[aerogear-dev] Security Scaffolding

Sebastien Blanc scm.blanc at gmail.com
Mon Apr 15 05:35:40 EDT 2013


Good morning!
I've been thinking about Security Scaffolding. It's a different beast than
a simple CRUD scaffolding. It's a bit more difficult to make assumptions
when you want to generate security flows: which HTTP method to protect?
Using only authentication or also authorization? etc.

Therefore, I've been thinking of some kind of configuration that the user
could provide before the scaffolding process, keeping it really simple and
"human readable", which could really speed up setting up the security
layer:


{
  "security": {
    "createUsers": ["sebi", "abstractj"],                            //1
    "createRole": ["simple", "admin"],                               //2
    "roleMap": {"simple": ["abstractj", "sebi"], "admin": ["sebi"]}, //3
    "generateLoginForm": true,                                       //4
    "generateOTPPage": true,                                         //5
    "entities": {                                                    //6
      "org.sebi.Task": {
        "GET": {
          "authentification": false
        },
        "POST": {
          "authentification": true,
          "authorization": "simple"
        },
        "PUT": {
          "authentification": true,
          "authorization": "admin"
        },
        "DELETE": {
          "authentification": true,
          "authorization": "admin"
        }
      }
    }
  }
}

Let me detail each of these points to make the discussion easier:

 * 1. createUsers: we pass a list of users that will be inserted into
the DB. This will generate either a SQL script or a class creating the
users, like in https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java

 * 2. createRole: we pass a list of roles that will be inserted into
the DB. This will generate either a SQL script or a class creating the
roles, like in https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java

 * 3. roleMap: here we create an association map between users and
roles. This will generate either a SQL script or a class creating the
mappings, like in https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java

 * 4. generateLoginForm: if true, the UI scaffolding will also
generate a login form (location and layout depending on the
scaffolding provider (AngularJS+Bootstrap, AngularJS+JQM), or on a
custom template fragment provided by the user).

 * 5. generateOTPPage: if true, the UI scaffolding will also generate
an OTP page (location and layout depending on the scaffolding provider
(AngularJS+Bootstrap, AngularJS+JQM), or on a custom template fragment
provided by the user).

 * 6. entities: here we configure the security flow for each entity,
per HTTP method. Concretely, this will mean:
          - On the backend, generate the right route, i.e.:

route().from("/task").roles("admin").on(RequestMethod.DELETE).to(Task.class).delete();

          - On the frontend, setting the flag or not on a pipe to enable auth. Other
options are possible, like hiding links or disabling buttons depending on the
authorization/authentication. We should discuss these options.

I think it could be a nice addition, and from the feedback I've heard, this
kind of feature is really missing today in the current scaffolding tools
regarding security. This could really be a killer feature, and it is not hard to
implement.

Please comment and ask questions to polish the feature!

Seb
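As an added example (not part of Seb's message and not AeroGear code), the following sketch shows the two things a generator for this config would have to do before emitting anything: validate the proposal's cross-references (every user in roleMap declared in createUsers, every role declared in createRole, authorization never set without authentication, all four verbs decided for each entity), and then render one AeroGear Controller route line per entity and method. Only the shape of the route DSL line comes from the post; the validation rules, the function names, the per-verb handler names other than delete(), the "/task" path derivation and the sample config below are assumptions of this example. The sample deliberately repeats the kind of slip that is easy to make in such a file (a misspelt user name, a PUT rule with authorization but no authentication) so the validator has something to catch.

```python
# Added example, not AeroGear's or the author's code. Only the DSL line shape
# route().from(...).roles(...).on(RequestMethod.X).to(Clazz.class).delete()
# is taken from the post; all rules, names and the sample config are hypothetical.
import json
from typing import List

HTTP_METHODS = ("GET", "POST", "PUT", "DELETE")

# Hypothetical controller method per verb; only delete() appears in the post.
HANDLER = {"GET": "list", "POST": "save", "PUT": "update", "DELETE": "delete"}

# Constructed sample in the proposed shape, with two deliberate mistakes:
# "abtractj" (createUsers) vs "abstractj" (roleMap), and a PUT rule that
# names a role but never says whether authentication is required.
SAMPLE_CONFIG = """
{
  "security": {
    "createUsers": ["sebi", "abtractj"],
    "createRole": ["simple", "admin"],
    "roleMap": {"simple": ["abstractj", "sebi"], "admin": ["sebi"]},
    "generateLoginForm": true,
    "generateOTPPage": true,
    "entities": {
      "org.sebi.Task": {
        "GET":    {"authentification": false},
        "POST":   {"authentification": true, "authorization": "simple"},
        "PUT":    {"authorization": "admin"},
        "DELETE": {"authentification": true, "authorization": "admin"}
      }
    }
  }
}
"""


def load_security(text: str) -> dict:
    """Parse the config text and return its "security" object."""
    return json.loads(text)["security"]


def validate(security: dict) -> List[str]:
    """Return every inconsistency found; an empty list means the config is sound.

    The rules are this example's own (the post does not define them): users and
    roles must be declared before they are referenced, authorization implies
    authentication, and every entity must decide all four verbs explicitly so a
    forgotten verb cannot silently end up unprotected.
    """
    problems: List[str] = []
    users = set(security.get("createUsers", []))
    roles = set(security.get("createRole", []))

    for role, members in security.get("roleMap", {}).items():
        if role not in roles:
            problems.append(f"roleMap: role {role!r} is not declared in createRole")
        for user in members:
            if user not in users:
                problems.append(f"roleMap: user {user!r} in role {role!r} is not declared in createUsers")

    for entity, rules in security.get("entities", {}).items():
        for method in HTTP_METHODS:
            if method not in rules:
                problems.append(f"{entity}: no rule for {method}; every verb must be decided explicitly")
        for method, rule in rules.items():
            if method not in HTTP_METHODS:
                problems.append(f"{entity}: unknown HTTP method {method!r}")
                continue
            authn = rule.get("authentification")
            role = rule.get("authorization")
            if authn is None:
                problems.append(f"{entity} {method}: 'authentification' must be set to true or false")
            elif role is not None and authn is not True:
                problems.append(f"{entity} {method}: authorization {role!r} requires authentification: true")
            if role is not None and role not in roles:
                problems.append(f"{entity} {method}: role {role!r} is not declared in createRole")
    return problems


def render_routes(security: dict) -> List[str]:
    """Emit one route DSL line per entity and verb, in HTTP_METHODS order.

    Refuses an inconsistent config outright instead of emitting a partial (and
    possibly unprotected) route table. The path is the entity's simple class
    name in lower case ("org.sebi.Task" -> "/task"), matching the post's line.
    Routes that require authentication but name no role get the plain route plus
    a Java comment, because the post shows the DSL only for role-protected routes.
    """
    problems = validate(security)
    if problems:
        raise ValueError("refusing to scaffold an inconsistent config:\n" + "\n".join(problems))
    lines: List[str] = []
    for entity in sorted(security["entities"]):
        rules = security["entities"][entity]
        clazz = entity.rsplit(".", 1)[-1]
        path = "/" + clazz.lower()
        for method in HTTP_METHODS:
            rule = rules[method]
            role = rule.get("authorization")
            roles_part = f'.roles("{role}")' if role is not None else ""
            line = (f'route().from("{path}"){roles_part}'
                    f".on(RequestMethod.{method}).to({clazz}.class).{HANDLER[method]}();")
            if rule["authentification"] and role is None:
                line += "  // authenticated, no role required"
            lines.append(line)
    return lines


if __name__ == "__main__":
    sec = load_security(SAMPLE_CONFIG)
    for p in validate(sec):
        print("PROBLEM:", p)
    sec["createUsers"][1] = "abstractj"
    sec["entities"]["org.sebi.Task"]["PUT"]["authentification"] = True
    print("\n".join(render_routes(sec)))
```

Run as-is, the script first reports the two problems in the constructed sample, then corrects them and prints the four routes, the last of which is exactly the DELETE line quoted in the message. The point of failing closed in render_routes is that a scaffolding tool which quietly emits routes for a half-specified entity would hand the user an unprotected verb without telling them.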