15.6. Authorization
Group items matching
in title, tags, annotations or url
18More
Seam - Contextual Components - 0 views
-
-
Seam Security is built around the premise of users being granted roles and/or permissions, allowing them to perform operations that may not otherwise be permissible for users without the necessary security privileges
-
15.6.1. Core concepts
- ...15 more annotations...
-
15.6.1.1. What is a role? A role is a group, or type, of user that may have been granted certain privileges for performing one or more specific actions within an application
-
used to create logical groups of users for the convenient assignment of specific application privileges
-
15.6.1.2. What is a permission? A permission is a privilege (sometimes once-off) for performing a single, specific action. It is entirely possible to build an application using nothing but permissions, however roles offer a higher level of convenience when granting privileges to groups of users
-
consisting of three "aspects";
-
a target
-
an action
-
a recipient
-
An empty @Restrict implies a permission check of componentName:methodName
-
implied permission required to call the delete() method is account:delete
-
equivalent of this would be to write @Restrict("#{s:hasPermission('account','delete')}")
-
@Restrict annotation may reference any objects that exist within a Seam context. This is extremely useful when performing permission checks for a specific object instance.
-
selectedAccount
-
selectedAccount
-
Identity.instance().checkRestriction
-
If the expression specified doesn't evaluate to true, either if the user is not logged in, a NotLoggedInException exception is thrown or if the user is logged in, an AuthorizationException exception is thrown.
2More
How to search issues from specific Sprint - Atlassian Answers - 0 views
-
to find issues from a specific sprint, you have to add one of the following to your JQL query: 1sprint = ID 1sprint in (1,3,4)
-
have to know the ID (not name) of your sprint.
73More
shared by kuni katsuya on 13 Dec 12
- No Cached
Stephen Colebourne's blog: Javadoc coding standards - 0 views
blog.joda.org/...javadoc-coding-standards.html
java javadoc BestPractices documentation design communication
shared by kuni katsuya on 13 Dec 12
- No Cached
-
Javadoc coding standards
-
explain some of the rationale for some of my choices
-
this is more about the formatting of Javadoc, than the content of Javadoc
- ...63 more annotations...
-
Each of the guidelines below consists of a short description of the rule and an explanation
-
Write Javadoc to be read as source code
-
Making Javadoc readable as source code
-
Public and protected
-
All public and protected methods should be fully defined with Javadoc
-
Package and private methods do not have to be, but may
-
benefit from it.
-
think of it as internal design documentation when you revisit this code 8 months from now: - based on nothing but your well-chosen ;) package/class/method/variable names, will you recall all of your current design intentions and rationale? likely not - when you hand-off this code to another software engineer, how easy will it be to mostly rtfm? will you have to waste time preparing design/implementation notes specifically for the hand-off? if this is the case because the code is unreadable and not self-guiding and there's not already at least high level design notes in a wiki, you're doing it wrong!
-
-
If a method is overridden in a subclass, Javadoc should only be present if it says something distinct to the original definition of the method
-
ie. don't just copy-paste the javadoc from the superclass. that's mindless and pointless monkey work
-
-
Use the standard style for the Javadoc comment
-
Do not use '**/' at the end of the Javadoc
-
Use simple HTML tags, not valid XHTML
-
XHTML adds many extra tags that make the Javadoc harder to read as source code
-
Use a single <p> tag between paragraphs
-
Place a single <p> tag on the blank line between paragraphs:
-
this at least makes the paragraph breaks wysiwygísh and somewhat easier to read
-
-
Use a single <li> tag for items in a list
-
place a single <li> tag at the start of the line and no closing tag
-
Define a punchy first sentence
-
it has the responsibility of summing up the method or class to readers scanning the class or package
-
the first sentence should be
-
clear and punchy, and generally short
-
use the third person form at the start
-
Avoid the second person form, such as "Get the foo"
-
Use "this" to refer to an instance of the class
-
When referring to an instance of the class being documented, use "this" to reference it.
-
Aim for short single line sentences
-
Wherever possible, make Javadoc sentences fit on a single line
-
favouring between 80 and 120 characters
-
Use @link and @code wisely
-
@link feature creates a visible hyperlink in generated Javadoc to the target
-
@code feature provides a section of fixed-width font, ideal for references to methods and class names
-
Only use @link on the first reference to a specific class or method
-
Use @code for subsequent references.
-
This avoids excessive hyperlinks cluttering up the Javadoc
-
Never use @link in the first sentence
-
Always use @code in the first sentence if necessary
-
Adding a hyperlink in that first sentence makes the higher level documentation more confusing
-
Do not use @code for null, true or false
-
Adding @code for every occurrence is a burden to both the reader and writer of the Javadoc and adds no real value.
