I just tried to reproduce the problem, why the resultHiddenPanel was not
visible, when I used the ContainerSecurityCheck in the class
SecureWebMarkupContainer (what I do now also). I used the old policy file, the
PolicyFileHiveFactory instead of the SwarmPolicyFileHiveFactory, ... but I
cannot reproduce the permission denied.
Now it always works correct ;-)
I think the reason is eliminated in 1.3-SNAPSHOT .
Now I will try to secure other types of components on the pages, test the
different settings for the permissions you explained below and after that I
have to find out how to set data permissions.
Andrea
*Von:* users@wicket.apache.org
*Gesendet:* 14.05.08 12:35:11
*An:* users@wicket.apache.org
*Betreff:* Re: Swarm: Authorization for WebMarkupContainer
On Wed, May 14, 2008 at 11:53 AM, Andrea Jahn <[EMAIL PROTECTED]> wrote:
>
>
>
>
> Hi,
>
> thanks for the test example. With the help of that I found the error in the
> policy file:
> the permission of the page must not contain the inherit action, when there
> are secure components on the page, which are not permitted.
Thats why i asked :)
>
>
>
> grant principal org.apache.wicket.security.hive.authorization.SimplePrincipal
> "APPL_TEST"
> {
> permission ${ComponentPermission} "${front}.ProductAreaListPage", "render";
> permission ${ComponentPermission} "${front}.ProductAreaListPage", "enable";
> };
>
> Now a user with permission "APPL_TEST" can open the page ProductAreaListPage,
> but he cannot see the secure component "resultHiddenPanel".
> When the action "inherit" is added to the first line, the "resultHiddenPanel"
> is visible.
>
> I need the second line, because the user calls the page via the menu (link).
Correct, however you can shorten it to one permission with a "render,
enable" action.
The reason i always split my permissions "inherit, render" and
"enable" is because i often want all child components to be visible
but not all of them editable (enabled)
In this case there is no inherit action and thus you can put
everything in 1 permission.
>
>
>
> grant principal org.apache.wicket.security.hive.authorization.SimplePrincipal
> "APPL_ADMIN"
> {
> permission ${ComponentPermission}
> "${front}.ProductAreaListPage:resultHiddenPanel", "inherit, render";
> permission ${ComponentPermission} "${front}.ProductAreaListPage", "enable";
> };
>
> A user who has the permission "APPL_ADMIN" can see the page and the secure
> component "resultHiddenPanel".
> So am I right, that the first line implies the security permission for the
> page ?
Both do actually. "inherit render" is for visibility and to allow
users to instantiate that page. (page instantiation is actually the
"access" action but it is implied by every other action and therefore
can be omitted from the policy. It is used internally though).
"enable" is used by SecurePageLinks. For example if i have a
SecurePageLink "link" on a Page A pointing to Page B and i want only
specific users to have access to B then i would add permission
${ComponentPermission} "B", "enable";
for those users. every other user will not see the link. although it
is logical if you think about it it is different from other components
where a permission ${ComponentPermission} "A:link", "render"; or
permission ${ComponentPermission} "A", "inherit, render"; would be
required. This behavior can be changed though :)
Hmm reading back the above i can see how you might get a bit confused.
I was just trying to explain it, maybe a bit to condensed.
Anyhow most people require both permissions :)
Maurice
>
>
>
> I have changed to 1.3-SNAPSHOT and I will go on working with that.
>
>
> Andrea
>
>
> *Von:* users@wicket.apache.org
> *Gesendet:* 14.05.08 00:07:49
>
> *An:* users@wicket.apache.org
> *Betreff:* Re: Swarm: Authorization for WebMarkupContainer
>
>
>
>
>
> Ok, so i did some testing (and in the process found another bug,
> unrelated to your issue :)), but i could not reproduce your permission
> denied.
> Here is my simple setup:
>
> public class ContainerPage2 extends SecureWebPage
> {
>
> /**
> * Construct.
> */
> public ContainerPage2()
> {
> add(new Label("label", "always visible"));
> SecureMarkupContainer container = new SecureMarkupContainer("secure");
> container.add(new Label("hidden", "hidden label"));
> add(container);
> }
>
> /**
> * Simple secure container.
> *
> * @author marrink
> */
> private static final class SecureMarkupContainer extends WebMarkupContainer
> implements
> ISecureComponent
> {
> /**
> *
> */
> private static final long serialVersionUID = 1L;
>
> /**
> *
> * Construct.
