incubator-isis-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From danhayw...@apache.org
Subject svn commit: r1091590 [4/4] - in /incubator/isis/trunk: ./ applib/src/docbkx/guide/ core/commons/src/main/java/org/apache/isis/core/commons/authentication/ core/commons/src/main/java/org/apache/isis/core/commons/components/ core/commons/src/main/java/or...
Date Tue, 12 Apr 2011 22:37:17 GMT
Modified: incubator/isis/trunk/progmodels/wrapper/src/site/site.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/progmodels/wrapper/src/site/site.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/progmodels/wrapper/src/site/site.xml (original)
+++ incubator/isis/trunk/progmodels/wrapper/src/site/site.xml Tue Apr 12 22:37:15 2011
@@ -22,11 +22,6 @@
             <item name="Metamodel" href="./metamodel/index.html" />
         </menu>
 
-		<menu name="Documentation">
-			<item name="${docbkxGuideTitle} (PDF)" href="docbkx/pdf/${docbkxGuideName}.pdf" />
-			<item name="${docbkxGuideTitle} (HTML)" href="docbkx/html/guide/${docbkxGuideName}.html" />
-		</menu>
-
         <menu name="Maven Reports" ref="reports" />
 	</body>
 </project>

Modified: incubator/isis/trunk/runtimes/dflt/bytecode/dflt/src/main/java/org/apache/isis/runtimes/dflt/bytecode/dflt/objectfactory/internal/ObjectResolveAndObjectChangedEnhancer.java
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/runtimes/dflt/bytecode/dflt/src/main/java/org/apache/isis/runtimes/dflt/bytecode/dflt/objectfactory/internal/ObjectResolveAndObjectChangedEnhancer.java?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/runtimes/dflt/bytecode/dflt/src/main/java/org/apache/isis/runtimes/dflt/bytecode/dflt/objectfactory/internal/ObjectResolveAndObjectChangedEnhancer.java (original)
+++ incubator/isis/trunk/runtimes/dflt/bytecode/dflt/src/main/java/org/apache/isis/runtimes/dflt/bytecode/dflt/objectfactory/internal/ObjectResolveAndObjectChangedEnhancer.java Tue Apr 12 22:37:15 2011
@@ -30,7 +30,6 @@ import net.sf.cglib.proxy.MethodIntercep
 import net.sf.cglib.proxy.MethodProxy;
 
 import org.apache.isis.core.commons.lang.ArrayUtils;
-import org.apache.isis.core.metamodel.facets.ImperativeFacet;
 import org.apache.isis.core.metamodel.facets.ImperativeFacetUtils;
 import org.apache.isis.core.metamodel.facets.ImperativeFacetUtils.ImperativeFacetFlags;
 import org.apache.isis.core.metamodel.spec.SpecificationLoader;

Modified: incubator/isis/trunk/runtimes/dflt/profilestores/xml/src/main/java/org/apache/isis/runtimes/dflt/profilestores/xml/XmlUserProfileStoreInstaller.java
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/runtimes/dflt/profilestores/xml/src/main/java/org/apache/isis/runtimes/dflt/profilestores/xml/XmlUserProfileStoreInstaller.java?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/runtimes/dflt/profilestores/xml/src/main/java/org/apache/isis/runtimes/dflt/profilestores/xml/XmlUserProfileStoreInstaller.java (original)
+++ incubator/isis/trunk/runtimes/dflt/profilestores/xml/src/main/java/org/apache/isis/runtimes/dflt/profilestores/xml/XmlUserProfileStoreInstaller.java Tue Apr 12 22:37:15 2011
@@ -41,16 +41,6 @@ public class XmlUserProfileStoreInstalle
 	}
 
 
-	@Override
-	public Module getModule() {
-		return new AbstractModule() {
-			@Override
-			protected void configure() {
-				bind(UserProfileStore.class).to(XmlUserProfileStore.class);
-			}
-		};
-	}
-	
     public List<Class<?>> getTypes() {
     	return listOf(UserProfileStore.class);
     }

Modified: incubator/isis/trunk/runtimes/dflt/src/docbkx/guide/isis-default-runtime.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/runtimes/dflt/src/docbkx/guide/isis-default-runtime.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/runtimes/dflt/src/docbkx/guide/isis-default-runtime.xml (original)
+++ incubator/isis/trunk/runtimes/dflt/src/docbkx/guide/isis-default-runtime.xml Tue Apr 12 22:37:15 2011
@@ -1375,6 +1375,109 @@ isis.fixtures=ExpenseTypes, Employees, E
       <para></para>
 
       <sect1>
+        <title>Component loggers</title>
+
+        <para>The NOF provides a set of component loggers that specifically
+        log the use of a component, adding additional log messages to the
+        Log4j log or write out to a separate file. Additional logger can also
+        be defined for other components. These logger are designed to log the
+        parameters passed to and the the results return from the requests to a
+        component and tend to be more verbose than the general logging just
+        discussed. At present the following components have loggers
+        available:-</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>The object persistor -
+            <classname>ObjectPersistorLogger</classname></para>
+          </listitem>
+
+          <listitem>
+            <para>The object store -
+            <classname>ObjectStoreLogger</classname></para>
+          </listitem>
+
+          <listitem>
+            <para>The distibution interface -
+            <classname>DistributionLogger</classname></para>
+          </listitem>
+        </itemizedlist>
+
+        <para>To set up a logger create an instance of it passing in the
+        object you are logging. Then use the logger instance in place of the
+        original component. The constructors for each of the loggers are
+        overloaded so they take a component to decorate and possibly a file
+        name. If the filename is specified then the logging is done to that
+        file. If there is no file name then the events are logged via Log4j.
+        For example the object store persistor would logged by
+        replacing:</para>
+
+        <programlisting format="linespecific">ObjectAdapterPersistor persistor = new ObjectStorePersistor();
+isis.setObjectPersistor(persistor);</programlisting>
+
+        <para>with this, which will log request to the persistor the <filename
+        class="directory" moreinfo="none">sever-persistor.log</filename>
+        file:</para>
+
+        <programlisting format="linespecific">ObjectAdapterPersistor persistor = new ObjectStorePersistor();
+persistor = new ObjectManagerLogger(persistor, "server-persistor.log");
+isis.setObjectPersistor(persistor);</programlisting>
+
+        <para>Please note that the log files, when used, are created when the
+        logger is instantiated and will overwrite any exsiting file. This is
+        not normally a problem as we are interested in the activities during
+        an entire session. However on a stateless server where the component
+        is being recreated each time the continual recreation of the file
+        could be a problem.</para>
+
+        <sect2>
+          <title>Defining a logger</title>
+
+          <para>To define a logger extend the Logger class, providing a
+          suitable constructor, and implement the
+          <methodname>getDecoratedClass</methodname> so it passes back the
+          <classname>Class</classname> object of the class being decorated
+          (this allows the Log4j logger to log messages as that class rather
+          than as a separate class). Within the subclass you can use the
+          following methods:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para><emphasis> <methodname>void log(String
+              message)</methodname> </emphasis></para>
+
+              <para>output a log entry with the specified message.</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis> <methodname>void log(String message, Object
+              result)</methodname> </emphasis></para>
+
+              <para>output a log entry with the specified message and the
+              specified result. This is useful when needing to show both the
+              entry and exit states, or the paramters and the return
+              value.</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis> <methodname>void close()</methodname>
+              </emphasis></para>
+
+              <para>closes the file that is being written to.</para>
+            </listitem>
+          </itemizedlist>
+
+          <para></para>
+
+          <para></para>
+
+          <para></para>
+
+          <para></para>
+        </sect2>
+      </sect1>
+
+      <sect1>
         <title>Diagnostics (Logging)</title>
 