-
Use @param, @return and @throws
-
@param entries should be specified in the same order as the parameters
-
@return should be after the @param entries
-
followed by @throws.
-
Use @param for generics
-
correct approach is an @param tag with the parameter name of <T> where T is the type parameter name.
-
Use one blank line before @param
-
This aids readability in source code.
-
Treat @param and @return as a phrase
-
They should start with a lower case letter, typically using the word "the". They should not end with a dot. This aids readability in source code and when generated.
-
treated as phrases rather than complete sentences
-
Treat @throws as an if clause
-
phrase describing the condition
-
Define null-handling for all parameters and return types
-
ideally, if the method in question has any specified/required pre and/or post conditions, they should be noted in the javadoc, not *just* null handling also, there are cleaner ways to design around this type of old school null handling hackage
-
-
methods should define their null-tolerance in the @param or @return
-
standard forms expressing this
-
"not null"
-
"may be null"
-
"null treated as xxx"
-
-
"null returns xxx"
-
-
In general the behaviour of the passed in null should be defined
-
Specifications require implementation notes
-
Avoid @author
-
source control system is in a much better position to record authors
-
This wastes everyone's time and decreases the overall value of the documentation. When you have nothing useful to say, say nothing!
-
likewise with javadoc on things like default constructors /** * Creates an instance of SomeClass */ public SomeClass() {} is equally useless and unnecessarily clutters up the source code
-
Specification using JPA 2.0 Criteria API - Source Code « Adrian Hummel - 0 views
adrianhummel.wordpress.com/...a-2-0-criteria-api-source-code
java JPA patterns CriteriaAPI specification
shared by kuni katsuya on 04 Nov 12
- No Cached
54More
Architecture | Apache Shiro - 0 views
-
Realm is essentially a security-specific DAO
-
3 primary concepts:
-
Subject
- ...51 more annotations...
-
SecurityManager
-
Realms
-
High-Level Overview
-
Subject
-
essentially a security specific 'view' of the the currently executing user
-
Subject
-
instances are all bound to (and require) a
-
SecurityManager
-
When you interact with a Subject, those interactions translate to subject-specific interactions with the SecurityManager
-
SecurityManager
-
'umbrella’ object that coordinates its internal security components that together form an object graph
-
Realms
-
‘connector’ between Shiro and your
-
application’s security data
-
Shiro looks up many of these things from one or more Realms configured for an application
-
Subject
-
SecurityManager
-
Authenticator
-
Authorizer
-
component responsible determining users' access control in the application
-
if a user is allowed to do something or not
-
SessionManager
-
knows how to create and manage user
-
Session
-
lifecycles
-
Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available
-
Shiro will use
-
an existing session mechanism
-
if available, (e.g. Servlet Container)
-
if there isn't one, such as in a standalone application or non-web environment, it will use its
-
built-in enterprise session management
-
SessionDAO
-
exists to allow any datasource to be used to
-
persist sessions
-
SessionDAO
-
performs Session persistence (CRUD) operations on behalf of the SessionManager
-
allows any data store to be plugged in to the Session Management infrastructure
-
CacheManager
-
creates and manages Cache instance lifecycles used by other Shiro components
-
improve performance while using these data source
-
Cryptography
-
Realms
-
‘connector’ between Shiro and your application’s security data
-
Realms
-
Realms
-
Realms
-
‘connector’ between Shiro and your application’s security data
-
‘connector’ between Shiro and your application’s security data
-
‘connector’ between Shiro and your application’s security data
-
‘connector’ between Shiro and your application’s security data
-
‘connector’ between Shiro and your application’s security data
11More
Interview of GraniteDS founders | RIAgora - 0 views
-
explained the origin of GraniteDS and the differences with LiveCycle Data Services
-
ActionScript3 reflection API
-
GraniteDS 2.2
- ...8 more annotations...
-
JSR-303 (“Bean Validation”) ActionScript3 framework for form validation
-
validation framework is a specific adaptation of the JSR-303 (Bean Validation) specification to Flex: like its Java counterpart, it relies on validation annotations placed on bean properties and provides an engine API that lets you validate your forms without writing by hand a specific validator for each of your input fields
-
code generation tools provided by GraniteDS so that when you write your Java entity bean with validation annotations, they are automatically replicated in your ActionScript3 beans
-
problem with LCDS is mainly that it promotes a strict “client / server” architecture, with – roughly speaking – a heavy Flex client application connected to a server almost reduced to a database frontend
-
big majority of these organizations use BlazeDS, a free and open-source subset of LCDS
-
need more advanced mechanisms than just Remoting start looking for open-source libraries to enable deeper integrations with the Java business layer, and GraniteDS is for sure the most popular project
-
“Flex Data Services” (now renamed to “Live Cycle Data Services”)
-
Flex Data Services seemed too “client-centric”
9More
Java Interfaces/Implementation naming convention - Stack Overflow - 0 views
-
Putting I in front is just crappy hungarian style notation tautology that adds nothing but more stuff to type to your code.
