Security in activeweb


Bagus Arianto

Sep 28, 2014, 2:43:38 PM
to acti...@googlegroups.com
Hello Igor,
I've tried to implement a security filter in ActiveWeb. I also tried to find an example in this group, but didn't find any. Is there any example of how to write a login method in ActiveWeb and then use the session for user authentication with HttpSupportFilter?
I think it's an important feature that needs to be explained with a code example (at least a basic one), because when I spread the word about ActiveWeb, people ask me about security. Personally I answer that question with an Apache Shiro or Spring Security implementation, but do we have any standard security procedure in ActiveWeb? Like how to log in, how to log out, how to authorize, and so on.

Thanks, and sorry for my bad English :D

Igor Polevoy

Sep 29, 2014, 3:45:00 AM
to acti...@googlegroups.com
Hi, Bagus. 

ActiveWeb makes things like that so easy that I created a sample app with a login built in.

The basics are simple:
1. Create an annotation (this is just a marker):

2. Create a login controller:

Obviously you need to provide your own authentication logic there :)

3. Create an authentication filter:


4. Register this filter for all controllers:


This setup only needs to be done once.

At this point, for every controller that needs to be protected, just use the @Protected annotation:


So, every time you need to protect a controller with a login, just add the @Protected annotation to it.

If all you need is login authentication to protect some pages (private site), you do not need any external frameworks like Spring or others. 

tx
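The code samples that went with Igor's four steps did not survive extraction. What follows is an added example written for this page, not Igor's sample app and not ActiveWeb project code, showing one way to wire those steps together on the ActiveWeb 1.x API (AppController, HttpSupportFilter, AbstractControllerConfig). It assumes an ActiveJDBC User model with a hypothetical static User.authenticate(username, password) that returns null on bad credentials, a HomeController as the post-login landing page, and remove()/invalidate() on ActiveWeb's session facade. Each type shown would live in its own file.

```java
// ---- app/controllers/Protected.java ----
// Step 1: a marker annotation. Class-level only: putting it on action methods
// triggers the HttpMethod.valueOf() failure discussed later in this thread
// (ActiveWeb 1.11-SNAPSHOT).
package app.controllers;

import java.lang.annotation.*;

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@Inherited
public @interface Protected {}

// ---- app/controllers/LoginController.java ----
// Step 2: the login controller. Credential checking is delegated to the
// assumed User.authenticate(), which must verify a salted password hash.
package app.controllers;

import app.models.User;
import org.javalite.activeweb.AppController;
import org.javalite.activeweb.annotations.POST;

public class LoginController extends AppController {

    // GET /login : renders views/login/index.ftl (the form itself is not shown)
    public void index() {}

    // POST /login/create : establish the session on success
    @POST
    public void create() {
        User user = User.authenticate(param("username"), param("password")); // assumed helper
        if (user == null) {
            // Same message whether the user is unknown or the password is wrong.
            flash("message", "Invalid username or password");
            redirect(LoginController.class);
            return;
        }
        session("user", user); // the filter below keys off this attribute
        // Only bounce back to a URI we recorded ourselves in the filter, never to a
        // request parameter: an attacker-supplied target would be an open redirect.
        String returnTo = (String) session("return_to");
        if (returnTo != null) {
            session().remove("return_to");   // assumed: SessionFacade.remove()
            redirect(returnTo);
        } else {
            redirect(HomeController.class);  // assumed landing page
        }
    }

    // GET /login/logout : drop the whole session, not just the "user" attribute
    public void logout() {
        session().invalidate();              // assumed: SessionFacade.invalidate()
        redirect(LoginController.class);
    }
}

// ---- app/controllers/AuthenticationFilter.java ----
// Step 3: the filter. Runs before every action but only acts on @Protected controllers.
package app.controllers;

import org.javalite.activeweb.controller_filters.HttpSupportFilter;

public class AuthenticationFilter extends HttpSupportFilter {
    @Override
    public void before() {
        Class<?> controller = getRoute().getController().getClass();
        if (controller.isAnnotationPresent(Protected.class) && session("user") == null) {
            session("return_to", uri());       // our own request URI, safe to return to
            redirect(LoginController.class);   // a redirect in before() skips the action
        }
    }
}

// ---- app/config/AppControllerConfig.java ----
// Step 4: register the filter for all controllers (ActiveWeb loads this class by name).
package app.config;

import app.controllers.AuthenticationFilter;
import org.javalite.activeweb.AbstractControllerConfig;
import org.javalite.activeweb.AppContext;

public class AppControllerConfig extends AbstractControllerConfig {
    @Override
    public void init(AppContext context) {
        addGlobalFilters(new AuthenticationFilter());
    }
}

// ---- app/controllers/SecretController.java ----
// From here on, protecting a controller is one annotation.
package app.controllers;

import org.javalite.activeweb.AppController;

@Protected
public class SecretController extends AppController {
    public void index() { /* only reachable with a "user" in the session */ }
}
```

Two points worth checking in your own version: the filter must be global (or at least registered for every controller you annotate), since a @Protected controller that the filter never sees is silently public; and logout should invalidate the servlet session rather than only removing the "user" attribute, so that nothing else cached in that session outlives the login.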

Nanang Suryadi

Sep 29, 2014, 4:01:41 AM
to acti...@googlegroups.com
Awesome example, Igor.
Just a bit; I was looking for it.

That's what I need.

Thanks for the example.


Bagus Arianto

Sep 29, 2014, 9:56:09 AM
to acti...@googlegroups.com
Thanks, Mr. Igor.

Erwin Yonathan

Nov 28, 2014, 4:56:41 AM
to acti...@googlegroups.com
Hi Igor,
Can we also create user role-based authentication, just like in Spring or others?
How can we protect our controllers based on the user session and the active roles of the logged-in user?
Thanks

Igor Polevoy

Nov 28, 2014, 11:17:43 AM
to acti...@googlegroups.com
Erwin, the whole idea of ActiveWeb is to be lightweight and easy to use, unlike Spring, so adding built-in role-based authentication is not on the plan.
However, it is really easy to add to the secure app I wrote about before.

For instance, you can do the following: 

1. Create a table called ROLES with the following structure:

* role_name (varchar)

2. Create a table called PATHS with the following structure: 

* controller_name
* action_name
* role_id

3. Assuming that you have a table called USERS (or similar), add column to this table: 

* role_id

At this point, you have defined that "a role has many users" and "a role has many paths".

4. Add a bit of code to your authorization filter (or write a new filter).


The code will look like this:

Route route = getRoute();
User user = (User) session("user");
Role role = user.getRole(); // alternatively, cache this in the session to save an extra database trip

if (!role.hasRoute(route)) {
    redirect(elsewhere);
}

The implementation of hasRoute() will look like this:

public class Role {
    public boolean hasRoute(Route route) {
        return Path.count("controller_name = ? and action_name = ? and role_id = ?",
                route.getController().getClass().getName(), route.getActionName(), getId()) > 0;
    }
}


You can even make it more elegant by wrapping this code into something like this: 

if (!user.canAccessRoute(route)) {
    redirect(elsewhere);
}

At this point, all you need is to add records to the PATHS table and relate users to roles. If your users need to be in multiple roles, use a many-to-many relationship between USERS and ROLES.

As you can see, you can implement role-based authorization in 20 minutes or so, and there is absolutely no need to add "authorization support like Spring" to the framework!

I hope this helps 
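The sketch above, carried through as an added example for this page (not Igor's code and not part of ActiveWeb or ActiveJDBC): the three ActiveJDBC models over the ROLES, PATHS and USERS tables he describes, and an authorization filter that uses them. It assumes ActiveJDBC's @Table, @BelongsTo and Model.parent() as of the 1.x line, a role_id column on USERS, the LoginController and session("user") convention from the login example earlier in the thread, and respond(...).status(...) on ActiveWeb's HttpSupport. Each type would live in its own file.

```java
// ---- app/models/Path.java ----
package app.models;

import org.javalite.activejdbc.Model;
import org.javalite.activejdbc.annotations.Table;

// One row per (controller, action) a role may call. The table name is given
// explicitly so ActiveJDBC does not infer it from the class name.
@Table("PATHS")
public class Path extends Model {}

// ---- app/models/Role.java ----
package app.models;

import org.javalite.activejdbc.Model;
import org.javalite.activeweb.Route;

public class Role extends Model {
    // Controller names are stored as fully qualified class names
    // (e.g. app.controllers.AdminController), so renaming a controller
    // revokes access until PATHS is updated instead of silently granting it.
    public boolean hasRoute(Route route) {
        String controllerName = route.getController().getClass().getName();
        return Path.count("controller_name = ? and action_name = ? and role_id = ?",
                controllerName, route.getActionName(), getId()) > 0;
    }
}

// ---- app/models/User.java ----
package app.models;

import org.javalite.activejdbc.Model;
import org.javalite.activejdbc.annotations.BelongsTo;
import org.javalite.activeweb.Route;

@BelongsTo(parent = Role.class, foreignKeyName = "role_id")
public class User extends Model {
    // Wraps the role lookup as Igor suggests. parent() costs one query per
    // request; caching the Role in the session avoids it, at the price that a
    // changed role only takes effect at the user's next login.
    public boolean canAccessRoute(Route route) {
        Role role = parent(Role.class);
        return role != null && role.hasRoute(route);
    }
}

// ---- app/controllers/AuthorizationFilter.java ----
package app.controllers;

import app.models.User;
import org.javalite.activeweb.controller_filters.HttpSupportFilter;

// Register after the authentication filter and only on controllers that have
// PATHS rows, e.g. in AppControllerConfig.init():
//   add(new AuthorizationFilter()).to(AdminController.class, ReportsController.class);
public class AuthorizationFilter extends HttpSupportFilter {
    @Override
    public void before() {
        User user = (User) session("user");
        if (user == null) {
            // Not logged in: fail closed even if the authentication filter was
            // not registered for this controller.
            redirect(LoginController.class);
            return;
        }
        if (!user.canAccessRoute(getRoute())) {
            // Logged in but not permitted: answer 403 rather than bouncing to
            // the login page, which would loop for an authenticated user.
            respond("Forbidden").status(403).contentType("text/plain");
        }
    }
}
```

The useful property of this design is that it denies by default: a (controller, action) pair with no PATHS row has count 0 and is refused, so adding a new action to a protected controller requires an explicit grant. The flip side is operational: every deployment that adds an action also has to add the matching PATHS rows, and the controller_name column must hold the fully qualified class name exactly as getClass().getName() returns it.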

Partha

Dec 19, 2014, 11:09:54 AM
to acti...@googlegroups.com
Hello Igor,

This works fine for controller authentication, but if we want to extend this as a method annotation by adding ElementType.METHOD, it throws the error below:

No enum constant org.javalite.activeweb.HttpMethod.Protected

How should I handle this?

Thanks

Igor Polevoy

Dec 19, 2014, 2:21:50 PM
to acti...@googlegroups.com
Partha, not sure I follow your question. 
However, the example I provided is just an idea for implementation of security. You can create your own annotations and extend the filter to check controllers, actions and routes if you like. 

Thanks

Partha

Dec 23, 2014, 2:04:56 AM
to acti...@googlegroups.com
Hello Igor,

I have checked again; controller methods do not accept any custom annotation other than GET, POST, PUT, DELETE and HEAD. Is this intentional?

Thanks

Igor Polevoy

Dec 23, 2014, 2:14:04 AM
to acti...@googlegroups.com
Partha, you may not have specified your annotation correctly.
Ensure you can add it to methods as well as classes:

@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE,ElementType.FIELD})
@Inherited
public @interface Protected {}


... or you can use completely different annotations for controllers and actions.

tx

Igor Polevoy

Dec 23, 2014, 2:14:36 AM
to acti...@googlegroups.com
Corrections in code: 

@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE,ElementType.METHOD})
@Inherited
public @interface Protected {}

Partha

Dec 23, 2014, 8:22:24 AM
to acti...@googlegroups.com
Hello Igor,

Exactly the same code:

package app.controllers.authorization;

import java.lang.annotation.*;

/**
* Annotation for controllers that need to be protected by password
*/
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@Inherited
public @interface Protected {}




18:47:23.511 [qtp793986732-33] ERROR o.j.activeweb.RequestDispatcher - ActiveWeb ERROR:
Request URL: http://localhost:8080/accel/base/home/dashboard
ContextPath: /accel
Query String: null
URI Full Path: /accel/base/home/dashboard
URI Path: /base/home/dashboard
Method: GET
java.lang.IllegalArgumentException: No enum constant org.javalite.activeweb.HttpMethod.Protected
    at java.lang.Enum.valueOf(Enum.java:236) ~[na:1.7.0_55]
    at org.javalite.activeweb.HttpMethod.valueOf(HttpMethod.java:26) ~[activeweb-1.11-SNAPSHOT.jar:na]
    at org.javalite.activeweb.AppController.allowedActions(AppController.java:203) ~[activeweb-1.11-SNAPSHOT.jar:na]
    at org.javalite.activeweb.AppController.standardActionSupportsHttpMethod(AppController.java:185) ~[activeweb-1.11-SNAPSHOT.jar:na]
    at org.javalite.activeweb.AppController.actionSupportsHttpMethod(AppController.java:180) ~[activeweb-1.11-SNAPSHOT.jar:na]
    at org.javalite.activeweb.ControllerRunner.checkActionMethod(ControllerRunner.java:191) ~[activeweb-1.11-SNAPSHOT.jar:na]
    at org.javalite.activeweb.ControllerRunner.run(ControllerRunner.java:56) ~[activeweb-1.11-SNAPSHOT.jar:na]
    at org.javalite.activeweb.RequestDispatcher.doFilter(RequestDispatcher.java:202) ~[activeweb-1.11-SNAPSHOT.jar:na]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1645) [jetty-servlet-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:564) [jetty-servlet-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [jetty-server-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578) [jetty-security-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221) [jetty-server-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1111) [jetty-server-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:498) [jetty-servlet-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183) [jetty-server-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1045) [jetty-server-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:199) [jetty-server-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109) [jetty-server-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:98) [jetty-server-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.server.Server.handle(Server.java:461) [jetty-server-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:284) [jetty-server-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:244) [jetty-server-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:534) [jetty-io-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:607) [jetty-util-9.2.1.v20140609.jar:9.2.1.v20140609]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:536) [jetty-util-9.2.1.v20140609.jar:9.2.1.v20140609]
    at java.lang.Thread.run(Thread.java:745) [na:1.7.0_55]

Not sure what I am doing wrong!

Igor Polevoy

Dec 23, 2014, 11:08:50 AM
to acti...@googlegroups.com
Partha, it looks like this is a bug: https://github.com/javalite/activeweb/issues/193

We will fix it in a day or two, but you can check by action name in your filter as a temporary workaround:


   getRoute().getActionName()

Thanks
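One way to act on Igor's workaround, as an added example for this page (not Igor's code and not part of ActiveWeb): keep the annotation class-level, so AppController.allowedActions() never sees a non-HttpMethod annotation on an action method, but let the annotation carry the names of the actions that need a login, and compare them against getRoute().getActionName() in the filter. It assumes the LoginController and session("user") convention from the login example earlier in the thread and that Route.getActionName() returns the Java method name of the action. Each type would live in its own file.

```java
// ---- app/controllers/Protected.java ----
package app.controllers;

import java.lang.annotation.*;

// Class-level only: ElementType.METHOD is deliberately absent, which is what
// keeps the HttpMethod.valueOf() failure in the trace above from occurring.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@Inherited
public @interface Protected {
    // Action names that need a login; an empty list protects every action.
    String[] actions() default {};
}

// ---- app/controllers/HomeController.java ----
package app.controllers;

import org.javalite.activeweb.AppController;

@Protected(actions = {"dashboard", "settings"})
public class HomeController extends AppController {
    public void index() {}      // public landing page
    public void dashboard() {}  // login required
    public void settings() {}   // login required
}

// ---- app/controllers/ActionAuthenticationFilter.java ----
package app.controllers;

import java.util.Arrays;
import org.javalite.activeweb.controller_filters.HttpSupportFilter;

public class ActionAuthenticationFilter extends HttpSupportFilter {

    // Kept as a plain static method so it can be unit-tested without a request:
    // requiresLogin(HomeController.class, "dashboard") -> true
    // requiresLogin(HomeController.class, "index")     -> false
    static boolean requiresLogin(Class<?> controller, String action) {
        Protected p = controller.getAnnotation(Protected.class); // @Inherited: subclasses count
        if (p == null) {
            return false;
        }
        return p.actions().length == 0 || Arrays.asList(p.actions()).contains(action);
    }

    @Override
    public void before() {
        Class<?> controller = getRoute().getController().getClass();
        if (requiresLogin(controller, getRoute().getActionName()) && session("user") == null) {
            redirect(LoginController.class); // a redirect in before() skips the action
        }
    }
}
```

Listing protected actions by name trades one risk for another: a new action added to HomeController is public until someone adds it to the list. If most actions in a controller need a login, prefer the empty list (protect everything) and move the few public actions to a separate, unannotated controller.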