         <para></para>
@@ -1892,16 +1995,74 @@ $ mvn clean package</screen>
   </part>
 
   <appendix>
-    <title>***</title>
+    <title>*** Deployment Principles</title>
 
     <abstract>
-      <para>*** yada yada</para>
+      <para>*** yada yada (have just pasted this chapter in from elsewhere;
+      need to think about where it lives in this doc)</para>
     </abstract>
 
-    <sect1 id="sec.module-ui">
-      <title>***</title>
+    <sect1>
+      <title>Setting up perspectives</title>
+
+      <para></para>
+
+      <para></para>
+
+      <para></para>
+
+      <para>profilestore</para>
+
+      <para>x-ref alternatives/profilestore/xml</para>
+
+      <para></para>
+
+      <para>Perspectives allow the set of services available to a user (eg as
+      icons in the DnD viewer) to be customized for that user. Since these
+      services represent the "start points" for the user to interact with the
+      domain model, they in a sense define an application on a per-user
+      basis.</para>
+
+      <para>The perspectives are stored in user-profiles, which are a
+      persistence mechanism independent of the object store. (The intent is
+      for user profiles to store additional information for use by viewers,
+      for example allowing a user to reskin an application or change colors or
+      fonts. As of NOF 4.0 the functionality provided is still limited,
+      however).</para>
+
+      <para>The key here is that if a user logs in and no perspective exists
+      for that user then one will be created for them. The new perspective
+      will be a copy of the 'template' perspective, or, if none was defined, a
+      perspective containing all the known services. To create a template
+      perspective add a perspective fixture that calls
+      <methodname>saveAsDefault()</methodname>, rather than
+      <methodname>saveForUser()</methodname> for a named user, as shown
+      below.</para>
+
+      <programlisting>public class PerspectivesFixture extends UserProfileFixture {
+    @Override
+    protected void installProfiles() {
+        Profile profile = newUserProfile();
+        Perspective perspective = profile.newPerspective("ECS");
+        perspective.addToServices(LocationFactory.class);
+        perspective.addToServices(CustomerRepository.class);
+        perspective.addToServices(PaymentMethodFactory.class);
+        
+        saveAsDefault(profile);
+    }
+}
+</programlisting>
 
-      <para>*** yada yada</para>
+      <para>With that set up, when a new user now logs in they will see three
+      service icons on the screen for locations, customers and payment
+      methods. On the drag and drop user interface the user can add and remove
+      services from their perspective. To remove a service icon right-click on
+      the grey border and select the close option. To add a service select the
+      Services... option from the application menu (accessed by right-clicking
+      on the application background) and drag the required service onto the
+      desktop. Unfortunately there is no similar mechanism available on the
+      HTML user interface so you will need to modify the created perspectives
+      via the DND UI.</para>
     </sect1>
   </appendix>
 </book>

Modified: incubator/isis/trunk/security/file/pom.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/file/pom.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/file/pom.xml (original)
+++ incubator/isis/trunk/security/file/pom.xml Tue Apr 12 22:37:15 2011
@@ -16,21 +16,8 @@
 	<properties>
         <siteBaseDir>../..</siteBaseDir>
 		<relativeUrl>security/file/</relativeUrl>
-
-        <docbkxGuideTitle>Apache Isis File Security</docbkxGuideTitle>
-        <docbkxGuideName>isis-file-security</docbkxGuideName>
 	</properties>
 
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>com.agilejava.docbkx</groupId>
-                <artifactId>docbkx-maven-plugin</artifactId>
-                <inherited>false</inherited>
-            </plugin>
-        </plugins>
-    </build>
-
 	<url>http://incubator.apache.org/isis/${relativeUrl}</url>
 
     <reporting>

Modified: incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authentication/FileAuthenticationManagerInstaller.java
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authentication/FileAuthenticationManagerInstaller.java?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authentication/FileAuthenticationManagerInstaller.java (original)
+++ incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authentication/FileAuthenticationManagerInstaller.java Tue Apr 12 22:37:15 2011
@@ -41,13 +41,4 @@ public class FileAuthenticationManagerIn
         return new FileAuthenticator(configuration);
     }
 
-    @Override
-    public Module getModule() {
-    	return new AbstractModule() {
-			@Override
-			protected void configure() {
-				bind(Authenticator.class);
-			}
-		};
-    }
 }

Modified: incubator/isis/trunk/security/file/src/site/site.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/file/src/site/site.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/file/src/site/site.xml (original)
+++ incubator/isis/trunk/security/file/src/site/site.xml Tue Apr 12 22:37:15 2011
@@ -17,11 +17,6 @@
             <item name="LDAP" href="../ldap/index.html" />
         </menu>
 
-        <menu name="Documentation">
-            <item name="${docbkxGuideTitle} (PDF)" href="docbkx/pdf/${docbkxGuideName}.pdf" />
-            <item name="${docbkxGuideTitle} (HTML)" href="docbkx/html/guide/${docbkxGuideName}.html" />
-        </menu>
-
         <menu name="Maven Reports" ref="reports" />
 	</body>
 </project>

Modified: incubator/isis/trunk/security/ldap/pom.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/ldap/pom.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/ldap/pom.xml (original)
+++ incubator/isis/trunk/security/ldap/pom.xml Tue Apr 12 22:37:15 2011
@@ -16,21 +16,8 @@
 	<properties>
         <siteBaseDir>../..</siteBaseDir>
 		<relativeUrl>security/ldap/</relativeUrl>
-
-        <docbkxGuideTitle>Apache Isis LDAP Security</docbkxGuideTitle>
-        <docbkxGuideName>isis-ldap-security</docbkxGuideName>
 	</properties>
 
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>com.agilejava.docbkx</groupId>
-                <artifactId>docbkx-maven-plugin</artifactId>
-                <inherited>false</inherited>
-            </plugin>
-        </plugins>
-    </build>
-
 	<url>http://incubator.apache.org/isis/${relativeUrl}</url>
 
