11. Security

Using the Identity Component (Seam)

The Seam identity component can be called from the global Tide context and is fully integrated with the Flex RemoteObject security. This provides end-to-end security from the Flex client to the server component.

public function login(username:String, password:String):void {
    tideContext.identity.username = username;
    tideContext.identity.password = password;
    tideContext.identity.login(loginResult, loginFault);
}

private function loginResult(event:TideResultEvent):void {
    Alert.show(event.context.messages.getItemAt(0).summary);
}

private function loginFault(event:TideFaultEvent):void {
    Alert.show(event.context.messages.getItemAt(0).summary);
}


Integration with Seam 2.1 Authorization

Seam 2.1 provides a rich authorization model. Tide lets you use it from Flex and provides equivalents of s:hasRole and s:hasPermission that can be used on MXML components:

<mx:DataGrid id="dg" dataProvider="{products}">
    <mx:DataGridColumn dataField="name"/>
</mx:DataGrid>

<mx:Button id="bUpdate" label="Update"
    enabled="{dg.selectedItem}"
    visible="{identity.hasRole('admin')}"
    click="updateProduct()"/>
<mx:Button id="bDelete" label="Delete"
    enabled="{dg.selectedItem}"
    visible="{identity.hasPermission(dg.selectedItem, 'delete')}"
    click="deleteProduct()"/>

In this example, the Update button is visible only if the currently logged-in user has the 'admin' role, and the Delete button is visible only when the user is allowed to delete the product selected in the DataGrid.

hasRole() and hasPermission() both issue remote calls to determine whether the current user has the required access rights, and then cache those authorizations until the user logs out. If a security requirement calls for a shorter caching duration, you can set up a Timer and call identity.clearSecurityCache() periodically.

Identity.hasRole() and Identity.hasPermission() can also be used programmatically. Because the value may be retrieved asynchronously, the value returned by these methods is not reliable unless it is already in the cache; in particular, they return false while the value has not been fetched yet. The correct way of handling this is to pass a result handler function:

public function canDelete(product:Product):void {
    identity.hasPermission(product, 'delete', canDeleteResult);
}

private function canDeleteResult(event:TideResultEvent, 
    product:Product, action:String):void {
    if (!event.result)
        Alert.show("You cannot delete the product " + product.name);
}

The result handler for hasRole receives the roleName as second argument.
The result handler for hasPermission receives target and action as second and third arguments.
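The following is an added example, not code from the GraniteDS documentation, contrasting the unreliable synchronous use of hasRole() with the result-handler form described above. It assumes tideContext is the Tide context used in the login example, that tideContext.identity is the Seam Identity component (org.granite.tide.seam.security.Identity), that hasRole() accepts an optional fault handler after the result handler, and that Product and productService are hypothetical application types.

```actionscript
// Added example (not from the GraniteDS docs): gate a sensitive action on the
// asynchronous authorization answer, not on the synchronous return value.
// Assumptions: tideContext is the Tide context; tideContext.identity is the
// Seam Identity component; productService and Product are hypothetical.
import mx.controls.Alert;
import org.granite.tide.events.TideResultEvent;
import org.granite.tide.events.TideFaultEvent;

private var pendingProduct:Product;

// WRONG: the synchronous return is only accurate once the value is cached.
// Before the first remote round-trip it is false, so a legitimate admin is
// silently refused until the cache is warm; after a role change it can stay
// stale until clearSecurityCache() is called.
public function deleteProductNaive(product:Product):void {
    if (tideContext.identity.hasRole('admin'))
        productService.remove(product);   // hypothetical remote component
}

// RIGHT: pass a result handler and act only once the server has answered.
public function deleteProduct(product:Product):void {
    pendingProduct = product;
    tideContext.identity.hasRole('admin', hasRoleResult, hasRoleFault);
}

// The second argument is the roleName the check was issued for.
private function hasRoleResult(event:TideResultEvent, roleName:String):void {
    if (event.result)
        productService.remove(pendingProduct);
    else
        Alert.show("Role '" + roleName + "' is required to delete products");
    pendingProduct = null;
}

// A failed authorization call is treated as a denial, never as a grant.
// (Assumed: hasRole() accepts a fault handler as its third argument.)
private function hasRoleFault(event:TideFaultEvent):void {
    Alert.show("Could not verify role: " + event.fault.faultString);
    pendingProduct = null;
}
```

Whichever form is used, hasRole() and hasPermission() only shape what the Flex client shows and attempts; the Seam component invoked by the remote call is where the operation is actually restricted, so the client check is a usability measure rather than the access control itself.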

Using the Identity Component (Spring, EJB, CDI)

There is no server-side identity component in Spring, EJB or CDI, but there is a Tide identity client component which integrates the Flex RemoteObject security with the server security in each case.

public function login(username:String, password:String):void {
    tideContext.identity.login(username, password, loginResult, loginFault);
}

private function loginResult(event:TideResultEvent):void {
    Alert.show(event.context.identity.loggedIn);
}

private function loginFault(event:TideFaultEvent):void {
    Alert.show(event.fault);
}


Integration with Spring security authorizations

The Tide Identity component provides equivalents of the Spring Security JSP tags sec:ifAllGranted, sec:ifAnyGranted, sec:ifNotGranted and sec:hasPermission that can be used on MXML components:

<mx:DataGrid id="dg" dataProvider="{products}">
    <mx:DataGridColumn dataField="name"/>
</mx:DataGrid>

<mx:Button id="bUpdate" label="Update"
    enabled="{dg.selectedItem}"
    visible="{identity.ifAllGranted('ROLE_ADMIN')}"
    click="updateProduct()"/>
<mx:Button id="bDelete" label="Delete"
    enabled="{dg.selectedItem}"
    visible="{identity.hasPermission(dg.selectedItem, '8,16')}"
    click="deleteProduct()"/>

In this example, the Update button is visible only if the currently logged-in user has the 'ROLE_ADMIN' role, and the Delete button is visible only when the user is allowed to delete the product selected in the DataGrid.

ifAllGranted() and hasPermission() both issue remote calls to determine whether the current user has the required access rights, and then cache those authorizations until the user logs out. If a security requirement calls for a shorter caching duration, you can set up a Timer and call identity.clearSecurityCache() periodically.

Identity.ifAllGranted() and Identity.hasPermission() can also be used programmatically. Because the value may be retrieved asynchronously, the value returned by these methods is not reliable unless it is already in the cache; in particular, they return false while the value has not been fetched yet. The correct way of handling this is to pass a result handler function:

public function canDelete(product:Product):void {
    identity.hasPermission(product, '8,16', canDeleteResult);
}

private function canDeleteResult(event:TideResultEvent, 
    product:Product, action:String):void {
    if (!event.result)
        Alert.show("You cannot delete the product " + product.name);
}

The result handler for ifAllGranted, ifAnyGranted and ifNotGranted receives the roleNames as second argument.
The result handler for hasPermission receives target and action as second and third arguments.
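The following added example (not part of the GraniteDS documentation) covers two points raised in this section and in the Seam section above: bounding the lifetime of the cached authorizations with a Timer that calls identity.clearSecurityCache(), and checking a set of roles programmatically with ifAnyGranted() and its roleNames handler argument. It assumes tideContext.identity is the Spring Identity component, that ifAnyGranted() accepts a comma-separated roleNames string, that Identity exposes a logout() method, and that CACHE_TTL_MS and showManagementPanel() are values and helpers chosen here.

```actionscript
// Added example (not from the GraniteDS docs): bound the cache lifetime of
// authorization answers and check several roles programmatically.
// Assumptions: tideContext.identity is the Spring Identity component;
// ifAnyGranted() takes a comma-separated roleNames string; identity.logout()
// exists; CACHE_TTL_MS and showManagementPanel() are constructed here.
import flash.events.TimerEvent;
import flash.utils.Timer;
import mx.controls.Alert;
import org.granite.tide.events.TideResultEvent;

private static const CACHE_TTL_MS:int = 5 * 60 * 1000;   // constructed: 5 minutes
private var cacheTimer:Timer;

// Start the periodic flush once login succeeds, so a role or permission
// revoked on the server is noticed within CACHE_TTL_MS instead of staying
// in effect on the client until logout.
private function loginResult(event:TideResultEvent):void {
    if (event.context.identity.loggedIn && cacheTimer == null) {
        cacheTimer = new Timer(CACHE_TTL_MS);
        cacheTimer.addEventListener(TimerEvent.TIMER, onCacheExpired);
        cacheTimer.start();
    }
}

// Drops the cached ifAllGranted()/ifAnyGranted()/hasPermission() answers;
// the next check for each value goes back to the server.
private function onCacheExpired(event:TimerEvent):void {
    tideContext.identity.clearSecurityCache();
}

// Stop the timer with the session; the cache is discarded on logout anyway.
public function logout():void {
    if (cacheTimer != null) {
        cacheTimer.stop();
        cacheTimer = null;
    }
    tideContext.identity.logout();   // assumed Identity method
}

// Any of several roles is enough here; the handler's second argument is the
// roleNames string the check was issued for.
public function openManagement():void {
    tideContext.identity.ifAnyGranted('ROLE_ADMIN,ROLE_MANAGER', ifAnyGrantedResult);
}

private function ifAnyGrantedResult(event:TideResultEvent, roleNames:String):void {
    if (event.result)
        showManagementPanel();   // hypothetical UI action
    else
        Alert.show("One of the roles " + roleNames + " is required");
}
```

As with the Seam variant, these client-side checks decide only what the Flex application displays and attempts; the Spring Security configuration on the remote service is what actually enforces the access rule, so shortening the cache lifetime improves how quickly the UI reflects a revocation, not whether the revoked operation is blocked.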

Copyright © 2011 Granite Data Services S.A.S. All Rights Reserved.