Re: Swarm: Authorization for WebMarkupContainer

Wed, 14 May 2008 04:36:34 -0700 

On Wed, May 14, 2008 at 1:10 PM, Andrea Jahn <[EMAIL PROTECTED]> wrote:
>
>
>
> I just tried to reproduce the problem, why the resultHiddenPanel was not 
> visible, when I used the ContainerSecurityCheck in the class 
> SecureWebMarkupContainer (what I do now also). I used the old policy file, 
> the PolicyFileHiveFactory instead of the SwarmPolicyFileHiveFactory, ... but 
> I cannot reproduce the permission denied.
>
> Now it always works correct ;-)
>
> I think the reason is eliminated in 1.3-SNAPSHOT .

Correct, the 1.3.1-SNAPSHOT contained old code.

>
> Now I will try to secure other types of components on the pages, test the 
> different settings for the permissions you explained below and after that I 
> have to find out how to set data permissions.

I just committed a DataSecurityCheck ( a very simple class) to help
you do just that. just use it like any other ISecurityCheck (e.g
ContainerSecurityCheck)

Maurice

>
> Andrea
>
> *Von:* users@wicket.apache.org
> *Gesendet:* 14.05.08 12:35:11
> *An:* users@wicket.apache.org
> *Betreff:* Re: Swarm: Authorization for WebMarkupContainer
>
>
>
> On Wed, May 14, 2008 at 11:53 AM, Andrea Jahn <[EMAIL PROTECTED]> wrote:
>>
>>
>>
>>
>> Hi,
>>
>> thanks for the test example. With the help of that I found the error in the 
>> policy file:
>> the permission of the page must not contain the inherit action, when there 
>> are secure components on the page, which are not permitted.
>
> Thats why i asked :)
>
>>
>>
>>
>> grant principal 
>> org.apache.wicket.security.hive.authorization.SimplePrincipal "APPL_TEST"
>> {
>> permission ${ComponentPermission} "${front}.ProductAreaListPage", "render";
>> permission ${ComponentPermission} "${front}.ProductAreaListPage", "enable";
>> };
>>
>> Now a user with permission "APPL_TEST" can open the page 
>> ProductAreaListPage, but he cannot see the secure component 
>> "resultHiddenPanel".
>> When the action "inherit" is added to the first line, the 
>> "resultHiddenPanel" is visible.
>>
>> I need the second line, because the user calls the page via the menu (link).
>
> Correct, however you can shorten it to one permission with a "render,
> enable" action.
> The reason i always split my permissions "inherit, render" and
> "enable" is because i often want all child components to be visible
> but not all of them editable (enabled)
> In this case there is no inherit action and thus you can put
> everything in 1 permission.
>
>>
>>
>>
>> grant principal 
>> org.apache.wicket.security.hive.authorization.SimplePrincipal "APPL_ADMIN"
>> {
>> permission ${ComponentPermission} 
>> "${front}.ProductAreaListPage:resultHiddenPanel", "inherit, render";
>> permission ${ComponentPermission} "${front}.ProductAreaListPage", "enable";
>> };
>>
>> A user who has the permission "APPL_ADMIN" can see the page and the secure 
>> component "resultHiddenPanel".
>> So am I right, that the first line implies the security permission for the 
>> page ?
>
> Both do actually. "inherit render" is for visibility and to allow
> users to instantiate that page. (page instantiation is actually the
> "access" action but it is implied by every other action and therefore
> can be omitted from the policy. It is used internally though).
> "enable" is used by SecurePageLinks. For example if i have a
> SecurePageLink "link" on a Page A pointing to Page B and i want only
> specific users to have access to B then i would add permission
> ${ComponentPermission} "B", "enable";
> for those users. every other user will not see the link. although it
> is logical if you think about it it is different from other components
> where a permission ${ComponentPermission} "A:link", "render"; or
