Hi,
So I've worked some more on fine grained security and I've come up with
the following inspired by picket link:
public interface RequestPermissionResolver {
public enum PermissionStatus {
ALLOW, DENY, NOT_APPLICABLE
}
/**
* Tests if the currently authenticated user has permission to 'see' the
specified page request.
*
* @param user the user to validate the pageRequest for
* @param pageRequest The pageRequest for which the permission is required
* @return ALLOW if the current user has the permission DENY or
NOT_APPLICABLE.
*/
PermissionStatus hasPermission(User user, PageRequest pageRequest);
The PageRequest contains the name of the page and the state. By
implementing this interface the user can create logic if he wants to
show the page that is about to get shown to the user or not.
The only problem I have now is what should we do when the user decides
not to show the page? I can see 4 possibilities:
1. Create a message that is shown on the interface somewhere
The problems with this are, what message to show should be translatable
and where / how to show it, must
also be customisable. Could also be helpful as a general error message
framework?
2. Navigate to other page
We could navigate to an other page, with a role SecurityError or
something like that. This will mean the user
has full control of what will be shown when security errors occur.
3. We redirect to the login page
This is kinda strange because one is already logged in and if there is
no message this is not really helping
4. Throw an exception
This is also not really helping as there is no way for the user to do
something at this point.
What do you guys think?
Cheers,
Erik Jan
_______________________________________________
errai-dev mailing list
errai-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/errai-dev