[aerogear-dev] Security Scaffolding

Sebastien Blanc scm.blanc at gmail.com
Mon Apr 15 08:27:05 EDT 2013 

On Mon, Apr 15, 2013 at 2:05 PM, Bruno Oliveira <bruno at abstractj.org> wrote:

> Hi Sebi, I think this is a good idea, here comes few suggestion:
>
> * Replace create* for the entity only, into a scaffolding domain we assume
> that the user is willing to generate ALL the things. So for example: {
> "security": "users" :["sebi","abtractj"], //1 "role" :["simple","admin"],
> //2 "roleMap"
>
> You mean creating users/role just for a particular entity ? Sorry I think
I did not understand well this remark.

> * generateLoginForm and generateOTPPage. I'd replace by otp: true, login:
> true. Why? In our scenario doesn't exist jsp pages only, but also endpoints
> for it. I'm not specialist in this scaffolding topic, but my idea is: if
> the user specify true generate pages & endpoints, if they don't want jsp
> pages, just delete it.
>

Right, I have this idea just after sending the email, one thing should be
"loginForm":"otp"|"classic"

>
> * Would be nice if we could provide an alternative to specify something
> more general for authentication/authorization, for example (ignore my poor
> scaffolding skills):
>
> https://gist.github.com/abstractj/ed6676b3106929cc23b0. And something
> which allows me to specify the exception, for example: "I want all of my
> endpoints requiring authentication, except the login endpoint.
>

+1, invert the config, let me think on how we could define this in a clear
way

>
> * You probably know about it, but just a reminder. Don't forget about
> configuration files from PicketLink (this would be something nice to be
> scaffolded). Maybe allow devs to specify persistence provider or database?
> For example: I want to use PicketLink with MySQL.
>

+1, you could help me on this by providing me a complete list on the values
and the locations that we could change, this way I can integrate it to the
config.

>
> Overall looks good.
>
Abstractj++ for the feedback !!

>
> --
> "The measure of a man is what he does with power" - Plato
> -
> @abstractj
> -
> Volenti Nihil Difficile
>
>
>
> On Monday, April 15, 2013 at 6:35 AM, Sebastien Blanc wrote:
>
> > Good Morning !
> > I've been thinking about Security Scaffolding. It's a different beast
> than a simple CRUD scaffolding. It'sa bit more difficult to make assumption
> when you want to generate security flows : which http method to protect ?
> using only authentification or also authorization ? etc ...
> >
> > Therefore, I've been thinking of some kind of configuration that the
> user could provide before the scaffolding process. Keeping it really simple
> and "human readable" and that could really speed up setting up the security
> layer :
> >
> >
> > { "security": "createUsers" :["sebi","abtractj"], //1 "createRole"
> :["simple","admin"], //2 "roleMap":
> ["simple":["abstractj","sebi"],"admin":["sebi"]], //3 "generateLoginForm" :
> true, //4 "generateOTPPage" : true, //5 "entities" : { //6 "org.sebi.Task"
> : { "GET": { "authentification" : false }, "POST": { "authentification" :
> true, "authorization" : "simple" }, "PUT": { "authentification" : true,
> "authorization" : "admin" }, "DELETE": { "authentification" : true,
> "authorization" : "admin" } } } }
> >
> > Let me detail each of these points to make the discussion easier :
> >
> > * 1. createUSers : We pass a list of users that we be inserted into the
> db : this will generate or a SQL script or a class creating the users like
> in
> https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java
> > (
> https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java
> )
> >
> > * 2. createAdmin : We pass a list of roles that we be inserted into the
> db : this will generate or a SQL script or a class creating the users like
> in
> https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java
> >
> > * 3. roleMap : We create here an association map between users and roles
> : this will generate or a SQL script or a class creating the users like in
> https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java
> >
> > (
> https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java
> )
> > * 4. generateLoginForm : if true, the UI scaffolding will also generate
> a login form (location and layout depending on the scaffolding provider
> (AngularJS+Bootstrap, AngularJS+JQM) or by providing a custom template
> fragment.
> >
> > * 5. generateOTPPage : if true, the UI scaffolding will also generate a
> OTP page (location and layout depending on the scaffolding provider
> (AngularJS+Bootstrap, AngularJS+JQM) or by providing a custom template
> fragment.
> >
> > * 6. Entities : Here we configure the security flow for each entity per
> HTTP methods. Concretely, this will mean :
> > - On the backend, generate the right route, i.e :
> >
> route().from("/task").roles("admin").on(RequestMethod.DELETE).to(Task.class).delete();
> >
> > - On the frontend, setting the flag or not on a pipe to enable auth.
> Other option are possible, liking hiding links, disabling button depending
> on the authorization/authnetification. We should discuss these options.
> >
> > I think it could be a nice addition, and from the feedback I've heard,
> this kind of feature really misses today in the current scaffolding tools
> regarding security. This could be really a killing feature and not hard to
> implement.
> >
> > Please comment, ask questions to polish the feature !
> >
> > Seb
> >
> >
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org (mailto:aerogear-dev at lists.jboss.org)
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20130415/5416c1d0/attachment-0001.html

More information about the aerogear-dev mailing list