menu based on hasRole (Jsec)

Hi out there, following problem: i´ve a gsp called _menubar  
implemented in all my views:

<jsec:hasRole name="Administrator">
     <span class="menuButton">
         <g:link controller="user" action="list">
                 Manage Users
          </g:link>
     </span>
     ....
</jsec:hasRole>


<jsec:hasRole name="Supervisor">
     ...
</jsec:hasRole>


<jsec:hasRole name="User">
     ...
</jsec:hasRole>

When a user has more than one role it of course doesn´t work  
correctly... I don´t really know how to place this into a <g:if>,  
<g:elseif> branch to avoid duplicated menupoints.

thanks for your hints.

pat.


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

> When a user has more than one role it of course doesn´t work correctly... I
> don´t really know how to place this into a <g:if>, <g:elseif> branch to
> avoid duplicated menupoints.

I will hazard a guess that the following might help you:

  <jsec:hasRole in="['Administrator', 'Supervisor', 'User']">
      <span class="menuButton">
       <g:link controller="user" action="list">
               Manage Users
        </g:link>
      </span>
  </jsec:hasRole>

Cheers,

Peter

--
Software Engineer
G2One, Inc.
http://www.g2one.com/

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Yeah, this is an Idea. But something like hasRole name="Administrator"  
AND hasRole name="Supervisor". For example, Manage Users points to  
different actions, depending on the Role. I´m sure, i´ll find a  
solution.

Thanks Peter!

On Oct 2, 2008, at 2:45 PM, Peter Ledbrook wrote:


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

> Yeah, this is an Idea. But something like hasRole name="Administrator" AND
> hasRole name="Supervisor". For example, Manage Users points to different
> actions, depending on the Role. I´m sure, i´ll find a solution.

  <g:if test="${SecurityUtils.subject.hasAllRoles(['Administrator',
'Supervisor'])}">
     ...
  </g:if>

If you want a <jsec:hasAllRoles/> tag, please raise an issue. You
could also use the current JsecTagLib.hasRole tag as the basis for the
new tag if you don't mind creating it yourself.

Cheers,

Peter

--
Software Engineer
G2One, Inc.
http://www.g2one.com/

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Peter, thanks for this!

On Oct 2, 2008, at 5:31 PM, Peter Ledbrook wrote:


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

>  <g:if test="${SecurityUtils.subject.hasAllRoles(['Administrator',
> 'Supervisor'])}">
>     ...
>  </g:if>

this doesn´t work for me. Following doesn´t work too:

<g:if test="${SecurityUtils.subject.hasRole('Supervisor')}">
...
</gif>

Ideas?


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Patricia Montag wrote:
Just to be sure... you have a typo in the closing tag (no colon after g).
It should read </g:if>.

>> If you want a <jsec:hasAllRoles/> tag, please raise an issue. You
>> could also use the current JsecTagLib.hasRole tag as the basis for the
>> new tag if you don't mind creating it yourself.

Maybe if I feel like it, I'll have a look at that tomorrow. I need to
update to the latest version of the plugin anyway.

If I ever manage to come up with something reasonable, I'll raise an
issue and attach the patch.

Cheers,
DJ
--
Daniel J. Lauk

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

No, no typo in the original .gsp ;-)

i raised an issue today: http://jira.codehaus.org/browse/GRAILSPLUGINS-523

On Oct 6, 2008, at 5:14 PM, Daniel J. Lauk wrote:


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

I gave it a try and implemented the tags

* hasAllRoles
* hasAnyRole
* lacksAllRoles
* lacksAnyRole

which correspond to the logic operations AND, OR and their inversions.
The patch is attached to the JIRA issue:
http://jira.codehaus.org/browse/GRAILSPLUGINS-523

I tested it with a simple mini application, because I had no idea, how
to unit test the tag lib.

HTH!

Cheers,
DJ

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Thanks for this, Daniel! I tried to get the following working:

<g:if test="${SecurityUtils.subject.hasAllRoles(['Administrator',  
'Supervisor', 'User'])}">
....
</g:if>

Throws a Null-Pointer Exception. What do i have to pay attention to  
before using this?

thanks pat.



On Oct 10, 2008, at 12:02 PM, Daniel J. Lauk wrote:


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

> Thanks for this, Daniel! I tried to get the following working:
>
> <g:if test="${SecurityUtils.subject.hasAllRoles(['Administrator',
> 'Supervisor', 'User'])}">
> ....
> </g:if>
>
> Throws a Null-Pointer Exception. What do i have to pay attention to before
> using this?