> permission ${ComponentPermission} "A", "inherit, render"; would be
> required. This behavior can be changed though :)
>
> Hmm reading back the above i can see how you might get a bit confused.
> I was just trying to explain it, maybe a bit to condensed.
> Anyhow most people require both permissions :)
>
> Maurice
>>
>>
>>
>> I have changed to 1.3-SNAPSHOT and I will go on working with that.
>>
>>
>> Andrea
>>
>>
>> *Von:* users@wicket.apache.org
>> *Gesendet:* 14.05.08 00:07:49
>>
>> *An:* users@wicket.apache.org
>> *Betreff:* Re: Swarm: Authorization for WebMarkupContainer
>>
>>
>>
>>
>>
>> Ok, so i did some testing (and in the process found another bug,
>> unrelated to your issue :)), but i could not reproduce your permission
>> denied.
>> Here is my simple setup:
>>
>> public class ContainerPage2 extends SecureWebPage
>> {
>>
>> /**
>> * Construct.
>> */
>> public ContainerPage2()
>> {
>> add(new Label("label", "always visible"));
>> SecureMarkupContainer container = new SecureMarkupContainer("secure");
>> container.add(new Label("hidden", "hidden label"));
>> add(container);
>> }
>>
>> /**
>> * Simple secure container.
>> *
>> * @author marrink
>> */
>> private static final class SecureMarkupContainer extends WebMarkupContainer
>> implements
>> ISecureComponent
>> {
>> /**
>> *
>> */
>> private static final long serialVersionUID = 1L;
>>
>> /**
>> *
>> * Construct.
>> *
>> * @param id
>> */
>> public SecureMarkupContainer(String id)
>> {
>> super(id);
>> setSecurityCheck(new ContainerSecurityCheck(this));
>> }
>>
>> /**
>> *
>> * @see 
>> org.apache.wicket.security.components.ISecureComponent#getSecurityCheck()
>> */
>> public ISecurityCheck getSecurityCheck()
>> {
>> return SecureComponentHelper.getSecurityCheck(this);
>> }
>>
>> /**
>> *
>> * @see 
>> org.apache.wicket.security.components.ISecureComponent#isActionAuthorized(java.lang.String)
>> */
>> public boolean isActionAuthorized(String waspAction)
>> {
>> return SecureComponentHelper.isActionAuthorized(this, waspAction);
>> }
>>
>> /**
>> *
>> * @see 
>> org.apache.wicket.security.components.ISecureComponent#isActionAuthorized(org.apache.wicket.security.actions.WaspAction)
>> */
>> public boolean isActionAuthorized(WaspAction action)
>> {
>> return SecureComponentHelper.isActionAuthorized(this, action);
>> }
>>
>> /**
>> *
>> * @see 
>> org.apache.wicket.security.components.ISecureComponent#isAuthenticated()
>> */
>> public boolean isAuthenticated()
>> {
>> return SecureComponentHelper.isAuthenticated(this);
>> }
>>
>> /**
>> *
>> * @see 
>> org.apache.wicket.security.components.ISecureComponent#setSecurityCheck(org.apache.wicket.security.checks.ISecurityCheck)
>> */
>> public void setSecurityCheck(ISecurityCheck check)
>> {
>> SecureComponentHelper.setSecurityCheck(this, check);
>> }
>>
>> }
>>
>> }
>>
>> and my policy file looks like this:
>>
>> grant principal ${SimplePrincipal} "container4"
>> {
>> //this does not permit secure components on a ContainerPage2 to be visible
>> permission ${ComponentPermission} "${myPackage}.ContainerPage2", "render";
>> permission ${ComponentPermission} "${myPackage}.ContainerPage2", "enable";
>> };
>> grant principal ${SimplePrincipal} "container5"
>> {
>> //this grants the permission to any component with id "secure" on a
>> ContainerPage2
>> permission ${ComponentPermission}
>> "${myPackage}.ContainerPage2:secure", "inherit, render";
>> permission ${ComponentPermission} "${myPackage}.ContainerPage2", "enable";
>> };
>> grant principal ${SimplePrincipal} "container6"
>> {
>> //this grants the permission to any SecureMarkupContainer inside a
>> ContainerPage2
>> permission ${ComponentPermission}
>> "${myPackage}.ContainerPage2:${myPackage}.ContainerPage2$SecureMarkupContainer",
