<div dir="ltr">Good Morning!<div>I&#39;ve been thinking about Security Scaffolding. It&#39;s a different beast than a simple CRUD scaffolding. It&#39;s a bit more difficult to make assumptions when you want to generate security flows: which HTTP method to protect? Using only authentication or also authorization? etc.</div>
<div><br></div>
<div>Therefore, I&#39;ve been thinking of some kind of configuration that the user could provide before the scaffolding process. Keeping it really simple and &quot;human readable&quot;, it could really speed up setting up the security layer:</div>
<div><br></div>
<pre>{
  &quot;security&quot;: {
    &quot;createUsers&quot; : [&quot;sebi&quot;, &quot;abstractj&quot;],                          //1
    &quot;createRole&quot; : [&quot;simple&quot;, &quot;admin&quot;],                             //2
    &quot;roleMap&quot; : {&quot;simple&quot;: [&quot;abstractj&quot;, &quot;sebi&quot;], &quot;admin&quot;: [&quot;sebi&quot;]}, //3
    &quot;generateLoginForm&quot; : true,                                   //4
    &quot;generateOTPPage&quot; : true,                                     //5
    &quot;entities&quot; : {                                                //6
      &quot;org.sebi.Task&quot; : {
        &quot;GET&quot;: {
          &quot;authentification&quot; : false
        },
        &quot;POST&quot;: {
          &quot;authentification&quot; : true,
          &quot;authorization&quot; : &quot;simple&quot;
        },
        &quot;PUT&quot;: {
          &quot;authentification&quot; : true,
          &quot;authorization&quot; : &quot;admin&quot;
        },
        &quot;DELETE&quot;: {
          &quot;authentification&quot; : true,
          &quot;authorization&quot; : &quot;admin&quot;
        }
      }
    }
  }
}</pre>
<div><br></div>
<div>Let me detail each of these points to make the discussion easier:</div>
<div><br></div>
<div> * 1. createUsers: We pass a list of users that will be inserted into the DB: this will generate either a SQL script or a class creating the users like in <a href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java">https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java</a></div>
<div><br></div>
<div> * 2. createRole: We pass a list of roles that will be inserted into the DB: this will generate either a SQL script or a class creating the roles like in <a href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java">https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java</a></div>
<div><br></div>
<div> * 3. roleMap: We create here an association map between users and roles: this will generate either a SQL script or a class creating the associations like in <a href="https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java">https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java</a></div>
<div><br></div>
<div> * 4. generateLoginForm: if true, the UI scaffolding will also generate a login form (location and layout depending on the scaffolding provider (AngularJS+Bootstrap, AngularJS+JQM) or on a custom template fragment).</div>
<div><br></div>
<div> * 5. generateOTPPage: if true, the UI scaffolding will also generate an OTP page (location and layout depending on the scaffolding provider (AngularJS+Bootstrap, AngularJS+JQM) or on a custom template fragment).</div>
<div><br></div>
<div> * 6. entities: Here we configure the security flow for each entity per HTTP method. Concretely, this will mean:</div>
<div>          - On the backend, generate the right route, i.e.:</div>
<pre>route().from(&quot;/task&quot;).roles(&quot;admin&quot;).on(RequestMethod.DELETE).to(Task.class).delete();</pre>
<div>          - On the frontend, setting the flag or not on a pipe to enable auth. Other options are possible, like hiding links or disabling buttons depending on the authorization/authentication. We should discuss these options.</div>
<div><br></div>
<div>I think it could be a nice addition, and from the feedback I&#39;ve heard, this kind of feature is really missing today in the current scaffolding tools regarding security. This could really be a killer feature and not hard to implement.</div>
<div><br></div>
<div>Please comment, ask questions to polish the feature!</div>
<div><br></div>
<div>Seb</div>
</div>