> *
> * @param id
> */
> public SecureMarkupContainer(String id)
> {
> super(id);
> setSecurityCheck(new ContainerSecurityCheck(this));
> }
>
> /**
> *
> * @see
> org.apache.wicket.security.components.ISecureComponent#getSecurityCheck()
> */
> public ISecurityCheck getSecurityCheck()
> {
> return SecureComponentHelper.getSecurityCheck(this);
> }
>
> /**
> *
> * @see
> org.apache.wicket.security.components.ISecureComponent#isActionAuthorized(java.lang.String)
> */
> public boolean isActionAuthorized(String waspAction)
> {
> return SecureComponentHelper.isActionAuthorized(this, waspAction);
> }
>
> /**
> *
> * @see
> org.apache.wicket.security.components.ISecureComponent#isActionAuthorized(org.apache.wicket.security.actions.WaspAction)
> */
> public boolean isActionAuthorized(WaspAction action)
> {
> return SecureComponentHelper.isActionAuthorized(this, action);
> }
>
> /**
> *
> * @see
> org.apache.wicket.security.components.ISecureComponent#isAuthenticated()
> */
> public boolean isAuthenticated()
> {
> return SecureComponentHelper.isAuthenticated(this);
> }
>
> /**
> *
> * @see
> org.apache.wicket.security.components.ISecureComponent#setSecurityCheck(org.apache.wicket.security.checks.ISecurityCheck)
> */
> public void setSecurityCheck(ISecurityCheck check)
> {
> SecureComponentHelper.setSecurityCheck(this, check);
> }
>
> }
>
> }
>
> and my policy file looks like this:
>
> grant principal ${SimplePrincipal} "container4"
> {
> //this does not permit secure components on a ContainerPage2 to be visible
> permission ${ComponentPermission} "${myPackage}.ContainerPage2", "render";
> permission ${ComponentPermission} "${myPackage}.ContainerPage2", "enable";
> };
> grant principal ${SimplePrincipal} "container5"
> {
> //this grants the permission to any component with id "secure" on a
> ContainerPage2
> permission ${ComponentPermission}
> "${myPackage}.ContainerPage2:secure", "inherit, render";
> permission ${ComponentPermission} "${myPackage}.ContainerPage2", "enable";
> };
> grant principal ${SimplePrincipal} "container6"
> {
> //this grants the permission to any SecureMarkupContainer inside a
> ContainerPage2
> permission ${ComponentPermission}
> "${myPackage}.ContainerPage2:${myPackage}.ContainerPage2$SecureMarkupContainer",
> "inherit, render";
> permission ${ComponentPermission} "${myPackage}.ContainerPage2", "enable";
> };
> grant principal ${SimplePrincipal} "container7"
> {
> //this grants the permission to any SecureMarkupContainer, even when
> placed on other pages (if it wasn't a private class)
> permission ${ComponentPermission}
> "${myPackage}.ContainerPage2$SecureMarkupContainer", "inherit,
> render";
> permission ${ComponentPermission} "${myPackage}.ContainerPage2", "enable";
> };
>
>
> Argh, i am only just reading you are using 1.3.1-SNAPSHOT. You should
> be using 1.3-SNAPSHOT. That does it i am deleting those jars.
>
> Maurice
>
>
> On Tue, May 13, 2008 at 8:10 PM, Maurice Marrink <[EMAIL PROTECTED]> wrote:
> > On Tue, May 13, 2008 at 6:48 PM, Andrea Jahn <[EMAIL PROTECTED]> wrote:
> > >
> > > Hi,
> > >
> >
> > > I've changed to the 1.3.1-SNAPSHOT version. Therefore I have only
> > > replaced the constructor PolicyFileHiveFactory() by
> > > PolicyFileHiveFactory(ActionFactory).
> > > The result was the same as with version 1.3.0 (resultHiddenPanel not
> > > visible and the same output in the logfile).
> >
> > Are you using the SwarmPolicyFileHiveFactory? see
>
> > http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security+1.3.1#Wicket-Security1.3.1-migrateto1.3.1
> >
> >
> > >
>
> > > Then I changed the ContainerSecurityCheck with a ComponentSecurityCheck
> > > in the class SecureWebMarkupContainer.
> > > The resultHiddenPanel now is always visible (also when the user has not
> > > the permission).
> >
> > Well like i said earlier permission ${ComponentPermission}
> > "xxx.yyy.zzz.front.ProductAreaListPage", "inherit, render"; is
> > sufficient to allow the entire page to be rendered, does your policy
> > file contain another grant statement with a similar permission?
> >
> >
> > >
> > > Logfile:
> > >
> > > 2008-05-13 18:30:30,880 DEBUG
> > > org.apache.wicket.security.hive.BasicHive.hasPermission(BasicHive.java:214)
> > > - Subjects[HashKey: 821489378, sortOrder 0 = [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] implies
> > > org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
> > > "xxx.yyy.zzz.front.ProductAreaListPage:resultHiddenPanel" "access,
> > > render"
> > >
> > > 2008-05-13 18:30:32,583 DEBUG
> > > org.apache.wicket.security.hive.BasicHive.hasPermission(BasicHive.java:188)
> > > - Subjects[HashKey: 821489378, sortOrder 0 = [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] has a cached match for
> > > org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
> > > "xxx.yyy.zzz.front.ProductAreaListPage:resultHiddenPanel" "access,
> > > render", result true
> > >
> > >
> > > Perhaps I have made another mistake ?
> >
> > Hmm, the ContainerSecurityCheck should have worked, let me see if i
> > can reproduce that with a test.
> >
> >
> >
> > >
> > >
> > >
> > > Maurice,
> > >
> > > thank you very much for the quick replies !
> > > Should I (or could you) delete my first question from the "Getting
> > > started with SWARM" page, as it was the wrong place to post the question ?
> > >
> >
> > Deleted.
> >
> > Maurice
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>
>
>
>
>
>
> Schon gehört? Der neue WEB.DE MultiMessenger kann`s mit allen:
> *http://www.produkte.web.de/messenger/?did=3016*
> [http://www.produkte.web.de/messenger/?did=3016]
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!
*http://smartsurfer.web.de/?mc=100071&distributionid=000000000066*
[http://smartsurfer.web.de/?mc=100071&distributionid=000000000066]
