I am not sure i follow you.
According to the log the user does not have the datapermission for the dropdown.
> I tried to set the permissions like in the explanation below, but that didn't
> work:
>
> // Welcome page
> permission ${ComponentPermission} "${front}.Welcome", "inherit, render,
> global";
> permission ${ComponentPermission} "${front}.Welcome", "enable, global";
What is not working?
In general adding custom actions to your pages is only useful if the
page has a securitycheck that actually checks for those actions. In
the case of a welcome page that is probably overkill but for a page
showing for example customer info it would be very useful to check if
the user has global permissions and thus can see any user or local
permissions and this only is the customer is affiliated with one of
his locations. Such a check could be implemented like this.
public boolean isActionAuthorized(WaspAction action)
{
WaspAction combined = null;
WaspAction additional;
ActionFactory factory = getActionFactory();
additional = factory.getAction(Global.class);
combined = action.add(additional);
//wrapped is another isecuritycheck like a component- or
classsecuritycheck
if (wrapped.isActionAuthorized(combined))
return true; //global so everything is allowed
additional = factory.getAction(Location.class);
combined = action.add(additional);
if (wrapped.isActionAuthorized(combined))
return
verifyCustomerLocationMatchesUserLocations(someCustomer, theUser);
return false;
}
The custom security check in the examples simply overrides an existing
check where this check could extend AbstractSecurityCheck but the
principal is the same. You need to check your custom actions yourself.
Not sure if that at all answers your question.
Maurice
>
> Debug logging:
> 2008-05-22 14:47:57,515 DEBUG
> org.apache.wicket.security.hive.BasicHive.addPrincipal(BasicHive.java:111) -
> Adding
> org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
> "xxx.yyy.zzz.front.Welcome" "access, render, enable, location, global" to
> everybody
> 2008-05-22 14:47:57,515 DEBUG
> org.apache.wicket.security.hive.BasicHive.addPrincipal(BasicHive.java:111) -
> Adding
> org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
> "xxx.yyy.zzz.front.Welcome" "access, inherit, render, location, global" to
> everybody
>
> 2008-05-22 14:48:13,046 DEBUG
> org.apache.wicket.Component.render(Component.java:2284) - Begin render
> [MarkupContainer [Component id = selectLocation, page =
> xxx.yyy.zzz.front.Welcome, path =
> 1:formLocation:selectLocation.DropDownChoice, isVisible = true, isVersioned =
> false]]
> 2008-05-22 14:48:13,046 DEBUG
> org.apache.wicket.security.hive.BasicHive.hasPermission(BasicHive.java:224) -
> Subjects[HashKey: -1185945692, sortOrder 0 = [EMAIL PROTECTED] [mailto:[EMAIL
> PROTECTED] does not have or implies
> org.apache.wicket.security.hive.authorization.permissions.DataPermission
> "LocationListModel" "global"
>
> Andrea
>
> -----------------
> On Sun, May 18, 2008 at 7:26 PM, Igor Vaynberg <[EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]> wrote:
>> something like this should probably be filter inside the database not
>> by some external filter which forces you to load the entire dataset.
>
> No that would be foolish, but that wasn't suggested.
>
>>
>> -igor
>>
>> On Sun, May 18, 2008 at 9:39 AM, Andrea Jahn <[EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]> wrote:
>>>
>>>
>>>
>>>
>>> Hi,
>>>
>>> in our application locations are administered. A user has only rights on
>>> some of the locations, e.g. Munich, Berlin. He should be able to select one
>>> of the allowed locations in a selection box. Then on the different pages
>>> all data are depending on the actually selected location. For example a
>>> DataView shows only the items, which belong to this location.
>>>
>>> Could Swarm support data filtering ?
>
> Yes, especially in 1.3.1 this is a bit cleaner dependency wise. But
> there is no out of the box solution as there are lots of framework
> combinations possible. So get ready for some heavy duty programming :)
>
>>>
>>> I found the following related message.
