3.1#Wicket-Security1.3.1-migrateto1.3.1
>
>
> >
> > Then I changed the ContainerSecurityCheck with a ComponentSecurityCheck in 
> > the class SecureWebMarkupContainer.
> > The resultHiddenPanel now is always visible (also when the user has not the 
> > permission).
>
> Well like i said earlier permission ${ComponentPermission}
> "xxx.yyy.zzz.front.ProductAreaListPage", "inherit, render"; is
> sufficient to allow the entire page to be rendered, does your policy
> file contain another grant statement with a similar permission?
>
>
> >
> > Logfile:
> >
> > 2008-05-13 18:30:30,880 DEBUG 
> > org.apache.wicket.security.hive.BasicHive.hasPermission(BasicHive.java:214) 
> > - Subjects[HashKey: 821489378, sortOrder 0 = [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] implies 
> > org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
> >  "xxx.yyy.zzz.front.ProductAreaListPage:resultHiddenPanel" "access, render"
> >
> > 2008-05-13 18:30:32,583 DEBUG 
> > org.apache.wicket.security.hive.BasicHive.hasPermission(BasicHive.java:188) 
> > - Subjects[HashKey: 821489378, sortOrder 0 = [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] has a cached match for 
> > org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
> >  "xxx.yyy.zzz.front.ProductAreaListPage:resultHiddenPanel" "access, 
> > render", result true
> >
> >
> > Perhaps I have made another mistake ?
>
> Hmm, the ContainerSecurityCheck should have worked, let me see if i
> can reproduce that with a test.
>
>
>
> >
> >
> >
> > Maurice,
> >
> > thank you very much for the quick replies !
> > Should I (or could you) delete my first question from the "Getting started 
> > with SWARM" page, as it was the wrong place to post the question ?
> >
>
> Deleted.
>
> Maurice
>
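
Added example (not part of the original thread and not Wicket-Security code): a small Python check that parses a hive policy in the format shown above and reports grants that put "inherit" on a target with no ":component" path, which is the mistake identified at the top of this thread. The sample policy is constructed from Andrea's two grants with the faulty "inherit" restored on the APPL_TEST page permission; the function names are hypothetical.

```python
import re

# Constructed sample: Andrea's two grants, with the faulty "inherit" on the
# APPL_TEST page permission that the thread identifies as the mistake.
SAMPLE_POLICY = '''
grant principal org.apache.wicket.security.hive.authorization.SimplePrincipal "APPL_TEST"
{
    // page-level grant: "inherit" here also covers resultHiddenPanel
    permission ${ComponentPermission} "${front}.ProductAreaListPage", "inherit, render";
    permission ${ComponentPermission} "${front}.ProductAreaListPage", "enable";
};
grant principal org.apache.wicket.security.hive.authorization.SimplePrincipal "APPL_ADMIN"
{
    permission ${ComponentPermission}
        "${front}.ProductAreaListPage:resultHiddenPanel", "inherit, render";
    permission ${ComponentPermission} "${front}.ProductAreaListPage", "enable";
};
'''

# grant principal <class> "<name>" { ... };
GRANT_RE = re.compile(r'grant\s+principal\s+\S+\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
# permission <class> "<target>", "<actions>";
PERM_RE = re.compile(r'permission\s+\S+\s+"([^"]+)"\s*,\s*"([^"]*)"\s*;')


def parse_policy(text):
    """Return (principal, target, actions) for every permission entry."""
    text = re.sub(r'//[^\n]*', '', text)  # drop // comments before matching
    grants = []
    for principal, body in GRANT_RE.findall(text):
        for target, actions in PERM_RE.findall(body):
            action_set = frozenset(
                a.strip().lower() for a in actions.split(',') if a.strip())
            grants.append((principal, target, action_set))
    return grants


def page_wide_inherit(grants):
    """Grants that carry 'inherit' on a target without a ':component' path."""
    return [(p, t, sorted(a - {'inherit'}))
            for p, t, a in grants
            if 'inherit' in a and ':' not in t]


if __name__ == '__main__':
    for principal, target, actions in page_wide_inherit(parse_policy(SAMPLE_POLICY)):
        print(f'{principal}: {target} passes {actions} down to its secure components')
```

The check is purely syntactic: it does not evaluate Swarm's permission logic, it only points a reviewer at the grants where "inherit" is attached to a whole page or class rather than to a named component.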