>> "inherit, render";
>> permission ${ComponentPermission} "${myPackage}.ContainerPage2", "enable";
>> };
>> grant principal ${SimplePrincipal} "container7"
>> {
>> //this grants the permission to any SecureMarkupContainer, even when
>> placed on other pages (if it wasn't a private class)
>> permission ${ComponentPermission}
>> "${myPackage}.ContainerPage2$SecureMarkupContainer", "inherit,
>> render";
>> permission ${ComponentPermission} "${myPackage}.ContainerPage2", "enable";
>> };
>>
>>
>> Argh, i am only just reading you are using 1.3.1-SNAPSHOT. You should
>> be using 1.3-SNAPSHOT. That does it i am deleting those jars.
>>
>> Maurice
>>
>>
>> On Tue, May 13, 2008 at 8:10 PM, Maurice Marrink <[EMAIL PROTECTED]> wrote:
>> > On Tue, May 13, 2008 at 6:48 PM, Andrea Jahn <[EMAIL PROTECTED]> wrote:
>> > >
>> > > Hi,
>> > >
>> >
>> > > I've changed to the 1.3.1-SNAPSHOT version. Therefore I have only 
>> > > replaced the constructor PolicyFileHiveFactory() by 
>> > > PolicyFileHiveFactory(ActionFactory).
>> > > The result was the same as with version 1.3.0 (resultHiddenPanel not 
>> > > visible and the same output in the logfile).
>> >
>> > Are you using the SwarmPolicyFileHiveFactory? see
>>
>> > http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security+1.3.1#Wicket-Security1.3.1-migrateto1.3.1
>> >
>> >
>> > >
>>
>> > > Then I changed the ContainerSecurityCheck with a ComponentSecurityCheck 
>> > > in the class SecureWebMarkupContainer.
>> > > The resultHiddenPanel now is always visible (also when the user has not 
>> > > the permission).
>> >
>> > Well like i said earlier permission ${ComponentPermission}
>> > "xxx.yyy.zzz.front.ProductAreaListPage", "inherit, render"; is
>> > sufficient to allow the entire page to be rendered, does your policy
>> > file contain another grant statement with a similar permission?
>> >
>> >
>> > >
>> > > Logfile:
>> > >
>> > > 2008-05-13 18:30:30,880 DEBUG 
>> > > org.apache.wicket.security.hive.BasicHive.hasPermission(BasicHive.java:214)
>> > >  - Subjects[HashKey: 821489378, sortOrder 0 = [EMAIL PROTECTED] 
>> > > [mailto:[EMAIL PROTECTED] implies 
>> > > org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
>> > >  "xxx.yyy.zzz.front.ProductAreaListPage:resultHiddenPanel" "access, 
>> > > render"
>> > >
>> > > 2008-05-13 18:30:32,583 DEBUG 
>> > > org.apache.wicket.security.hive.BasicHive.hasPermission(BasicHive.java:188)
>> > >  - Subjects[HashKey: 821489378, sortOrder 0 = [EMAIL PROTECTED] 
>> > > [mailto:[EMAIL PROTECTED] has a cached match for 
>> > > org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
>> > >  "xxx.yyy.zzz.front.ProductAreaListPage:resultHiddenPanel" "access, 
>> > > render", result true
>> > >
>> > >
>> > > Perhaps I have made another mistake ?
>> >
>> > Hmm, the ContainerSecurityCheck should have worked, let me see if i
>> > can reproduce that with a test.
>> >
>> >
>> >
>> > >
>> > >
>> > >
>> > > Maurice,
>> > >
>> > > thank you very much for the quick replies !
>> > > Should I (or could you) delete my first question from the "Getting 
>> > > started with SWARM" page, as it was the wrong place to post the question 
>> > > ?
>> > >
>> >
>> > Deleted.
>> >
>> > Maurice
>> >
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
>>
>>
>>
>>
>>
>>
>> Schon gehört? Der neue WEB.DE MultiMessenger kann`s mit allen:
>> *http://www.produkte.web.de/messenger/?did=3016* 
>> [http://www.produkte.web.de/messenger/?did=3016]
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>
>
>
>
> Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!
> *http://smartsurfer.web.de/?mc=100071&distributionid=000000000066* 
> [http://smartsurfer.web.de/?mc=100071&distributionid=000000000066]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to