Have you tried version 0.3 of the plugin? That include Daniel's tags
so you can use:

  <jsec:hasAllRoles in="['Administrator', 'Supervisor', 'User']">
      ...
  </jsec:hasAllRoles>

Cheers,

Peter

--
Software Engineer
G2One, Inc.
http://www.g2one.com/

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Hey, Pat.

You should use the new Tags ;-) like this:

<jsec:hasAllRoles in="['Administrator', 'Supervisor', 'User']"> ... </jsec:hasAllRoles>

Just for the records:
The NullPointerException happens, because the GSP processing looks at the name "SecurityUtils" and finds no declaration and therefore expects it to be a variable name used in the model passed to the GSP. As this variable is not set in the model, it throws an NPE.
If you wanted to use this style of code, you'd have to either do an import of the name (or namespace) or use the full qualified class name like this:

<g:if test="${org.jsecurity.SecurityUtils.subject.hasAllRoles(['Administrator',
'Supervisor', 'User'])}">

HTH

Cheers,
DJ
--
Daniel J. Lauk

 
-----Ursprüngliche Nachricht-----
Von: Patricia Montag [mailto:[hidden email]]
Gesendet: Dienstag, 14. Oktober 2008 15:16
An: [hidden email]
Betreff: Re: [grails-user] menu based on hasRole (Jsec)

Thanks for this, Daniel! I tried to get the following working:

<g:if test="${SecurityUtils.subject.hasAllRoles(['Administrator',
'Supervisor', 'User'])}">
....
</g:if>

Throws a Null-Pointer Exception. What do i have to pay attention to before using this?

thanks pat.



On Oct 10, 2008, at 12:02 PM, Daniel J. Lauk wrote:


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email



---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

yes, i´ve already installed version 0.3. i´ll describe what i need,  
perhaps i´ve just a blocker in my mind :-)

three roles, Administrator, Supervisor, User

There can be 7 different situations:

* Administrator && Supervisor && User
* Administrator && Supervisor
* Administrator && User
* Administrator
* Supverisor && User
* Supervisor
* User

The menu should differ based on the roles. so i tried to use the  
following:

<jsec:hasAllRoles in="['Administrator','Supervisor','User']">
....
</jsec:hasAllRoles>

<jsec:hasAllRoles in="['Administrator','Supervisor']">
....
</jsec:hasAllRoles>

and so on....

so, the menu get displayed several times, because both are true if a  
user has all three roles.... thats why i thought of using the <g:if>  
tag.

ideas?

---------------------
Spreadshirt IT


sprd.net AG
Gießerstraße 27
04229 Leipzig
Germany


Vorstand/Managing Directors: Jana Eggers (Vorsitzende/CEO), Matthias  
C. Spiess, Andreas Schroeteler

Aufsichtsratsvorsitzender/Chairman of the Board: Lukasz Gadowski

Handelsregister/Trade Register: Amtsgericht Leipzig, HRB 22478

Umsatzsteuer-IdentNummer/VAT-ID: DE 8138 7149 4









On Oct 14, 2008, at 3:34 PM, Peter Ledbrook wrote:


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

How do the menus map to the roles? Without that info, it's a bit
difficult to say what the best approach is. You may even be better of
with a permissions-based approach.

Cheers,

Peter

--
Software Engineer
G2One, Inc.
http://www.g2one.com/

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Hello, Pat.

I would suggest you rethink your navigation concept:
Instead of basing the navigation on the roles, base it on the
functionality and restrict the functionality according to the roles.

Anyway, you can do what you asked for. Instead of nesting if and else
tags you can use nested hasAllRoles and lacksAnyRole tags.
But beware, this will definitely get messy!
3 roles yield 8 possible combinations, which in turn will yield 7
conditions to distinguish between them, no matter how you arrange them.
If you add another role to the setup... Oh dear!

Nevertheless, here the basic nesting pattern:

<jsec:hasAllRoles in="['Administrator', 'Supervisor', 'User']">

...

</jsec:hasAllRoles>
<jsec:lacksAnyRole in="['Administrator', 'Supervisor', 'User']">

  <jsec:hasAllRoles in="['Administrator', 'Supervisor']">

  ...

  </jsec:hasAllRoles>
  <jsec:lacksAnyRole in="['Administrator', 'Supervisor']">

    <jsec:hasAllRoles in="['Administrator', 'User']">

    ...

