tapestry-users mailing list archives

From "Christopher Dodunski" <ChrisFromTapes...@christopher.net.nz>
Subject Authorisation in Tapestry Applications
Date Sun, 26 Nov 2017 04:16:31 GMT

Hi All,

The Tapestry Hotel demo app has proven a good lesson in implementing
AUTHENTICATION.  Having developed a multi-user Tapestry app, I now need to
implement AUTHORISATION, but the Hotel demo app is aimed at just one user
type: visitors.

I created a role table in my Tapestry application (screenshot attached). 
Permissions are specified in terms of CRUD actions, meaning there are four
columns for each domain (Hibernate) entity: e.g. CAN_CREATE_USER,
CAN_READ_USER, CAN_UPDATE_USER, CAN_DELETE_USER, etc.

The Hotel demo app enforces authentication by including or excluding the
@AnonymousAccess annotation on page classes.  I imagine enforcing page
authorisation could be done similarly, using a single annotation.  This
could prevent users lacking the necessary privilege from accessing certain
pages, for instance 'pages/DeleteUser.java'.  Ideally, though, it would be
desirable to also prevent users from navigating to such pages in the first
place.  Either the PageLink icon is greyed out, or there is no link.

I am seeking some direction - perhaps even some example code - in how to
have my Tapestry application enforce the privileges specified in my role
table.

Thanks & regards,

Chris.
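
The scheme described in the message above, sketched as an added example; it is not part of the original post and not code from the Tapestry project or the Hotel demo. It uses plain Java with no Tapestry API. The `RequiresPermission` annotation, the `Role` record and the `isAllowed` method are hypothetical names, and the assumption is that one decision method is called both where the application currently checks `@AnonymousAccess` and where it decides whether to render a link, so a hidden link is never the only control.

```java
import java.lang.annotation.*;
import java.util.*;

public class PageAuthorisationExample {

    // Mirrors the role table's CAN_<ACTION>_<ENTITY> columns (User entity only here).
    enum Permission { CAN_CREATE_USER, CAN_READ_USER, CAN_UPDATE_USER, CAN_DELETE_USER }

    // Hypothetical page-class annotation, used the way @AnonymousAccess is used.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    @interface RequiresPermission { Permission[] value(); }

    // One row of the role table: the columns that are true for this role.
    record Role(String name, Set<Permission> granted) {}

    // Stand-ins for page classes such as pages/DeleteUser.java.
    @RequiresPermission(Permission.CAN_DELETE_USER)
    static class DeleteUser {}

    @RequiresPermission(Permission.CAN_READ_USER)
    static class ViewUser {}

    static class Unannotated {}   // assumption: a page with no annotation is denied

    // Single decision point for request enforcement and for link rendering.
    static boolean isAllowed(Role role, Class<?> page) {
        RequiresPermission req = page.getAnnotation(RequiresPermission.class);
        // Fail closed: no session role, no annotation, or an empty permission list.
        if (role == null || req == null || req.value().length == 0) {
            return false;
        }
        return role.granted().containsAll(Arrays.asList(req.value()));
    }

    public static void main(String[] args) {
        // Constructed sample roles; a real application would load them from the role table.
        Role clerk = new Role("clerk", EnumSet.of(Permission.CAN_READ_USER));
        Role admin = new Role("admin", EnumSet.allOf(Permission.class));
        for (Class<?> page : List.of(ViewUser.class, DeleteUser.class, Unannotated.class)) {
            System.out.printf("%-12s clerk=%b admin=%b anonymous=%b%n",
                    page.getSimpleName(), isAllowed(clerk, page),
                    isAllowed(admin, page), isAllowed(null, page));
        }
    }
}
```

The request-side call is the enforcement; the link-side call only keeps the UI consistent with it, since a page URL can be requested directly whether or not a link was rendered.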
