I have an existing jhipster app on which certain companies register and do various operations.
I want to have the functionality of a sub-user, who will have the option to either edit, delete or view an entity depending on his role.
Is there an existing blueprint for this?
You can't achieve this by using static roles unless you have very few companies and they almost never change.
You should rather look at other Spring Security features like ACL or custom methods for use in expression language annotations. You should probably also have a look at the multi-tenancy topic with Spring Security.
Anyway, you have to code it manually; a few links to get you started:
https://www.baeldung.com/spring-security-acl
How to create custom methods for use in spring security expression language annotations
You can also find some examples in JHipster:
https://github.com/jhipster/generator-jhipster/issues/1995
https://github.com/deepu105/jhipster-roles
https://blog.ippon.tech/improving-the-access-control-of-a-jhipster-application/
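As an added example (not from the original answer and not JHipster's own code), here is the "custom method in an expression" approach from the links above applied to the sub-user case: one Spring bean decides whether the current user may view, edit or delete within a given company, and `@PreAuthorize` calls it from the service layer instead of scattering checks through controllers. The `CompanyMembershipRepository` and `InvoiceRepository` lookups, the role and action enums, and the package name are assumptions made for illustration.

```java
package com.example.security; // hypothetical package name

import java.util.EnumSet;
import java.util.Optional;
import java.util.Set;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

// Fine-grained actions a sub-user may perform on a company's entities.
enum Action { VIEW, EDIT, DELETE }

// Role a sub-user holds within ONE company. Keeping the role->actions mapping here
// means a policy change is one edit, not a hunt through every controller.
enum CompanyRole {
    VIEWER(EnumSet.of(Action.VIEW)),
    EDITOR(EnumSet.of(Action.VIEW, Action.EDIT)),
    OWNER(EnumSet.allOf(Action.class));

    final Set<Action> allowed;
    CompanyRole(Set<Action> allowed) { this.allowed = allowed; }
}

// Hypothetical lookups. In a JHipster app these would be Spring Data repositories over
// tables such as company_member(company_id, user_login, role) and invoice(id, company_id).
interface CompanyMembershipRepository {
    Optional<CompanyRole> findRole(Long companyId, String login);
}
interface InvoiceRepository {
    Optional<Long> findCompanyIdByInvoiceId(Long invoiceId);
}

// The bean referenced from SpEL as @companyAuth: the single place that decides company-scoped access.
@Component("companyAuth")
class CompanyAuthorizer {
    private final CompanyMembershipRepository memberships;
    private final InvoiceRepository invoices;

    CompanyAuthorizer(CompanyMembershipRepository memberships, InvoiceRepository invoices) {
        this.memberships = memberships;
        this.invoices = invoices;
    }

    // Does the caller hold a role in companyId that allows the requested action?
    public boolean can(Authentication auth, Long companyId, String action) {
        if (auth == null || !auth.isAuthenticated() || companyId == null) {
            return false;
        }
        // ROLE_ADMIN is JHipster's built-in static authority; admins bypass per-company roles.
        boolean admin = auth.getAuthorities().stream()
            .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        if (admin) {
            return true;
        }
        Action wanted;
        try {
            wanted = Action.valueOf(action);
        } catch (IllegalArgumentException e) {
            return false; // unknown action name in an annotation: fail closed
        }
        return memberships.findRole(companyId, auth.getName())
            .map(role -> role.allowed.contains(wanted))
            .orElse(false); // not a member of that company at all: deny
    }

    // Resolve the owning company from the entity itself rather than trusting a companyId sent
    // by the client; otherwise a user could pass a company they belong to together with
    // another company's invoice id.
    public boolean canOnInvoice(Authentication auth, Long invoiceId, String action) {
        return invoices.findCompanyIdByInvoiceId(invoiceId)
            .map(companyId -> can(auth, companyId, action))
            .orElse(false); // unknown invoice: deny
    }
}

// Service layer guarded by method security. JHipster enables pre/post annotations, so the
// expression is evaluated before the body runs. #invoiceId binds to the parameter by name,
// which needs javac's -parameters flag (check your build) or Spring Security's @P annotation.
@Service
class InvoiceService {

    @PreAuthorize("@companyAuth.canOnInvoice(authentication, #invoiceId, 'VIEW')")
    public String view(Long invoiceId) {
        return "invoice " + invoiceId;
    }

    @PreAuthorize("@companyAuth.canOnInvoice(authentication, #invoiceId, 'EDIT')")
    public void edit(Long invoiceId, String body) {
        // persist the change
    }

    @PreAuthorize("@companyAuth.canOnInvoice(authentication, #invoiceId, 'DELETE')")
    public void delete(Long invoiceId) {
        // remove the invoice
    }

    // Creation has no entity yet, so the company comes from the request and is checked directly.
    @PreAuthorize("@companyAuth.can(authentication, #companyId, 'EDIT')")
    public Long create(Long companyId, String body) {
        return 1L; // id assigned by persistence in a real app
    }
}
```

The point of routing every check through `canOnInvoice` is that the authorization decision is anchored to the entity's owning company in the database, not to identifiers the client chose; the `create` method is the one case where the client-supplied company id is the right input, because there is no entity to resolve yet. Resolving the company costs one extra query per call, which is the usual price of avoiding an insecure-direct-object-reference bug.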
Introduction
I'm designing an application using Kentico 11 CMS. Client provided me with this information:
Big data are expected
Versioning and workflow would be nice to have but are not mandatory
Editing interface for the data is needed
My research
Based on Kentico's out-of-the-box capabilities, I had to decide whether to use Pages, Module classes or Custom tables to store the data. I've excluded Pages as they are not advised for big data by the docs. After some additional research I consider a custom module to be the best option for me.
Documentation states that:
Custom modules: Workflow cannot be used for your data. Versioning of the stored data is not supported by default.
Question
1) Am I able to easily bypass this restriction when using custom classes for the custom module? (meaning versioning and workflow)
2) Is there any collision when defining an interface for editing the data, while using custom classes in custom modules?
3) When defining general indexes for searching will there be any problem when using custom classes in custom modules?
You can set up versioning (https://devnet.kentico.com/articles/module-development-versioning-recycle-bin), but not workflow. If you need workflow just for publishing, you can first use the Pages application, then move the content to the custom class after the page is published.
You can use the default UI from Kentico or you can create your own.
I don't think so, but you can always create a custom index if something is wrong with the general one.
In Kentico 11, in a custom module you are developing, when using a custom Page Template (portal mode) for the UI Element, where is the appropriate place to host Transformations used by web parts of that template? "Appropriate" meaning the transformations can be bundled with the module for import/export operations or at least grouped with it logically in Kentico admin?
The Kentico Custom Module app doesn't contain a Transformations tab for its Classes.
Repeater web parts used on the UI page template only list Custom Tables and Page Types when looking for transformations. Transformation doesn't seem to be supported for a Custom Class.
I could create a standalone container Page Type to host all transformations for the module, however this would be outside the module. These transformations would use data from Classes in the module (through repeater web parts and query data sources for example). It seems odd to put them outside so I am suspicious of doing this.
Up until now I've only used the out-of-box tab and listing web parts to create custom modules. Now I need to get into more customization, and prefer the portal mode to easily build templates using web parts. Transformations seem to be the missing consideration in this development flow.
Neither can I find Transformations mentioned in the Custom Module documentation. Kentico Documentation I'm referencing is:
Creating custom modules
Manually creating the interface for custom modules
Martin Hejtmanek's Module development articles like this one
I can find a place to put my transformations. I'm looking for thoughts about where to best put them and bundle them with my custom module work.
Your findings are a shortcoming in the module documentation. The documentation talks in great detail about how to build the module and display it within the Kentico UI but says little to nothing about how to display that content outside of Kentico on the public-facing website.
What you mentioned, using a custom Page Type as a container, is a simple, easy approach and I believe you can bundle this with your module. Yes, it doesn't make sense, but using this approach will allow you to have your custom queries to access the module data and display options (transformations).
You have another option to create custom webparts for this and package them with your module but I'd recommend against this because it takes away from the basic usage of Kentico and will require code maintenance and modifications for simple changes.
If you look at page types you will see that Kentico does the custom page types to hold transformations. They have ones like RSS Transformations, E-Commerce Transformations, etc.
That is the way I have always done it also.
I suggest you take a look at the custom table module as an example, i.e. the user interface part of it: there is a transformation menu item under edit custom table in the interface. Take a look at how it is done and try to clone/modify it for your own custom module. If you check the DB, the cms_transformation table has a TransformationClassID field. So a transformation is attachable to a class, and your custom classes can have transformations attached. Honestly I've never done it, but this is how I would approach it. I would keep apples with apples, oranges with oranges... yeah, sure, you can always create a "container page type" and it will work, but I would play around with the custom module. You might need to create an extender in this case.
#John,
As per Brenden's post, you can achieve this using a custom web part with your custom logic.
Refer below URL:
https://docs.kentico.com/k10/developing-websites/defining-website-content-structure
Hi, I am very new to Broadleaf. I have some questions around the same. As per my knowledge, in Broadleaf we have 2 apps, admin and the client app. I was just wondering if we have any ability to extend core Broadleaf, or any ability given by Broadleaf to write our own functionality.
You can write your own functionality. If you have seen the demo site, it has 3 sub-projects: admin, core, site. As per its documentation:
admin - has code related to admin functionality like adding and managing product catalog
site - has code to present product catalog and offers with checkout and payment to user
core - has code which is common to both admin and site module.
Broadleaf can be extended in different ways.
Because it uses Spring, you can replace the actual beans with your own implementation of some service, for example (or DAO, etc.).
Also there are some extension points; see for example org.broadleafcommerce.core.extension.ExtensionManager and its implementations, where you can find points at which you might add custom validation to the cart, for example (you can even change the controller). See org.broadleafcommerce.core.web.service.UpdateCartServiceExtensionManager as an example.
Broadleaf has a concept of workflow that contains many Activities (org.broadleafcommerce.core.workflow.Activity) that are handled by sequential Processors (org.broadleafcommerce.core.workflow.SequenceProcessor). For example, you could see org.broadleafcommerce.core.order.service.workflow.add.ValidateAddRequestActivity, which has the role of validating the add-order-item-to-cart request.
If you want to find more tutorials you should read : http://docs.broadleafcommerce.org/core/current
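As an added example (not from the original answer and not Broadleaf's own code), here is a custom Activity for the add-to-cart workflow mentioned above, enforcing a per-line-item quantity limit on the server so that a tampered request cannot bypass it. It assumes the `BaseActivity`, `ProcessContext`, `CartOperationRequest` and `OrderItemRequestDTO` signatures from Broadleaf's public sources; the package name and the limit value are illustrative.

```java
package com.example.cart; // hypothetical package name

import org.broadleafcommerce.core.order.service.call.OrderItemRequestDTO;
import org.broadleafcommerce.core.order.service.workflow.CartOperationRequest;
import org.broadleafcommerce.core.workflow.BaseActivity;
import org.broadleafcommerce.core.workflow.ProcessContext;

/**
 * Runs inside Broadleaf's add-item workflow, after the framework's own
 * ValidateAddRequestActivity. Server-side enforcement: a client that tampers with the
 * quantity field in the add-to-cart request still cannot exceed the limit.
 */
public class MaxLineQuantityActivity extends BaseActivity<ProcessContext<CartOperationRequest>> {

    // Illustrative business rule; a real deployment would read this from configuration.
    private final int maxPerLine;

    public MaxLineQuantityActivity(int maxPerLine) {
        this.maxPerLine = maxPerLine;
    }

    @Override
    public ProcessContext<CartOperationRequest> execute(ProcessContext<CartOperationRequest> context)
            throws Exception {
        CartOperationRequest request = context.getSeedData();
        OrderItemRequestDTO item = request.getItemRequest();
        validateQuantity(item == null ? null : item.getQuantity());
        return context; // returning the context unchanged hands control to the next activity
    }

    // Kept separate so the rule can be unit-tested without a workflow harness.
    // Throwing here aborts the sequence; the processor wraps it for the caller.
    void validateQuantity(Integer quantity) {
        if (quantity == null || quantity < 1) {
            throw new IllegalArgumentException("Quantity must be a positive integer");
        }
        if (quantity > maxPerLine) {
            throw new IllegalArgumentException(
                "Quantity " + quantity + " exceeds the per-line limit of " + maxPerLine);
        }
    }
}
```

Broadleaf wires its workflows as Spring beans, so the activity is registered by adding it to the add-item workflow's activity list in your application context rather than in code, with an order value placing it after the framework's validation activity. Bean names and the exact merge mechanism differ between versions, so check them against the workflow XML shipped with yours.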
Which design approach can be used, already exists or new ones to implement security system in MVC web-application?
Possibly there are patterns, best practices, e.g. in some popular languages, e.g. Java, .Net or whatsoever?
On which level is it better to implement it: model or controller or something between them?
I found that a primitive approach results in security checks spread among many controllers or models, depending on the implementation, mixed in with the code of those layers.
But it is not obvious for me in which way to design security in better way.
I have an MVC application.
I need flexible system of access rights.
I have a hierarchy of categories and entities in categories.
Some users can edit/view/add/remove one set of categories, other users other categories.
It is also required that depending on user role some fields of model should not be retrieved from DB (null should be returned)
Admins should be able to assign different access rights.
You should be using .Net's built-in membership providers. By default a new MVC 3 Internet Application Visual Studio project template will give you basic login code. Clicking on the 'manage' your site button from within Visual Studio will give you the web interface to manage the users and roles. Create your users/roles, then define [Authorize(Roles="Admin,Users")] on your Controller class definition or on your method definitions. DO NOT define URL access as was done in Asp.Net Web Forms applications, as there are multiple URLs that could map to a single place. Use the Authorize attribute instead.
Also check my response here:
What features do I need to have before I open an ASP.Net app onto the internet?
In addition, make sure you use Html.AntiForgeryToken in your views and [ValidateAntiForgeryToken] on your [HttpPost] controller methods (i.e. any methods you post back to).
I'm an experienced developer, but new to Silverlight, Prism, MVVM and all related stuff, and I have a need for a flexible approach regarding security in a new application I'm developing.
I have this security model implemented through a custom security framework I built for WinForms (actually Visual WebGui), but I need to get some guidelines on how to implement this for Silverlight or if there is something already built that I can use.
All modules implements two interfaces, ISecurableModule and ISecuredModule.
ISecurableModule is used to register modules with security repository.
ISecuredModule is used to enforce security.
In my WinForms app, at startup (actually after a new install, at first start), a module is started that through reflection inspects all assemblies, looking for modules implementing the ISecurableModule interface. This interface reports if a module can be started in Add Mode, Edit Mode, View Mode or None of them (e.g. a reporting module or data fetch/filter can be opened only in View mode, as no data can be changed in it, but a data entry module can be opened only in Add, or in Add/Edit, or in View).
All this data is saved into security repository.
To define security rights, I can create security categories - that is, e.g. Inventory Operator, Inventory Supervisor, Payroll Operator, Payroll Supervisor, etc. For each category, I assign modules selected from security repository, with appropriate rights (e.g. for Inventory Operator I assign module Reception Inventory Operation or Transfer Inventory Operation with Add and View rights, and for Inventory Supervisor I assign all inventory modules with full rights)
Then I create Inventory Operator Role, and assign him the Inventory Operator Security category. I can assign several security categories to each role (because I can create security categories with a higher granularity - e.g. security category to manage own account or to manage group of users - which will be granted to supervisors, etc)
Then at runtime I have the concept of a workplace (like the shell in Prism) where I can load modules dynamically (really dynamically: I use the ServiceLocator pattern to locate a component based on the interface it implements, and then there is a controller for each class of module, i.e. modules implementing the same interface, which can use an enum field to identify which module to actually load for the type of data that needs to be processed). The workplace controller uses a security provider which checks the access rights for the module to be loaded against the access rights of the current user.
In my SL4 app I want to use MVVM pattern, and thus I want to have my views codeless and drive the whole functionality through ViewModel, ICommands and data binding. So I need some suggestions on how can I accomplish this sort of functionality I described into a SL4 app. I'm not particularly tied to Prism, so I will consider if there is another SL4 framework which can help me accomplish this goal.
You could try to protect the Silverlight application in many ways but in the end you cannot trust the client.
A couple of guidelines I use:
Protect the wire: use SSL to protect communication between SL and the back-end (perhaps even issue custom tokens to be able to invalidate a connection)
Do not rely on secrets in the Silverlight application (private keys, custom encryption methods, isolated storage) because they are easily broken
Put all important logic and security checks on the server.
Always check authorization when receiving a (service) call; you never know who is calling unless you check.
I only use authorization on modules to reduce the download; if you are not authorized to use a module why download it?