     <reporting>

Modified: incubator/isis/trunk/security/ldap/src/site/site.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/ldap/src/site/site.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/ldap/src/site/site.xml (original)
+++ incubator/isis/trunk/security/ldap/src/site/site.xml Tue Apr 12 22:37:15 2011
@@ -17,11 +17,6 @@
             <item name="LDAP" href="../ldap/index.html" />
         </menu>
 
-        <menu name="Documentation">
-            <item name="${docbkxGuideTitle} (PDF)" href="docbkx/pdf/${docbkxGuideName}.pdf" />
-            <item name="${docbkxGuideTitle} (HTML)" href="docbkx/html/guide/${docbkxGuideName}.html" />
-        </menu>
-
         <menu name="Maven Reports" ref="reports" />
 	</body>
 </project>

Modified: incubator/isis/trunk/security/pom.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/pom.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/pom.xml (original)
+++ incubator/isis/trunk/security/pom.xml Tue Apr 12 22:37:15 2011
@@ -21,10 +21,23 @@
 	<properties>
         <siteBaseDir>..</siteBaseDir>
 		<relativeUrl>security/</relativeUrl>
+
+        <docbkxGuideTitle>Apache Isis Security</docbkxGuideTitle>
+        <docbkxGuideName>isis-security</docbkxGuideName>
 	</properties>
 
 	<url>http://incubator.apache.org/isis/${relativeUrl}</url>
 
+	<build>
+		<plugins>
+            <plugin>
+                <groupId>com.agilejava.docbkx</groupId>
+                <artifactId>docbkx-maven-plugin</artifactId>
+				<inherited>false</inherited>
+            </plugin>
+		</plugins>
+	</build>
+
 	<modules>
 		<module>dflt</module>
         <module>file</module>

Copied: incubator/isis/trunk/security/src/docbkx/guide/isis-security.xml (from r1091133, incubator/isis/trunk/security/ldap/src/docbkx/guide/isis-ldap-security.xml)
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/src/docbkx/guide/isis-security.xml?p2=incubator/isis/trunk/security/src/docbkx/guide/isis-security.xml&p1=incubator/isis/trunk/security/ldap/src/docbkx/guide/isis-ldap-security.xml&r1=1091133&r2=1091590&rev=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/ldap/src/docbkx/guide/isis-ldap-security.xml (original)
+++ incubator/isis/trunk/security/src/docbkx/guide/isis-security.xml Tue Apr 12 22:37:15 2011
@@ -35,9 +35,7 @@
       </author>
 
       <author>
-        <firstname>Kevin</firstname>
-
-        <surname>Meyer</surname>
+        <firstname>Dan Haywood</firstname>
       </author>
     </authorgroup>
 
@@ -55,235 +53,753 @@
   <preface id="preface">
     <title>Preface</title>
 
-    <para><emphasis>Apache Isis</emphasis> is designed to allow programmers
-    rapidly develop domain-driven applications following the <ulink
-    url="http://en.wikipedia.org/wiki/Naked_Objects">Naked Objects</ulink>
-    pattern. It is made up of a core framework plus a number of alternate
-    implementations, and supports various viewers and object stores. Apache
-    Isis is hosted at the <ulink url="http://incubator.apache.org/isis">Apache
-    Foundation</ulink>, and is licensed under <ulink
+    <para><emphasis>*** Apache Isis</emphasis> is designed to allow
+    programmers rapidly develop domain-driven applications following the
+    <ulink url="http://en.wikipedia.org/wiki/Naked_Objects">Naked
+    Objects</ulink> pattern. It is made up of a core framework plus a number
+    of supporting implementations, and supports various viewers and object
+    stores. Apache Isis is hosted at the <ulink
+    url="http://incubator.apache.org/isis">Apache Foundation</ulink>, and is
+    licensed under <ulink
     url="http://www.apache.org/licenses/LICENSE-2.0.html">Apache Software
     License v2</ulink>.</para>
 
     <para>This guide is written for ...</para>
-  </preface>
 
-  <!-- main content -->
+    <para></para>
+
+    <para></para>
+  </preface>
 
-  <chapter id="chp.Intro">
-    <title>Introduction</title>
+  <chapter id="chp.SecurityApi">
+    <title>*** Introduction</title>
 
     <abstract>
-      <para>*** yada yada</para>
+      <para>This chapter covers the authentication and authorization
+      APIs</para>
     </abstract>
 
