<div dir="ltr">sounds like a nice idea, to add this to our scaffolding; Would safe a lot of time, when starting with a "backend / service" like that;<div><br></div><div style>Pretty cool!</div><div style><br></div>
<div style><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Apr 15, 2013 at 2:38 PM, Bruno Oliveira <span dir="ltr"><<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Monday, April 15, 2013 at 9:27 AM, Sebastien Blanc wrote:<br>
<div class="im">><br>
><br>
><br>
> On Mon, Apr 15, 2013 at 2:05 PM, Bruno Oliveira <<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a> (mailto:<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a>)> wrote:<br>
> > Hi Sebi, I think this is a good idea, here comes few suggestion:<br>
> ><br>
> > * Replace create* for the entity only, into a scaffolding domain we assume that the user is willing to generate ALL the things. So for example: { "security": "users" :["sebi","abtractj"], //1 "role" :["simple","admin"], //2 "roleMap"<br>
> You mean creating users/role just for a particular entity ? Sorry I think I did not understand well this remark.<br>
<br>
</div>Keep the same concept, only renaming the attributes like 'createUsers' to 'users'. (Create is something implicit). Makes sense?<br>
<div class="im">><br>
> > * generateLoginForm and generateOTPPage. I'd replace by otp: true, login: true. Why? In our scenario doesn't exist jsp pages only, but also endpoints for it. I'm not specialist in this scaffolding topic, but my idea is: if the user specify true generate pages & endpoints, if they don't want jsp pages, just delete it.<br>
><br>
><br>
> Right, I have this idea just after sending the email, one thing should be "loginForm":"otp"|"classic"<br>
</div>Maybe "login":"otp"|"default"<br>
<div class="im">><br>
> ><br>
> > * Would be nice if we could provide an alternative to specify something more general for authentication/authorization, for example (ignore my poor scaffolding skills):<br>
> ><br>
> > <a href="https://gist.github.com/abstractj/ed6676b3106929cc23b0" target="_blank">https://gist.github.com/abstractj/ed6676b3106929cc23b0</a>. And something which allows me to specify the exception, for example: "I want all of my endpoints requiring authentication, except the login endpoint.<br>
><br>
> +1, invert the config, let me think on how we could define this in a clear way<br>
> ><br>
> > * You probably know about it, but just a reminder. Don't forget about configuration files from PicketLink (this would be something nice to be scaffolded). Maybe allow devs to specify persistence provider or database? For example: I want to use PicketLink with MySQL.<br>
><br>
> +1, you could help me on this by providing me a complete list on the values and the locations that we could change, this way I can integrate it to the config.<br>
</div>Here comes the config file commented my friend <a href="https://gist.github.com/abstractj/53ce0a9faae482151da2" target="_blank">https://gist.github.com/abstractj/53ce0a9faae482151da2</a><br>
<div><div class="h5">><br>
> ><br>
> > Overall looks good.<br>
> Abstractj++ for the feedback !!<br>
> ><br>
> > --<br>
> > "The measure of a man is what he does with power" - Plato<br>
> > -<br>
> > @abstractj<br>
> > -<br>
> > Volenti Nihil Difficile<br>
> ><br>
> ><br>
> ><br>
> > On Monday, April 15, 2013 at 6:35 AM, Sebastien Blanc wrote:<br>
> ><br>
> > > Good Morning !<br>
> > > I've been thinking about Security Scaffolding. It's a different beast than a simple CRUD scaffolding. It'sa bit more difficult to make assumption when you want to generate security flows : which http method to protect ? using only authentification or also authorization ? etc ...<br>
> > ><br>
> > > Therefore, I've been thinking of some kind of configuration that the user could provide before the scaffolding process. Keeping it really simple and "human readable" and that could really speed up setting up the security layer :<br>
> > ><br>
> > ><br>
> > > { "security": "createUsers" :["sebi","abtractj"], //1 "createRole" :["simple","admin"], //2 "roleMap": ["simple":["abstractj","sebi"],"admin":["sebi"]], //3 "generateLoginForm" : true, //4 "generateOTPPage" : true, //5 "entities" : { //6 "org.sebi.Task" : { "GET": { "authentification" : false }, "POST": { "authentification" : true, "authorization" : "simple" }, "PUT": { "authentification" : true, "authorization" : "admin" }, "DELETE": { "authentification" : true, "authorization" : "admin" } } } }<br>
> > ><br>
> > > Let me detail each of these points to make the discussion easier :<br>
> > ><br>
> > > * 1. createUSers : We pass a list of users that we be inserted into the db : this will generate or a SQL script or a class creating the users like in <a href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java" target="_blank">https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java</a><br>
> > > (<a href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java" target="_blank">https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java</a>)<br>
> > ><br>
> > > * 2. createAdmin : We pass a list of roles that we be inserted into the db : this will generate or a SQL script or a class creating the users like in <a href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java" target="_blank">https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java</a><br>
> > ><br>
> > > * 3. roleMap : We create here an association map between users and roles : this will generate or a SQL script or a class creating the users like in <a href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java" target="_blank">https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java</a><br>
> > ><br>
> > > (<a href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java" target="_blank">https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java</a>)<br>
> > > * 4. generateLoginForm : if true, the UI scaffolding will also generate a login form (location and layout depending on the scaffolding provider (AngularJS+Bootstrap, AngularJS+JQM) or by providing a custom template fragment.<br>
> > ><br>
> > > * 5. generateOTPPage : if true, the UI scaffolding will also generate a OTP page (location and layout depending on the scaffolding provider (AngularJS+Bootstrap, AngularJS+JQM) or by providing a custom template fragment.<br>
> > ><br>
> > > * 6. Entities : Here we configure the security flow for each entity per HTTP methods. Concretely, this will mean :<br>
> > > - On the backend, generate the right route, i.e :<br>
> > > route().from("/task").roles("admin").on(RequestMethod.DELETE).to(Task.class).delete();<br>
> > ><br>
> > > - On the frontend, setting the flag or not on a pipe to enable auth. Other option are possible, liking hiding links, disabling button depending on the authorization/authnetification. We should discuss these options.<br>
> > ><br>
> > > I think it could be a nice addition, and from the feedback I've heard, this kind of feature really misses today in the current scaffolding tools regarding security. This could be really a killing feature and not hard to implement.<br>
> > ><br>
> > > Please comment, ask questions to polish the feature !<br>
> > ><br>
> > > Seb<br>
> > ><br>
> > ><br>
> > > _______________________________________________<br>
> > > aerogear-dev mailing list<br>
</div></div>> > > <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a> (mailto:<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a>) (mailto:<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a>)<br>
<div class="HOEnZb"><div class="h5">> > > <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > aerogear-dev mailing list<br>
> > <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a> (mailto:<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a>)<br>
> > <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
><br>
><br>
> _______________________________________________<br>
> aerogear-dev mailing list<br>
> <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a> (mailto:<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a>)<br>
> <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
<br>
<br>
<br>
_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div>