>>>
>>> http://markmail.org/message/hb42u5xj7xlvumm7
>>> [http://markmail.org/message/hb42u5xj7xlvumm7]
>>> [http://markmail.org/message/hb42u5xj7xlvumm7] (subsection4)
>>>
>>> I like the idea, that the dataproviders get some filters (only the data
>>> which are needed should be read from the database), but where should I
>>> store the filters for the actual selected location in the security layer ?
>>>
>>> Perhaps does someone know examples for that issue (using Wicket, Spring and
>>> Hibernate) ?
>
> Not aware of any examples out there, but here is what we did,
> customized to your situation for as far as i understand it :)
> Suppose we have a searchpage with some filter criteria including a
> dropdown for the location. The data in this dropdown is filtered by
> the permissions the user has for this page. If he has "global"
> permissions the dropdown contains all locations. otherwise it only
> contains locations assigned to this user. The user is not required to
> select a location, if he does that location will be used but if he
> clears the selection the search will be over all allowed locations.
> clicking a row in the search results will bring him to a another page
> from where he can navigate to other pages to see different data. These
> pages can have different permissions as the search page. for example a
> user has "global" search and report permissions but only "location"
> permissions for administrative tasks.
>
> Note that if all pages behind the searchpage have the same permissions
> you might be able to skip using custom actions.
>
> To make the concept of locations clear to wasp you have to define your
> own custom actions (see the actions section in
> http://wicketstuff.org/confluence/display/STUFFWIKI/Getting+started+with+Swarm
>
> [http://wicketstuff.org/confluence/display/STUFFWIKI/Getting+started+with+Swarm]
> and the end about changes in 1.3.1)
> Might i suggest a "global" and a "location" action. where the global
> action could (probably should) imply the location action. Note you do
> not create an action for each location you have just 1 action called
> "location" the code will later decide which location(s) that will be.
>
> Because you now want to grant global or location permissions you will
> need to duplicate each principal making sure each has a different
> name, i suggest prefixing the principals with either global or
> location. So this will give you
>
> grant principal org.MyPrincipal "global.search.something"
> {
> permission ${ComponentPermission} "org.SearchSomethingPage",
> "inherit, render, global";
> permission ${ComponentPermission} "org.SearchSomethingPage", "enable, global";
> };
> grant principal org.MyPrincipal "location.search.something"
> {
> permission ${ComponentPermission} "org.SearchSomethingPage",
> "inherit, render, location";
> permission ${ComponentPermission} "org.SearchSomethingPage", "enable,
> location";
> };
>
> (On a side note: if you have a lot of principals or extra custom
> actions this can become quite a pain to maintain, but there are hooks
> to make this easier)
>
> For the location list model of your dropdown you can use a LDM
> implementing SwarmModel where the load will look something like this
>
> if (isAuthorized(null, getActionFactory().getAction(Global.class)))
> //return all locations
> else
> // return user locations
>
> Use the various isModel..... methods on WaspAuthorizationStrategy to
> implement SwarmModel.
> No need to add an ISecurityCheck to the component itself as swarm will
> detect the secure model and use that instead. Don't forget to add a
> DataPermission to your principals with the appropriate actions.
>
> The selection model for the dropdown could be any model it just needs
> to update a filter bean which you will pass to your dao, because the
> selection might be null the filter also needs to know about which
> locations are allowed, just use the list model for that. Then in your
> dao you need to either use the selected location or the list to return
> the search results.
>
> Maurice
>
>>>
>>> Thanks in advance
>>> Andrea
>>>
>>>
>>>
>
>
>
> EINE FÜR ALLE: die kostenlose WEB.DE-Plattform für Freunde und Deine
> Homepage mit eigenem Namen. Jetzt starten! *http://unddu.de/[EMAIL PROTECTED]
> [http://unddu.de/[EMAIL PROTECTED]
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