+    <para></para>
+
+    <para>*** go through these words and move around; get rid of this
+    introductory chapter.</para>
+
+    <para></para>
+
+    <para></para>
+
+    <para></para>
+
+    <para>Apache Isis supports authentication  and role-based authorization.
+    Within the framework the user is represented by a
+    <classname>Session</classname> object. From the session object you can get
+    the name of the user and their roles.</para>
+
+    <para>The session is used within the distribution mechanism and the
+    security manager. The security manager uses the session to determine if a
+    user can access or manipulate an object member. The distribution mechanism
+    passes the session to the server so the server knows which user is
+    accessing it.</para>
+
+    <para></para>
+
+    <para></para>
+
+    <para></para>
+
+    <para></para>
+
+    <para>As with authentication, authorization may be executed via a file,
+    LDAP, or database. If no authorization mechanism is specified, all domain
+    calls, methods and properties will be available to all users.</para>
+
+    <para></para>
+
+    <para></para>
+
+    <note>
+      <para>TODO: tidy up the following paras, were just copied/pasted in from
+      APT</para>
+    </note>
+
+    <para><emphasis></emphasis></para>
+
+    <para><emphasis>Apache Isis</emphasis> applications support authentication
+    ("who are you"?) and authorization ("what can you do?"). This allows the
+    set of functionality to be restricted based upon the user's role, with no
+    security knowledge needing to be embedded within the domain objects. The
+    API is defined in {{{../core/runtime/index.html}runtime}}, along with two
+    implementations, one file-based and one using LDAP.</para>
+
+    <para></para>
+
+    <para></para>
+
+    <para>An <classname>Authoriser</classname> processes an
+    <classname>AuthorizationRequest</classname> and if granted generates a
+    <classname>Session</classname> object to represent the user.</para>
+
+    <para></para>
+
+    <para></para>
+
+    <para>There is an optional capability to authorise the visibility and
+    usability of fields independently. Thus a field may be visible to certain
+    roles but not editable. In order to configure this against a authorization
+    a flag must be added as follows.</para>
+
+    <para></para>
+
+    <para></para>
+
     <sect1>
-      <title>***</title>
+      <title>Capturing authorization requirements automatically</title>
+
+      <para>As a tool for helping to configure the initial security settings
+      there is a 'learn' property.</para>
+
+      <programlisting format="linespecific">isis.authorization.learn=true</programlisting>
+
+      <para>When this is present and set, all methods will be authorised for
+      all roles. However as each method is accessed through the user interface
+      authorization will be configured for that method and the current role.
+      Configuration will be saved in either the file (saved on shutdown),
+      database table or LDAP security settings depending upon the reflector
+      setup.</para>
+
+      <para>The settings can then be modified to conform to the required
+      security settings.</para>
+
+      <para></para>
+
+      <para></para>
+    </sect1>
+  </chapter>
+
+  <part>
+    <title>Default (No-op) Security Implementation</title>
+
+    <chapter>
+      <title></title>
+
+      <section>
+        <title></title>
+
+        <para></para>
+      </section>
+    </chapter>
+  </part>
+
+  <part>
+    <title>File Security Implementation</title>
+
+    <chapter id="chp.FileIntro">
+      <title>Introduction</title>
+
+      <abstract>
+        <para>*** yada yada</para>
+      </abstract>
+
+      <sect1>
+        <title>***</title>
+
+        <para><emphasis>*** yada yada</emphasis></para>
+      </sect1>
+
+      <sect1>
+        <title>Adding Security (Authentication and Authorization)</title>
+
+        <para><remark></remark></para>
+
+        <para>x-ref Core documentation.</para>
+
+        <para></para>
+
+        <para></para>
+
+        <para>... also, move into the next chapters</para>
+
+        <para></para>
+
+        <para>Starting [[NAME]] requires a user name and password . (The
+        exception is when running in exploration mode, which uses default
+        values). The simplest way to specify the list of user names and
+        passwords is in a passwords file.</para>
+
+        <sect2>
+          <title>Authentication using a passwords file</title>
+
+          <para>Create a file called <filename class="directory"
+          moreinfo="none">password</filename>s, and place into the <filename
+          class="directory" moreinfo="none">config</filename> directory as the
+          following example shows.</para>
+
+          <screen format="linespecific">config/
+   passwords
+</screen>
+
+          <para>The following example shows how user names (sven and dick) and
+          corresponding passwords (passwd1 and passwd2) should be specified in
+          the password file.</para>
+
+          <programlisting format="linespecific">sven:passwd1
+dick:passwd2</programlisting>
+        </sect2>
+
+        <sect2>
+          <title>Authentication through a passwords file</title>
+
+          <para>To explicitly use file-based authentication set the following
+          property. (Note, however, that if this property is absent, the
+          framework will anyway assume file-based authentication as the
+          default).</para>
+
+          <programlisting format="linespecific">isis.authentication=file</programlisting>
+
+          <para>The location and name of the passwords file may be specified
+          explicitly - if not it defaults to the <filename class="directory"
+          moreinfo="none">passwords</filename> file, assumed to be in the
+          <filename class="directory" moreinfo="none">config</filename>
+          directory (or under WEB-INF if running as a web application).</para>
+
+          <programlisting format="linespecific">isis.authentication.file.location= passwords  </programlisting>
+
+          <para>The <filename class="directory"
+          moreinfo="none">passwords</filename> file contains users, passwords
+          and any roles, as follows.</para>
+
+          <programlisting format="linespecific">&lt;user&gt;:&lt;password&gt;:&lt;role&gt;|&lt;role&gt;|...</programlisting>
+
+          <para>For example, user 'sven', with password 'pass' and roles
+          'role1' and 'role2' would be</para>
+
+          <programlisting format="linespecific">sven:pass:role1|role2 </programlisting>
+        </sect2>
+
+        <sect2>
+          <title>Authorization using Allow and/or Disallow files</title>
+
+          <para>Authorization allows access to actions and properties to be
+          controlled by configuration. Authorization is entirely optional and
+          is disabled by default - in which case every user is given access to
+          all actions and properties. A prerequisite for authorization is for
+          users to have roles. These should be added to the password file as
+          follows.</para>
+
+          <programlisting format="linespecific">sven:passwd1:ordinary_user
+dick:passwd2:special_user|admin</programlisting>
+
+          <para>Sven has the role 'ordinary_user', dick has the two roles
+          'special_user' and 'admin'.</para>
+
+          <para>[[NAME]] needs to be told which actions and properties are
+          authorised for which roles. The simplest way to do this is in a file
+          i.e. <filename class="directory" moreinfo="none">allow</filename> in
+          the config directory.</para>
+
+          <screen format="linespecific">config/
+   <emphasis role="strong">password</emphasis>
+      <emphasis role="strong">allow</emphasis>
+   </screen>
+
+          <para>Each entry in the <filename class="directory"
+          moreinfo="none">allow</filename> file specifies either a class, or a
+          particular action or property within a class, together with the
+          roles that are allowed to access it. E.g.</para>
+
+          <screen format="linespecific">example.dom.PhoneNumber#Number:ordinary_user|special_user
+example.dom.Contact#Phones:ordinary_user|special_user
+example.dom.Contact#FullName:ordinary_user|special_user
+org.apache.isis.nof.core.service.SimpleRepository#FindByTitle(java.lang.String):ordinary_user|special_user
+example.dom.PhoneNumber#Type:ordinary_user|special_user
+example.dom.Contact#KnownAs:ordinary_user|special_user
+org.apache.isis.nof.core.service.SimpleRepository#NewPersistentInstance():ordinary_user|special_user
+example.dom.Contact#CreatePhone():special_user
+org.apache.isis.nof.core.service.SimpleRepository#NewTransientInstance():ordinary_user|special_user
+org.apache.isis.nof.core.service.SimpleRepository#AllInstances():ordinary_user|special_user
+</screen>
+
+          <para>The above file allows 'example.dom.Contact#CreatePhone()' only
+          for users with role 'special_user' all other actions and properties
+          are allowed for roles 'ordinary_user' and 'special_user'. A
+          different, terser implementation of this would be to use separate
+          <filename class="directory" moreinfo="none">allow</filename> and
+          <filename class="directory" moreinfo="none">disallow</filename>
+          files, or example, the <filename class="directory"
+          moreinfo="none">allow</filename> file:</para>
+
+          <screen format="linespecific">example.dom.PhoneNumber:ordinary_user|special_user
+example.dom.Contact:ordinary_user|special_user
+org.apache.isis.nof.core.service.SimpleRepository:ordinary_user|special_user
+</screen>
+
+          <para>and the <filename class="directory"
+          moreinfo="none">disallow</filename> file:</para>
+
+          <screen format="linespecific">example.dom.Contact#CreatePhone():ordinary_user</screen>
+
+          <para>For more details, see the section on Managing Security.</para>
+
+          <para></para>
+
+          <para></para>
+
+          <para></para>
+
+          <para></para>
+        </sect2>
+
+        <sect2>
+          <title>Authentication through a passwords file</title>
+
+          <para>from the "managing security" section</para>
+
+          <para></para>
+
+          <para>To explicitly use file-based authentication set the following
+          property. (Note, however, that if this property is absent, the
+          framework will anyway assume file-based authentication as the
+          default).</para>
+
+          <programlisting format="linespecific">isis.authentication=file</programlisting>
 
