security in click

dian

security in click

Hello all,

I am still confused about how to implement authentication and authorization in the Click framework.
I have read the Click manual and the best practices, but they don't explain it enough for me.
Can anybody give me a simple template for implementing security in the Click framework?


thx..
bheikamp

Re: security in click

Hi dian,

I use Spring Security in Click; it works quite simply. Add the Spring Security libs to your project and add the following configuration to your web.xml:

<!-- ================================== -->
<!-- Servlet Context Listeners          -->
<!-- ================================== -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- ================================== -->
<!-- CONTEXT PARAMETERS                 -->
<!-- ================================== -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:application-context.xml</param-value>
</context-param>
<!-- Spring Security filter chain, mapped to every request -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


Add the following to your application context, provided that you have a dataSource in your project; this can also be done in Spring by using Hibernate as the persistence layer.

<security:http auto-config="true" access-denied-page="/denied.htm">
    <security:intercept-url pattern="/some_path/*" access="ROLE_ADMINISTRATOR" />
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:form-login login-page="/logon.htm"
                         authentication-failure-url="/logon.htm?login_error=1" />
</security:http>
<security:authentication-provider>
    <security:jdbc-user-service data-source-ref="dataSource"
        authorities-by-username-query="SELECT username,authority FROM authority WHERE username=?"
        users-by-username-query="SELECT username,password,active FROM users WHERE username=?" />
</security:authentication-provider>

Create 2 tables:
  • authority, with a username and an authority; make sure a user has ROLE_ADMINISTRATOR or something like that; by default it has to start with ROLE_,
  • users, with a username, password and active.
Your login page:

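// Imports for Click 2.x; in Click 1.x the packages start with net.sf.click.
// TemplatePage and NextButton are not shown in this post and must be on the classpath.
import org.apache.click.control.Form;
import org.apache.click.control.PasswordField;
import org.apache.click.control.TextField;

public class LogonPage extends TemplatePage {

    public Form form = new Form();

    public LogonPage() {
        setTitle("Loging page");

        // Post the credentials to Spring Security's login-processing URL,
        // not back to this Click page.
        form.setActionURL("j_spring_security_check");
        form.setMethod("post");
        form.setJavaScriptValidation(true);

        // Field names must be j_username / j_password for Spring Security to read them.
        TextField userName = new TextField("j_username");
        userName.setRequired(true);
        userName.setFocus(true);
        userName.setLabel("gebruikersNaam"); // Dutch: "user name"
        form.add(userName);

        PasswordField password = new PasswordField("j_password");
        password.setRequired(true);
        password.setLabel("Wachtwoord"); // Dutch: "password"
        form.add(password);

        form.add(new NextButton("ok", " logon ", this, "onOkClicked"));
    }

    @Override
    public void onInit() {
        super.onInit();
        // Spring Security redirects here with login_error=1 after a failed login.
        // msg is not declared in this post; it must be a field of this page or of TemplatePage.
        if ("1".equals(getParameter("login_error"))) {
            msg = "fout bij aanmelden !"; // Dutch: "error while logging in!"
        }
    }
}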

That's all; this works much more easily than the J2EE implementation.

Good luck

Kind Regards,

Bert Heikamp
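
The intercept-url rules in the post above are Ant-style patterns that are tried in the order listed, and the first match decides. As an added example (not part of the original post, and using a simplified matcher rather than Spring Security's own class), this stand-alone program shows which rule decides for a few constructed request paths: with the rules as posted, with a hypothetical "/some_path/**" variant, and with the catch-all listed first. The class name, the variants and the sample paths are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class InterceptUrlCheck {

    // Simplified Ant-style matcher (an illustration, not Spring's implementation):
    // "?" = one character, "*" = any run inside one path segment,
    // "**" = any run including '/', and a trailing "/**" also matches the bare prefix.
    static Pattern antToRegex(String ant) {
        StringBuilder re = new StringBuilder();
        int i = 0;
        while (i < ant.length()) {
            if (ant.startsWith("/**", i) && i + 3 == ant.length()) {
                re.append("(/.*)?");
                i += 3;
            } else if (ant.startsWith("**", i)) {
                re.append(".*");
                i += 2;
            } else if (ant.charAt(i) == '*') {
                re.append("[^/]*");
                i++;
            } else if (ant.charAt(i) == '?') {
                re.append("[^/]");
                i++;
            } else {
                re.append(Pattern.quote(String.valueOf(ant.charAt(i))));
                i++;
            }
        }
        return Pattern.compile(re.toString());
    }

    // Rules are tried in declaration order; the first matching pattern decides.
    static String decide(Map<String, String> rules, String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (antToRegex(rule.getKey()).matcher(path).matches()) {
                return rule.getValue();
            }
        }
        return "NO_RULE";
    }

    public static void main(String[] args) {
        // The two rules exactly as posted.
        Map<String, String> asPosted = new LinkedHashMap<>();
        asPosted.put("/some_path/*", "ROLE_ADMINISTRATOR");
        asPosted.put("/**", "IS_AUTHENTICATED_ANONYMOUSLY");

        // Hypothetical variant: "**" also covers nested directories.
        Map<String, String> recursive = new LinkedHashMap<>();
        recursive.put("/some_path/**", "ROLE_ADMINISTRATOR");
        recursive.put("/**", "IS_AUTHENTICATED_ANONYMOUSLY");

        // Hypothetical variant: catch-all first, so the admin rule is never reached.
        Map<String, String> catchAllFirst = new LinkedHashMap<>();
        catchAllFirst.put("/**", "IS_AUTHENTICATED_ANONYMOUSLY");
        catchAllFirst.put("/some_path/**", "ROLE_ADMINISTRATOR");

        // Constructed sample request paths.
        String[] paths = {
            "/logon.htm", "/some_path/users.htm", "/some_path/reports/export.htm"
        };
        System.out.printf("%-32s %-30s %-30s %s%n",
                "path", "as posted", "/some_path/**", "catch-all first");
        for (String p : paths) {
            System.out.printf("%-32s %-30s %-30s %s%n", p,
                    decide(asPosted, p), decide(recursive, p), decide(catchAllFirst, p));
        }
    }
}
```

Compare the columns for the nested path: a single "*" stops at the next "/", so any page placed in a subdirectory of the protected area is decided by the catch-all rule instead.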


Bob Schellink-2

Re: security in click

In reply to this post by dian
Hi Dian,

As Bert suggested Spring Security is a good option.

However if you would like to use Servlet security you can run the quick-start template which ships with the Click contribution. The
quick-start generates a small web application which includes Servlet security for two dummy roles: user1 and admin1. To change these roles
you can edit them in your web.xml.

Please see here for more details: http://incubator.apache.org/click/docs/quick-start.html#ant

The docs assume you use Tomcat as your server and an in-memory database for storing users. If you want to use a database instead
you need to edit the Tomcat config file: <tomcat-dir>/conf/server.xml

See this section for details on setting up Tomcat JDBC support: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JDBCRealm

If you have problems let us know.

kind regards

bob



dian

Re: security in click

In reply to this post by bheikamp
hello all,

I'm using Spring Security in my web app. I want to get the role name of the logged-in user to customize the menu display in Click. How do I get the role name value for the user who is logged in?


thx


bheikamp

Re: security in click

Hi,
 
This is how I did it,

#if ($topMenu.isUserInRoles() || $topMenu.isUserInChildMenuRoles() || $topMenu.getRoles().size() == 0)

in the menu.vm and

<menu label="Administrator" path="index.htm" roles="ROLE_SUPER_ADMINISTRATOR">

in the menu.xml

Hope it helps.

Regards,

Bert



dian

Re: security in click

Can we control the menu programmatically, so that I don't have to write menu.xml again and all menu configuration is created automatically by the program?





Malcolm Edgar-2

Re: security in click

I think maintaining menu.xml will be much easier than doing this
programmatically,

regards Malcolm Edgar

On Thu, Jul 2, 2009 at 1:16 PM, dian ruzda<[hidden email]> wrote:

> Can we control the menu programmatically, so that I don't have to write menu.xml
> again and all menu configuration is created automatically by the program?
Bob Schellink-2

Re: security in click

In reply to this post by dian
dian ruzda wrote:
> Can we control the menu programmatically, so that I don't have to write
> menu.xml again and all menu configuration is created automatically by the program?

Use one of the public Menu constructors and set the properties
as needed. For example:

Menu rootMenu = new Menu("rootMenu");
Menu editCustomer = createMenu("Edit Customer", rootMenu);
...


private static Menu createMenu(String label, Menu parent) {
  Menu menu = new Menu();
  menu.setLabel(label);
  menu.setTitle(label);
  parent.getChildren().add(menu);
  return menu;
}


kind regards

bob
aurmam

Re: security in click

you can check my tutorial

http://code.google.com/p/click-cas/wiki/Intro

it is in Click Wiki page