    </jsec:hasAllRoles>
    <jsec:lacksAnyRole in="['Administrator', 'User']">

    and so on... even more nesting!

    </jsec:lacksAnyRole>

  </jsec:lacksAnyRole>

</jsec:lacksAnyRole>

Cheers,
DJ
--
Daniel J. Lauk

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Daniel and Pat,

On Tue, Oct 14, 2008 at 11:16 AM, Lauk Daniel <[hidden email]> wrote:
> Hello, Pat.
>
> I would suggest you rethink your navigation concept:
> Instead of basing the navigation on the roles, base it on the
> functionality and restrict the functionality according to the roles.

Daniel surfaces excellent points.  Permissions were created for this
very purpose.  If/Else logic based on roles can become extremely
cumbersome, even when the application only has 2 or 3 roles, as Daniel
pointed out.  The combinations get quite messy very quickly.  I'll
elaborate for Pat:

Roles are a coarse-grained concept and are only an _implicit_
indication of who can do what, based on what you define arbitrarily in
code.  For example,

if ( subject.hasRole("Administrator") ) {
    //show the "manage users" link.
}

This is just an arbitrary definition just because of the nature of
your application's business logic or requirements.

But what does this code really say?  What are we trying to enforce?

We are trying to say "if the current user has the ability (permission)
to manage users, show them the link".  That is an explicit statement
that can better be reflected by permissions.  Consider this example:

if ( subject.hasPermission( "user:update" ) ) {
  //show the "manage users" link.
}

Permissions describe raw functionality at the most basic level.  They
describe the 'what' the user can do in the application rather than
arbitrary code blocks attributed to roles.

You then assign 'what' a person can do by assigning one or more
permissions to any role.  Then you assign roles to users.  Your
JSecurity Realm checks for the permissions across all of a user's
assigned roles.

So, you would considerably clean up your if/else permutations if you
used a permission check instead of role checks.  This is because the
"Administrator" and "Supervisor" roles would probably both be assigned
the "user:update" permission, so you'd only have one permission check,
instead of many permutations.

Another side benefit of Permissions is that their definitions change
only when the application's raw functionality changes - this allows
you to create/delete/assign roles at runtime (if your business sees
that as desirable) instead of hard-coding role names in code.  That
is, it is much 'safer' to hard-code permission checks rather than role
checks.

Cheers,

Les

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Les, Peter,

thank you once again very helpful additions to the discussion. :-)
I considered using permissions instead of roles for my own project, but
unfortunately I failed on getting it to work. I.e. I think it will
improve the clean structuring of my instance level security a lot.

I am sorry, if I overlooked anything obvious in the docs.

Cheers,
DJ
--
Daniel J. Lauk

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

> thank you once again very helpful additions to the discussion. :-)
> I considered using permissions instead of roles for my own project, but
> unfortunately I failed on getting it to work. I.e. I think it will
> improve the clean structuring of my instance level security a lot.
>
> I am sorry, if I overlooked anything obvious in the docs.

I'm planning to cover the more advanced aspects of JSecurity
(particularly permissions) in a forthcoming London GGUG. The talk
should be recorded, so that will add a bit more "documentation" for
the plugin. I'll provide a link once it's ready.

Do you remember what specific issues you had with permissions? They
have become much easier to use since the introduction of string-based
permissions, but the documentation for their use is non-existent as
far as the plugin goes.

Cheers,

Peter

--
Software Engineer
G2One, Inc.
http://www.g2one.com/

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Peter, thanks for your fast reply.

I don't exactly remember, what problems I had. But don't worry, it's
sure a personal being-verwhelmed-by-the-new scenario that caught me.
I remember that I felt pretty lost in the JEE world coming from CGI and
PHP, and Grails convention over configuration paradigm helped a lot, but
as soon as my requirements exceeded default well-documented scenarios I
had some trouble.
So that's why I stuck to the (IMHO) easier to grasp role based approach,
which worked pretty well so far.

By now I feel comfortable enough to get a grasp of what's going on from
the sources, so I'll just have to give it another try. If time allows
for it, I'll add to the wiki.

Anyway, one thing that just didn't completely fit into my head:
AFAIK the plugin comes with a default permission class and this class is
agnostic to instance level security.
How would I implement my own instance level aware permission class(es)?
Where would/should the files go?
Would they work with the <jsec:hasPermission > tags automatically?

Thanks for your patience.

Cheers,
DJ
--
Daniel J. Lauk

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email