-      <para><emphasis>*** yada yada</emphasis></para>
+          <para>The location and name of the passwords file may be specified
+          explicitly - if not it defaults to the <filename class="directory"
+          moreinfo="none">passwords</filename> file, assumed to be in the
+          <filename class="directory" moreinfo="none">config</filename>
+          directory (or under WEB-INF if running as a web application).</para>
 
-      <sect2>
-        <title>Authentication through an LDAP server</title>
+          <programlisting format="linespecific">isis.authentication.file.location= passwords  </programlisting>
 
-        <para>To authenticate through LDAP set</para>
+          <para>The <filename class="directory"
+          moreinfo="none">passwords</filename> file contains users, passwords
+          and any roles, as follows.</para>
 
-        <programlisting format="linespecific">isis.authentication=ldap</programlisting>
+          <programlisting format="linespecific">&lt;user&gt;:&lt;password&gt;:&lt;role&gt;|&lt;role&gt;|...</programlisting>
 
-        <para>LDAP needs a URL for the server and a 'dn' of the root of the
-        users on the server. For example,</para>
+          <para>For example, user 'sven', with password 'pass' and roles
+          'role1' and 'role2' would be</para>
 
-        <programlisting format="linespecific">isis.authentication.ldap.dn= dc=isis, dc=org </programlisting>
+          <programlisting format="linespecific">sven:pass:role1|role2 </programlisting>
 
-        <programlisting format="linespecific">isis.authentication.ldap.server=ldap://localhost:10389</programlisting>
+          <para></para>
 
-        <para>The logon password check will be on uid='username', &lt;dn&gt; -
-        For example, attempting to logon with user 'sven' with the above
-        settings will check against the server on localhost, port = 10389,
-        uid=sven, dc=isis, dc=org, using the password in the standard <literal
-        moreinfo="none">userpassword</literal> attribute in that entry. Once
-        logged in, roles will be picked up from cn='rolename' where
-        objectclass =organizationalRole in child entries of the user
-        entry.</para>
-      </sect2>
+          <para></para>
 
-      <sect2>
-        <title>Authorization through LDAP server</title>
+          <para></para>
 
-        <para>To enable authorization by LDAP server include facet for
-        authorization and specifying the <literal
-        moreinfo="none">ldap</literal> implementation for
-        authorization.</para>
+          <para></para>
+        </sect2>
 
