<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Am 11.02.2014 um 14:09 schrieb Claudio Miranda <<a href="mailto:claudio@claudius.com.br">claudio@claudius.com.br</a>>:<br><div><br class="Apple-interchange-newline"><blockquote type="cite">Hi, I plan to add rabc support to picketlink console + extension<br>(<a href="https://github.com/picketlink2/picketlink-console">https://github.com/picketlink2/picketlink-console</a>)<br><br>I read the <a href="https://community.jboss.org/wiki/AccessControlNotes">https://community.jboss.org/wiki/AccessControlNotes</a> pages<br>and docs, I understood they explain about the design of the rbac<br>solution and not how to use it.<br><br>But I would like more guidance related to the code samples and how to<br>protect resources accordingly to the role the user is associated.<br><br>I understand there are two places to protect resources,<br>- management level, protect CLI and GUI operations<br>- GUI protect and hide features from unauthorized users.<br></blockquote><div><br></div><div>For the GUI it's mainly about hiding / disabling UI elements when the user has no sufficient rights. The meta data to decide which UI elements to show / hide are retrieved from related read-resource-description operations. So it's crucial for the console that the RBAC relevant informations are present in the r-r-d operations. </div><br><blockquote type="cite">Should I first protect the management operations, used in management<br>operations, at the extension level ?<br>then proceed to protect the HAL extension ?<br></blockquote><div><br></div><div>Yes, first step is to enrich the management operations to support RBAC. The console will leverage this information (see below)</div><br><blockquote type="cite">I looked into org.jboss.as.console.client.shared.subsys.mail.MailPresenter,<br>how it is used to protect resources, but could not find how the "add",<br>"remove" "enable" buttons are hidden.<br><br>What means the annotation in the code.<br><br> @ProxyCodeSplit<br> @NameToken(NameTokens.MailPresenter)<br> @AccessControl(resources =<br>{"{selected.profile}/subsystem=mail/mail-session=*"})<br> public interface MyProxy extends Proxy<MailPresenter>, Place {}<br><br>Does @AccessControl reads the resource permission and injects some<br>code to HAL understood it needs to protect it ?<br></blockquote><div><br></div><div><div>The @AccessControl annotation defines the set of resources a presenter operates on. In the example it's just a single resource, but you can declare multiple ones. Based on that information, the security framework creates a security context that will be queried when authorization decisions need to be taken on the client side (like showing / hiding buttons). The @AccessControl annotation is processed once when the view is rendered for the first time. At that time read-resource-description operations are executed for the annotated resources. </div><div><br></div><div>There's some more documentation about the security framework at [1]. </div><br></div>[1] <a href="http://hal.github.io/developer/6_security.html">http://hal.github.io/developer/6_security.html</a></div><div><br><blockquote type="cite">If you can provide some guidance, would be very appreciated.<br></blockquote><div><br></div><div>Once the server side setup is complete, you should place the @AccessControl annotations on the Proxy classes in PicketLinks HAL extension. This should give you 80% to 90% completeness. For the fine tuning I would recommend that we have some kind of coding session (irc / hangout). In any case if you have further questions, just ping me!</div><br><blockquote type="cite"><br>Thanks<br>-- <br> Claudio Miranda<br><br><a href="mailto:claudio@claudius.com.br">claudio@claudius.com.br</a><br>http://www.claudius.com.br<br>_______________________________________________<br>wildfly-dev mailing list<br>wildfly-dev@lists.jboss.org<br>https://lists.jboss.org/mailman/listinfo/wildfly-dev<br></blockquote></div><br><div apple-content-edited="true">
---<br>Harald Pehl<br>JBoss by Red Hat<br><a href="http://hpehl.info">http://hpehl.info</a><br>
</div>
<br></body></html>