Acegi Security for Swing Client, right tool for the job ?

Printable View

May 26th, 2005, 08:44 AM
mrfloppy

Acegi Security for Swing Client, right tool for the job ?

Hi,

We are searching for a solution/advise to implement security into an existing Swing application (which connects to a Tomcat-server using Spring Remoting). We would very much like to use Acegi Security, but have some concerns about whether it would be an appropriate solution to fit the needs.

Consider following (simplified) case: A user using the Swing application has not got the rights to use every functionality of the application. Depending on the roles or access rights of the user certain buttons in the GUI need to be disabled/enabled or hidden/unhidden. Another requirement is that users of the application should be able to view a list of data from a table, but only the data they are allowed to view, also depending on the role of the user.

With our current (basic) understanding of Acegi Security we think it could be used to prevent the user from executing certain functionalities of the application, but not to disable controls in an existing GUI-application (without having to rewrite the existing application all too much). Simply showing a warning or error message AFTER the user has already clicked the button is not sufficient (not very user-friendly also).

Does anyone have some advice on how to implement stuff like this ? It would be great if there is a sample Swing application using Acegi Security, but I cannot seem to find one.
The only thread I could find concerning this topic is http://forum.springframework.org/showthread.php?t=14838
But it only answers the question if Acegi Security could be used in a Swing client or not, no more details as to how it could be done.

Is Acegi Security the right tool for the job ? If so, how could/should it be used in this context ? Any help/thoughts/advice/example is greatly appreciated !!!

Regards,

Eric
May 29th, 2005, 04:42 AM
Ben Alex

Generally you'll have some sort of ActionRegistry that provides a registry that can disable/enable individual controls (such as menu bars, toolbar buttons etc). Thus you just need to use Acegi Security to get a list of GrantedAuthority[]s for the current principal, then iterate through each of the actions in your ActionRegistry and disable those which the principal does not possess rights to.
Jun 2nd, 2005, 04:33 AM
mrfloppy

Thanks Ben!
Unfortunately we don't have such a Registry where we can access all controls. But now at least we have an idea about how you would implement it, and we know we're not overlooking something in the framework.

regards
eric
Jun 2nd, 2005, 08:24 AM
gfaerman

Let me add two cents to Ben's posting:

Quoting mrfloppy:

Quote:

Depending on the roles or access rights of the user certain buttons in the GUI need to be disabled/enabled or hidden/unhidden

As Ben stated,

Quote:

Thus you just need to use Acegi Security to get a list of GrantedAuthority[]s for the current principal,

, then you are done.

There is another scenario we are working in our current gig right now: Disabling or enabling buttons based in an ACL entry for a given domain object actually being edited. other than just the user GrantedAUthority[] .

Quote:

Another requirement is that users of the application should be able to view a list of data from a table, but only the data they are allowed to view, also depending on the role of the user.

The "after" collections filters provided by Acegi here are your friends.

All your requirements can be implemented with Acegi.
IMHO and true field experience (this means tons of mistakes :wink: ) , mostly issues come up due to our own misunderstanding of some bests practices in the RC/java security enforcement field other than just the security and RC frameworks we choose/use.

Just needless to say Acegi rocks!

Gustavo Faerman
Jun 24th, 2005, 08:48 PM
Ben Alex

Quote:

Originally Posted by gfaerman

Just needless to say Acegi rocks!

Thanks Gustavo. Have you considered contributing to the Spring Rich Client project, as I know they'd love to see some of these sort of capabilities?
Nov 30th, 2005, 07:36 AM
lbois

Have you implemented security

Hello,

I have the same use case.
I actually have a Swing app connected to different services using Spring remoting.

I'd like to implement security.
As a first step, a BASIC auth would be enough.

I do not sse several points actually before doing this :
Should i use acegi for this.
How can i popup a dialog for login & credentials on client side once i tried to reach a secured service.

Your help is welcome

Laurent
Nov 30th, 2005, 09:04 AM
bpolka

take a look at Spring RCP

The command to look for is org.springframework.richclient.security.LoginComma nd. If you ignore all the forms fluff that Spring RCP provides with the command you will have a pretty good example of how to do it.
Nov 30th, 2005, 09:27 AM
lbois

spring rcp

OK,

But éy ui is based on classic swing and not spring rcp...
I'm going to check loginCommand

Thanks

Laurent