-        <programlisting format="linespecific">isis.reflector.facets.include=\
+        <sect2>
+          <title>Authorization through 'allow' and 'disallow' files</title>
+
+          <para>To enable authorization by file including the facet and
+          specifying the authorization implementation in the settings</para>
+
+          <programlisting format="linespecific">isis.reflector.facets.include=\
+    org.apache.isis.runtime.authorization.standard.AuthorizationFacetFactoryImpl
+isis.authorization=file</programlisting>
+
+          <para>With file authorization the current user's role will be
+          authorised against a white and (optionally) a black list for each
+          method possibly available to them. The files are identified by
+          properties, e.g.</para>
+
+          <programlisting format="linespecific">isis.authorization.file.whitelist=allow
+isis.authorization.file.blacklist=disallow  </programlisting>
+
+          <para>The white list file is mandatory, if there is no property it
+          defaults to 'allow' (picked up from the config directory or from
+          WEB-INF if running as a webapp). The black list file is optional.
+          The presence of the property indicates it is being used. If the
+          white list file default is being used then 'disallow' is suggested
+          as a setting for the black list.</para>
+
+          <para>Each file contains a signature to match against and a list of
+          roles. A match in the white list file permits the method and match
+          in the black list forbids it. The black list overrides the white
+          list. Matching occurs at three levels class, method (or property)
+          and parameters. Property matches are to the bean property name e.g.
+          'phone' for getPhone and setPhone.</para>
+
+          <para>Formatted as follows:</para>
+
+          <para>If only class is to be matched: &lt;fully qualified class&gt;
+          :role1|role2|..</para>
+
+          <para>Class and method: &lt;fully qualified
+          class&gt;#&lt;method&gt;:role1|role2|..</para>
+
+          <para>Class and property: &lt;fully qualified
+          class&gt;#&lt;property&gt;:role1|role2|..</para>
+
+          <para>Parameters where method takes no parameters: &lt;fully
+          qualified class&gt;#&lt;method&gt;():role1|role2|...</para>
+
+          <para>Parameters where method takes one parameter: &lt;fully
+          qualified class&gt;#&lt;method&gt;(fully qualified parameter
+          class):role1|role2|...</para>
+
+          <para>Parameters where method takes two or more:</para>
+
+          <para>&lt;fully qualified class&gt;#&lt;method&gt;(fully qualified
+          parameter class1, fully qualified parameter class2,
+          ...):role1|role2|...</para>
+
+          <para>Each line in the file is a separate match.</para>
+
+          <para>So, for example, in the white list file</para>
+
+          <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate:role1 </programlisting>
+
+          <para>will permit all actions/properties on <literal
+          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
+          for role1</para>
+
+          <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.
+    ClaimantRepositoryHibernate#findClaimantByName:role1|role2</programlisting>
+
+          <para>will permit all overloaded methods named <literal
+          moreinfo="none">findClaimantByName</literal> on <literal
+          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate</literal>
+          for role1 and role2 and</para>
+
+          <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate#findClaimantByIdentifier(java.lang.String):role3</programlisting>
+
+          <para>will permit <literal
+          moreinfo="none">findClaimantByIdentifier</literal> with parameter
+          <literal moreinfo="none">java.lang.String</literal> on <literal
+          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate</literal>
+          for role3. In each case an identical entry in the black list file
+          will instead make the action or property unavailable. The
+          combination of white and black list allows some economy in the
+          settings. For example, if all but one method of a large class is to
+          be allowed, that could be configured with one entry per method in
+          the white list file or, better, a single entry for the class in the
+          white list and a single entry for the unavailable method in the
+          black list.</para>
+        </sect2>
+
+        <sect2>
+          <title>Authorization through 'allow' and 'disallow' files</title>
+
+          <para>To enable authorization by file including the facet and
+          specifying the authorization implementation in the settings</para>
+
+          <programlisting format="linespecific">isis.reflector.facets.include=\
+    org.apache.isis.runtime.authorization.standard.AuthorizationFacetFactoryImpl
+isis.authorization=file</programlisting>
+
+          <para>With file authorization the current user's role will be
+          authorised against a white and (optionally) a black list for each
+          method possibly available to them. The files are identified by
+          properties, e.g.</para>
+
+          <programlisting format="linespecific">isis.authorization.file.whitelist=allow
+isis.authorization.file.blacklist=disallow  </programlisting>
+
+          <para>The white list file is mandatory, if there is no property it
+          defaults to 'allow' (picked up from the config directory or from
+          WEB-INF if running as a webapp). The black list file is optional.
+          The presence of the property indicates it is being used. If the
+          white list file default is being used then 'disallow' is suggested
+          as a setting for the black list.</para>
+
+          <para>Each file contains a signature to match against and a list of
+          roles. A match in the white list file permits the method and match
+          in the black list forbids it. The black list overrides the white
+          list. Matching occurs at three levels class, method (or property)
+          and parameters. Property matches are to the bean property name e.g.
+          'phone' for getPhone and setPhone.</para>
+
+          <para>Formatted as follows:</para>
+
+          <para>If only class is to be matched: &lt;fully qualified class&gt;
+          :role1|role2|..</para>
+
+          <para>Class and method: &lt;fully qualified
+          class&gt;#&lt;method&gt;:role1|role2|..</para>
+
+          <para>Class and property: &lt;fully qualified
+          class&gt;#&lt;property&gt;:role1|role2|..</para>
+
+          <para>Parameters where method takes no parameters: &lt;fully
+          qualified class&gt;#&lt;method&gt;():role1|role2|...</para>
+
+          <para>Parameters where method takes one parameter: &lt;fully
+          qualified class&gt;#&lt;method&gt;(fully qualified parameter
+          class):role1|role2|...</para>
+
+          <para>Parameters where method takes two or more:</para>
+
+          <para>&lt;fully qualified class&gt;#&lt;method&gt;(fully qualified
+          parameter class1, fully qualified parameter class2,
+          ...):role1|role2|...</para>
+
+          <para>Each line in the file is a separate match.</para>
+
+          <para>So, for example, in the white list file</para>
+
+          <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate:role1 </programlisting>
+
+          <para>will permit all actions/properties on <literal
+          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
+          for role1</para>
+
+          <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.
+    ClaimantRepositoryHibernate#findClaimantByName:role1|role2</programlisting>
+
+          <para>will permit all overloaded methods named <literal
+          moreinfo="none">findClaimantByName</literal> on <literal
+          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate</literal>
+          for role1 and role2 and</para>
+
+          <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate#findClaimantByIdentifier(java.lang.String):role3</programlisting>
+
+          <para>will permit <literal
+          moreinfo="none">findClaimantByIdentifier</literal> with parameter
+          <literal moreinfo="none">java.lang.String</literal> on <literal
+          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate</literal>
+          for role3. In each case an identical entry in the black list file
+          will instead make the action or property unavailable. The
+          combination of white and black list allows some economy in the
+          settings. For example, if all but one method of a large class is to
+          be allowed, that could be configured with one entry per method in
+          the white list file or, better, a single entry for the class in the
+          white list and a single entry for the unavailable method in the
+          black list.</para>
+
+          <para></para>
+
+          <para></para>
+
+          <para>There is an optional capability to authorise the visibility
+          and usability of fields independently. Thus a field may be visible
+          to certain roles but not editable. In order to configure this
+          against a authorization a flag must be added as follows.</para>
+
+          <para></para>
+
+          <para></para>
+
+          <para>As a tool for helping to configure the initial security
+          settings there is a 'learn' property.</para>
+
+          <programlisting format="linespecific">isis.authorization.learn=true</programlisting>
+
+          <para>When this is present and set, all methods will be authorised
+          for all roles. However as each method is accessed through the user
+          interface authorization will be configured for that method and the
+          current role. Configuration will be saved in either the file (saved
+          on shutdown), database table or LDAP security settings depending
+          upon the reflector setup.</para>
+
+          <para>The settings can then be modified to conform to the required
+          security settings.</para>
+
+          <para></para>
+
+          <para></para>
+
+          <para></para>
+        </sect2>
+      </sect1>
+    </chapter>
+  </part>
+
+  <part>
+    <title>LDAP Security Implementation</title>
+
+    <chapter>
+      <title>Introduction</title>
+
+      <abstract>
+        <para>*** yada yada</para>
+      </abstract>
+
+      <sect1>
+        <title>***</title>
+
+        <para><emphasis>*** yada yada</emphasis></para>
+
+        <sect2>
+          <title>Authentication through an LDAP server</title>
+
+          <para>To authenticate through LDAP set</para>
+
+          <programlisting format="linespecific">isis.authentication=ldap</programlisting>
+
+          <para>LDAP needs a URL for the server and a 'dn' of the root of the
+          users on the server. For example,</para>
+
+          <programlisting format="linespecific">isis.authentication.ldap.dn= dc=isis, dc=org </programlisting>
+
+          <programlisting format="linespecific">isis.authentication.ldap.server=ldap://localhost:10389</programlisting>
+
+          <para>The logon password check will be on uid='username', &lt;dn&gt;
+          - For example, attempting to logon with user 'sven' with the above
+          settings will check against the server on localhost, port = 10389,
+          uid=sven, dc=isis, dc=org, using the password in the standard
+          <literal moreinfo="none">userpassword</literal> attribute in that
+          entry. Once logged in, roles will be picked up from cn='rolename'
+          where objectclass =organizationalRole in child entries of the user
+          entry.</para>
+        </sect2>
+
+        <sect2>
+          <title>Authorization through LDAP server</title>
+
+          <para>To enable authorization by LDAP server include facet for
+          authorization and specifying the <literal
+          moreinfo="none">ldap</literal> implementation for
+          authorization.</para>
+
+          <programlisting format="linespecific">isis.reflector.facets.include=\
     org.apache.isis.runtime.authorization.standard.AuthorizationFacetFactoryImpl
 isis.authorization=ldap</programlisting>
 
