Simple security module by gorbunkov · Pull Request #2319 · jmix-framework/jmix · GitHub

Simple security module #2319

Draft: wants to merge 10 commits into base: master

gorbunkov (Contributor) commented Oct 4, 2023

New Modules

Simple Security Module

  • Vaadin FlowUI security configuration
  • Menu and View constraints that analyze @RolesAllowed annotation on view controller
  • An implementation of LoginViewSupport
  • ViewAccessManager for granting view access to roles

Local User Management Module

  • UserSubstitutionEntity moved here from security-data module
  • User substitution views moved to this module
  • All password validation classes moved from security-flowui module
  • Change password and reset password actions moved from security-flowui module
  • Change password and reset password views moved from security-flowui module

New Interfaces

ServiceUserProvider

The ServiceUserProvider interface is used for getting the system and anonymous users. Previously the UserRepository was responsible for this.

UserClassResolver

The UserClassResolver interface is used for getting a class that represents the user of the application. Previously the UserRepository was responsible for this.

UserAuthoritiesPopulator

The UserAuthoritiesPopulator class is used by the database user repository to populate user authorities. In the new project template, the DatabaseUserRepository won't be scaffolded; only UserAuthoritiesPopulator will be scaffolded instead.

New Project Template Changes

  • DatabaseUserRepository isn't scaffolded in the project. The bean is defined now in the core module.
  • UiMinimalRole and FullAccessRole removed from the project template.
  • New classes added to project template: AppServiceUserProvider, AppUserAuthoritiesPopulator, AppUserClassResolver, ViewAccessInitializer

Working with Simple Security Module

Roles must be assigned to users in the AppUserAuthoritiesPopulator generated in the project. The default implementation grants the ADMIN role to the "admin" user and the "USER" role to all other users.

/**
 * The class is used by the {@link io.jmix.core.security.user.DatabaseUserRepository} to populate granted authorities of
 * the loaded user.
 */
@Component
public class AppUserAuthoritiesPopulator implements UserAuthoritiesPopulator<User> {

    private static final String USER_ROLE = "USER";

    private GrantedAuthorityUtils grantedAuthorityUtils;

    private SimpleSecurityProperties simpleSecurityProperties;

    public AppUserAuthoritiesPopulator(GrantedAuthorityUtils grantedAuthorityUtils,
                                       SimpleSecurityProperties simpleSecurityProperties) {
        this.grantedAuthorityUtils = grantedAuthorityUtils;
        this.simpleSecurityProperties = simpleSecurityProperties;
    }

    @Override
    public void populateUserAuthorities(User user) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        GrantedAuthority userRole = grantedAuthorityUtils.createRoleGrantedAuthority(USER_ROLE);
        authorities.add(userRole);
        if ("admin".equals(user.getUsername())) {
            GrantedAuthority adminRole = grantedAuthorityUtils.createRoleGrantedAuthority(simpleSecurityProperties.getAdminRole());
            authorities.add(adminRole);
        }
        user.setAuthorities(authorities);
    }
}

The ADMIN role has access to any screen by default. The name of the admin role can be configured using the SimpleSecurityProperties.

Granting access to views from the application is done using the @RolesAllowed and @AnonymousAllowed annotations (a standard Vaadin way). The role name here may be defined either with or without the "ROLE_" prefix:

@RolesAllowed("USER")
@ViewController("Customer.list")
//...
public class CustomerListView extends StandardListView<Customer> {
}

Granting access to views from included add-ons can be done using the ViewAccessManager API in the generated ViewAccessInitializer class:

/**
 * Class is responsible for granting access to views from included add-ons.
 */
@Component
public class ViewAccessInitializer {

    private final ViewAccessManager viewAccessManager;

    public ViewAccessInitializer(ViewAccessManager viewAccessManager) {
        this.viewAccessManager = viewAccessManager;
    }

    @EventListener
    public void onApplicationEvent(ApplicationStartedEvent event) {
        viewAccessManager.grantAccess("USER", FlowuiViewIndex.editFilterGroup.viewIds());
        viewAccessManager.grantAccess("USER", FlowuiViewIndex.inputDialog.viewId());
    }
}

To simplify finding view ids, each add-on will provide a "view index" interface (e.g. FlowuiViewIndex) that provides information about the views located in the add-on and also groups of views, e.g. "all views for filter editing".
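
A minimal model of the access decision described in the pull request above (role names with or without the "ROLE_" prefix, per-view grants, and an admin role that reaches every view), added here as an illustration and not code from the PR or from Jmix. SketchViewAccess, its methods and the view ids "inputDialog" and "User.list" are hypothetical, and denying a view that has no grant is an assumption.

```java
import java.util.*;

// Illustrative model only: SketchViewAccess is hypothetical, not Jmix's ViewAccessManager.
public class SketchViewAccess {
    private static final String PREFIX = "ROLE_";
    private final String adminRole;                                   // configurable, as the PR describes
    private final Map<String, Set<String>> grants = new HashMap<>();  // viewId -> normalized role names

    public SketchViewAccess(String adminRole) {
        this.adminRole = normalize(adminRole);
    }

    // "USER" and "ROLE_USER" must name the same role, so both sides are normalized before comparing.
    static String normalize(String role) {
        return role.startsWith(PREFIX) ? role.substring(PREFIX.length()) : role;
    }

    // Stands in for both @RolesAllowed on a view and grantAccess(role, viewIds) for add-on views.
    public void grantAccess(String role, String... viewIds) {
        for (String id : viewIds) {
            grants.computeIfAbsent(id, k -> new HashSet<>()).add(normalize(role));
        }
    }

    public boolean isAllowed(Collection<String> authorities, String viewId) {
        Set<String> allowed = grants.getOrDefault(viewId, Set.of());  // assumption: no grant means deny
        for (String authority : authorities) {
            String role = normalize(authority);
            if (role.equals(adminRole) || allowed.contains(role)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        SketchViewAccess access = new SketchViewAccess("ADMIN");
        access.grantAccess("USER", "Customer.list");      // as @RolesAllowed("USER") would
        access.grantAccess("ROLE_USER", "inputDialog");   // constructed id for an add-on view

        List<String> user = List.of("ROLE_USER");
        List<String> admin = List.of("ROLE_USER", "ROLE_ADMIN");
        System.out.println(access.isAllowed(user, "Customer.list"));      // granted to USER
        System.out.println(access.isAllowed(user, "inputDialog"));        // prefixed grant matches too
        System.out.println(access.isAllowed(user, "User.list"));          // view without a grant
        System.out.println(access.isAllowed(admin, "User.list"));         // admin role bypasses grants
        System.out.println(access.isAllowed(List.of(), "Customer.list")); // no authorities at all
    }
}
```

A check like the third call is worth keeping as a regression test in a real project: a view that nobody granted should stay closed to non-admin roles.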

gorbunkov force-pushed the 2318-simple-security branch from acc0216 to e588887 on November 1, 2023 13:14
local-user-management modules added
simple-security modules added
new user management related interfaces and implementations introduced: ServiceUserProvider, UserClassResolver, UserAuthoritiesPopulator
Remove SpecificConstraintImpl
Shared between both security modules
applySecurityConfigurersWithQualifier moved from SecurityConfigurers to QualifiedSecurityConfigurers class
ViewAccessManager introduced
FlowuiViewIndex and DatatoolsViewIndex classes introduced as examples of views indexes
gorbunkov force-pushed the 2318-simple-security branch from 5ed191c to 184c5e8 on November 29, 2023 11:35
InputDialog view added to FlowuiViewIndex
AppUserAuthoritiesPopulator changed in project template
gorbunkov linked an issue on Aug 6, 2024 that may be closed by this pull request