-        <para>With LDAP authorization the current user's role will be
-        authorised against an entry in the LDAP server for each method
-        possibly available to them. The URL of the server is obtained from the
-        same property as for authentication.</para>
-
-        <para>The authorization entries should exist under a DN configured in
-        the property file. For example.</para>
-
-        <programlisting format="linespecific">isis.authorization.ldap.application.dn= cn=expenses, dc=apps, dc=isis, dc=org </programlisting>
-
-        <para>This will be checked anonymously.</para>
-
-        <para>Entries to be matched against should exist under this dn.
-        Expected configuration is a hierarchy of class, method and parameters.
-        The cn of each entry is expected to be the fully qualified class name,
-        method or parameter list ('()' for an empty parameter list). If an
-        entry has a 'uniquemember' attribute equal to 'role' then that entry
-        and all sub-entries are authorised.</para>
-
-        <para>For example</para>
-
-        <para>DN:
-        cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
-        cn=expenses, dc=apps, dc=isis, dc=org</para>
-
-        <para>with uniquemember = role1 will authorise all members of <literal
-        moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
-        for users with role1.</para>
-
-        <para>DN: cn=(com.isisgroup.expenses.claimant.Claimant,
-        java.lang.String),</para>
-
-        <para>cn=createNewClaim,
-        cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
-        cn=expenses, dc=apps, dc=isis, dc=org</para>
-
-        <para>with uniquemember = role1 will authorise the <literal
-        moreinfo="none">createNewClaim(com.isisgroup.expenses.claimant.Claimant,
-        String)</literal> member of <literal
-        moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
-        for users with role1.</para>
-      </sect2>
-
-      <sect2>
-        <title>Authorization through LDAP server</title>
-
-        <para>To enable authorization by LDAP server include facet for
-        authorization and specifying the <literal
-        moreinfo="none">ldap</literal> implementation for
-        authorization.</para>
+          <para>With LDAP authorization the current user's role will be
+          authorised against an entry in the LDAP server for each method
+          possibly available to them. The URL of the server is obtained from
+          the same property as for authentication.</para>
+
+          <para>The authorization entries should exist under a DN configured
+          in the property file. For example.</para>
+
+          <programlisting format="linespecific">isis.authorization.ldap.application.dn= cn=expenses, dc=apps, dc=isis, dc=org </programlisting>
+
+          <para>This will be checked anonymously.</para>
+
+          <para>Entries to be matched against should exist under this dn.
+          Expected configuration is a hierarchy of class, method and
+          parameters. The cn of each entry is expected to be the fully
+          qualified class name, method or parameter list ('()' for an empty
+          parameter list). If an entry has a 'uniquemember' attribute equal to
+          'role' then that entry and all sub-entries are authorised.</para>
+
+          <para>For example</para>
+
+          <para>DN:
+          cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
+          cn=expenses, dc=apps, dc=isis, dc=org</para>
+
+          <para>with uniquemember = role1 will authorise all members of
+          <literal
+          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
+          for users with role1.</para>
+
+          <para>DN: cn=(com.isisgroup.expenses.claimant.Claimant,
+          java.lang.String),</para>
+
+          <para>cn=createNewClaim,
+          cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
+          cn=expenses, dc=apps, dc=isis, dc=org</para>
+
+          <para>with uniquemember = role1 will authorise the <literal
+          moreinfo="none">createNewClaim(com.isisgroup.expenses.claimant.Claimant,
+          String)</literal> member of <literal
+          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
+          for users with role1.</para>
+        </sect2>
+
+        <sect2>
+          <title>Authorization through LDAP server</title>
+
+          <para>To enable authorization by LDAP server include facet for
+          authorization and specifying the <literal
+          moreinfo="none">ldap</literal> implementation for
+          authorization.</para>
 
-        <programlisting format="linespecific">isis.reflector.facets.include=\
+          <programlisting format="linespecific">isis.reflector.facets.include=\
     org.apache.isis.runtime.authorization.standard.AuthorizationFacetFactoryImpl
 isis.authorization=ldap</programlisting>
 
-        <para>With LDAP authorization the current user's role will be
-        authorised against an entry in the LDAP server for each method
-        possibly available to them. The URL of the server is obtained from the
-        same property as for authentication.</para>
-
-        <para>The authorization entries should exist under a DN configured in
-        the property file. For example.</para>
-
-        <programlisting format="linespecific">isis.authorization.ldap.application.dn= cn=expenses, dc=apps, dc=isis, dc=org </programlisting>
-
-        <para>This will be checked anonymously.</para>
-
-        <para>Entries to be matched against should exist under this dn.
-        Expected configuration is a hierarchy of class, method and parameters.
-        The cn of each entry is expected to be the fully qualified class name,
-        method or parameter list ('()' for an empty parameter list). If an
-        entry has a 'uniquemember' attribute equal to 'role' then that entry
-        and all sub-entries are authorised.</para>
-
-        <para>For example</para>
-
-        <para>DN:
-        cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
-        cn=expenses, dc=apps, dc=isis, dc=org</para>
-
-        <para>with uniquemember = role1 will authorise all members of <literal
-        moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
-        for users with role1.</para>
-
-        <para>DN: cn=(com.isisgroup.expenses.claimant.Claimant,
-        java.lang.String),</para>
-
-        <para>cn=createNewClaim,
-        cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
-        cn=expenses, dc=apps, dc=isis, dc=org</para>
-
-        <para>with uniquemember = role1 will authorise the <literal
-        moreinfo="none">createNewClaim(com.isisgroup.expenses.claimant.Claimant,
-        String)</literal> member of <literal
-        moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
-        for users with role1.</para>
+          <para>With LDAP authorization the current user's role will be
+          authorised against an entry in the LDAP server for each method
+          possibly available to them. The URL of the server is obtained from
+          the same property as for authentication.</para>
 
-        <para></para>
+          <para>The authorization entries should exist under a DN configured
+          in the property file. For example.</para>
 
-        <para></para>
+          <programlisting format="linespecific">isis.authorization.ldap.application.dn= cn=expenses, dc=apps, dc=isis, dc=org </programlisting>
 
-        <para>There is an optional capability to authorise the visibility and
-        usability of fields independently. Thus a field may be visible to
-        certain roles but not editable. In order to configure this against a
-        authorization a flag must be added as follows.</para>
+          <para>This will be checked anonymously.</para>
 
-        <para></para>
+          <para>Entries to be matched against should exist under this dn.
+          Expected configuration is a hierarchy of class, method and
+          parameters. The cn of each entry is expected to be the fully
+          qualified class name, method or parameter list ('()' for an empty
+          parameter list). If an entry has a 'uniquemember' attribute equal to
+          'role' then that entry and all sub-entries are authorised.</para>
 
-        <para>Add a flags attribute to the entry with the role. If it's set to
-        'rw' editing will be allowed, any other value (typically 'ro') will
-        disallow editing.</para>
+          <para>For example</para>
 
-        <para>In each case absence of the flag will mean that visibility and
-        usability and are always the same.</para>
+          <para>DN:
+          cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
+          cn=expenses, dc=apps, dc=isis, dc=org</para>
 
-        <para></para>
+          <para>with uniquemember = role1 will authorise all members of
+          <literal
+          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
+          for users with role1.</para>
 
-        <para></para>
+          <para>DN: cn=(com.isisgroup.expenses.claimant.Claimant,
+          java.lang.String),</para>
 
-        <para>As a tool for helping to configure the initial security settings
-        there is a 'learn' property.</para>
+          <para>cn=createNewClaim,
+          cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
+          cn=expenses, dc=apps, dc=isis, dc=org</para>
 
-        <programlisting format="linespecific">isis.authorization.learn=true</programlisting>
+          <para>with uniquemember = role1 will authorise the <literal
+          moreinfo="none">createNewClaim(com.isisgroup.expenses.claimant.Claimant,
+          String)</literal> member of <literal
+          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
+          for users with role1.</para>
 
-        <para>When this is present and set, all methods will be authorised for
-        all roles. However as each method is accessed through the user
-        interface authorization will be configured for that method and the
-        current role. Configuration will be saved in either the file (saved on
-        shutdown), database table or LDAP security settings depending upon the
-        reflector setup.</para>
+          <para></para>
 
-        <para>The settings can then be modified to conform to the required
-        security settings.</para>
+          <para></para>
 
-        <para></para>
+          <para>There is an optional capability to authorise the visibility
+          and usability of fields independently. Thus a field may be visible
+          to certain roles but not editable. In order to configure this
+          against a authorization a flag must be added as follows.</para>
 
-        <para></para>
-      </sect2>
-    </sect1>
-  </chapter>
+          <para></para>
 
-  <chapter>
-    <title>***</title>
+          <para>Add a flags attribute to the entry with the role. If it's set
+          to 'rw' editing will be allowed, any other value (typically 'ro')
+          will disallow editing.</para>
 
-    <abstract>
-      <para>*** yada yada</para>
-    </abstract>
+          <para>In each case absence of the flag will mean that visibility and
+          usability and are always the same.</para>
 
-    <sect1>
-      <title>***</title>
+          <para></para>
 
-      <para><emphasis>*** yada yada</emphasis></para>
-    </sect1>
-  </chapter>
+          <para></para>
 
-  <appendix>
-    <title>***</title>
+          <para>As a tool for helping to configure the initial security
+          settings there is a 'learn' property.</para>
 
-    <abstract>
-      <para>*** yada yada</para>
-    </abstract>
+          <programlisting format="linespecific">isis.authorization.learn=true</programlisting>
 
-    <sect1 id="sec.module-ui">
-      <title>***</title>
+          <para>When this is present and set, all methods will be authorised
+          for all roles. However as each method is accessed through the user
+          interface authorization will be configured for that method and the
+          current role. Configuration will be saved in either the file (saved
+          on shutdown), database table or LDAP security settings depending
+          upon the reflector setup.</para>
 
-      <para>*** yada yada</para>
-    </sect1>
-  </appendix>
+          <para>The settings can then be modified to conform to the required
+          security settings.</para>
+
+          <para></para>
+
+          <para></para>
+        </sect2>
+      </sect1>
+    </chapter>
+  </part>
 </book>

Modified: incubator/isis/trunk/security/src/site/site.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/src/site/site.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/src/site/site.xml (original)
+++ incubator/isis/trunk/security/src/site/site.xml Tue Apr 12 22:37:15 2011
@@ -17,6 +17,11 @@
             <item name="LDAP" href="./ldap/index.html" />
         </menu>
 
+        <menu name="Documentation">
+            <item name="${docbkxGuideTitle} (PDF)" href="docbkx/pdf/${docbkxGuideName}.pdf" />
+            <item name="${docbkxGuideTitle} (HTML)" href="docbkx/html/guide/${docbkxGuideName}.html" />
+        </menu>
+
         <menu name="Maven Reports" ref="reports" />
 	</body>
 </project>

Modified: incubator/isis/trunk/src/site/apt/documentation.apt
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/apt/documentation.apt?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/src/site/apt/documentation.apt (original)
+++ incubator/isis/trunk/src/site/apt/documentation.apt Tue Apr 12 22:37:15 2011
@@ -45,13 +45,9 @@ Documentation
 *--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
 |core                            |Core Framework                      |Architecture, APIs and Customization            |{{{./core/docbkx/pdf/isis-core.pdf}PDF}}                                         |{{{./core/docbkx/html/guide/isis-core.html}HTML}}                                         |50%       |Dan, Rob |
 *--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
-|progmodels:groovy               |Groovy Programming Model            |Configuration and Deployment Guide              |{{{./progmodels/groovy/docbkx/pdf/isis-groovy-support.pdf}PDF}}                  |{{{./progmodels/groovy/docbkx/html/guide/isis-groovy-support.html}HTML}}                  |Done      |Dan      |
+|progmodels                      |Programming Models                  |Configuration and Customization Guide           |{{{./progmodels/docbkx/pdf/isis-progmodels.pdf}PDF}}                             |{{{./progmodels/docbkx/html/guide/isis-progmodels.html}HTML}}                             |33%       |Dan      |
 *--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
-|progmodels:wrapper              |Wrapper Programming Model           |Configuration and Deployment Guide              |{{{./progmodels/wrapper/docbkx/pdf/isis-wrapper.pdf}PDF}}                        |{{{./progmodels/wrapper/docbkx/html/guide/isis-wrapper.html}HTML}}                        |0%        |Dan      |
-*--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
-|security:file                   |File Security                       |Configuration and Deployment Guide              |{{{./security/file/docbkx/pdf/isis-file-security.pdf}PDF}}                       |{{{./security/file/docbkx/html/guide/isis-file-security.html}HTML}}                       |10%       |Dan,Rob  |
-*--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
-|security:ldap                   |LDAP Security                       |Configuration and Deployment Guide              |{{{./security/ldap/docbkx/pdf/isis-ldap-security.pdf}PDF}}                       |{{{./security/ldap/docbkx/html/guide/isis-ldap-security.html}HTML}}                       |10%       |Rob      |
+|security                        |Security                            |Configuration and Deployment Guide              |{{{./security/docbkx/pdf/isis-security.pdf}PDF}}                                 |{{{./security/docbkx/html/guide/isis-security.html}HTML}}                                 |10%       |Dan,Rob  |
 *--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
 |runtimes:dflt                   |Default Runtime                     |Programming, Configuration and Deployment Guide |{{{./runtimes/dflt/docbkx/pdf/isis-default-runtime.pdf}PDF}}                     |{{{./runtimes/dflt/docbkx/html/guide/isis-default-runtime.html}HTML}}                     |0%        |Dan      |
 *--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+

Modified: incubator/isis/trunk/src/site/apt/quickstart-app.apt
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/apt/quickstart-app.apt?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/src/site/apt/quickstart-app.apt (original)
+++ incubator/isis/trunk/src/site/apt/quickstart-app.apt Tue Apr 12 22:37:15 2011
@@ -24,7 +24,7 @@ QuickStart App
 
 +------------------------------------------------------------
 mvn archetype:generate  \
-    -D archetypeCatalog=https://incubator.apache.org/isis \
+    -D archetypeCatalog=http://incubator.apache.org/isis \
     -D archetypeGroupId=org.apache.isis.support \
     -D archetypeArtifactId=quickstart-archetype
 

Modified: incubator/isis/trunk/src/site/resources/images/HexagonalArchitectureOverview.odg
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/resources/images/HexagonalArchitectureOverview.odg?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
Binary files - no diff available.

Modified: incubator/isis/trunk/src/site/resources/images/HexagonalArchitectureOverview.png
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/resources/images/HexagonalArchitectureOverview.png?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
Binary files - no diff available.

Modified: incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis-notes.pdf
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis-notes.pdf?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
Binary files - no diff available.

Modified: incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis-slides.pdf
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis-slides.pdf?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
Binary files - no diff available.

Modified: incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis.odp
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis.odp?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
Binary files - no diff available.

Modified: incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis.ppt
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis.ppt?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
Binary files - no diff available.

Modified: incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis.pptx
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis.pptx?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
Binary files - no diff available.



Mime
View raw message