-
An Interface in Java is a Type
-
And the Impl suffix is just more noise as well
- ...5 more annotations...
-
Everything that implements Truck is a Type of Truck.
-
The name of the interface should describe the abstract concept the interface represents. Any implementation class should have some sort of specific traits that can be used to give it a more specific name.
-
no justification to have an interface at all.
-
If there is only one implementation class
-
Java Interfaces/Implementation naming convention
-
"Putting I in front is just crappy hungarian style notation tautology that adds nothing but more stuff to type to your code"
3More
Fiddler Web Debugger - Configuring clients - 0 views
-
Debug traffic from another machine (even a device or Unix box)
-
Allow remote clients to connect
-
"HTTP application to use Fiddler? You can either directly configure the WinHTTP application to point to Fiddler, in code, or you can use the following command at the command prompt to tell WinHTTP to use Fiddler: On XP or below: proxycfg -p http=127.0.0.1:8888;https=127.0.0.1:8888 ...or this one to force WinHTTP to use WinINET's proxy settings: proxycfg -u On Vista or above, use an Elevated (admin) command prompt: netsh winhttp set proxy 127.0.0.1:8888 Note: On Windows 7 and earlier, netsh is bitness specific, so you may want to run the above command twice: first using the 32bit NETSH and then using the 64bit NETSH. This blog has more information. This issue was fixed in Windows 8; you can call either NetSh just once to set the proxy for both 32bit and 64bit WinHTTP hosts. Capture traffic from a different account, like ASP.NET on IIS or from a Windows Service? Trying to capture SOAP calls coming from ASP.NET or some background service process? By default, Fiddler registers as the proxy only for the current user account (ASP.NET runs in a different user account). To get a background process (like the ASP.NET or IIS process) to use Fiddler, you must configure that process to use Fiddler. Typically, this is done by editing web.config or machine.config for the ASP.NET installation, or the configuration for the code running within the Windows Service. Please see http://msdn.microsoft.com/en-us/magazine/cc300743.aspx#S4 or the section on .NET or WinHTTP, depending on which network stack the service is using. Configure Windows Phone 7 to use Fiddler? Please see http://blogs.msdn.com/b/fiddler/archive/2011/01/09/debugging-windows-phone-7-device-traffic-with-fiddler.aspx for actual device hardware, or http://blogs.msdn.com/b/fiddler/archive/2010/10/15/fiddler-and-the-windows-phone-emulator.aspx for the emulator. Configure Google Nexus 7 (Andoid 4.1 Jellybean) to use Fiddler? Please see this page. Configure Android Emulator to use Fiddler? Please see http://au
JBoss Maven Java EE 6 Specification APIs | How to JBoss - 0 views
9More
Seam Framework - Home - 0 views
-
How do Seam, Weld and CDI relate to each other?
-
CDI is a JCP specification included in Java EE Weld is the reference implementation of CDI Seam 3 is a set of modules which extend CDI to provide functionality beyond that offered by Java EE 6
-
Seam 3 is a superset of JSR-299
- ...6 more annotations...
-
Think of JSR-299 as the core of Seam 3 - it's the basic programming model for your application components, and for the built-in components that make up the Seam framework
-
Seam 3 is implemented as a set of portable extensions, or modules
-
run in any environment which supports JSR-299 (including any Java EE 6 environment).
-
BPM integration, Seam Security, Drools integration, RESTeasy integration, PDF and email templates, Excel generation, etc
-
2.0.0.Final End of 2012 Full specification compliance
-
Weld 2
10More
shared by kuni katsuya on 03 Sep 12
- No Cached
Realm (Apache Shiro :: Core 1.1.0 API) - 0 views
127.0.0.1/...Realm.html
security ApacheShiro Realm authentication authorization user Role Permission
shared by kuni katsuya on 03 Sep 12
- No Cached
-
Interface Realm
-
AuthenticatingRealm
-
AuthorizingRealm
- ...7 more annotations...
-
JdbcRealm
-
A Realm is a security component that can access application-specific security entities such as users, roles, and permissions to determine authentication and authorization operations
-
security-specific DAOs
-
If for some reason you don't want your Realm implementation to perform authentication duties, you should override the supports(org.apache.shiro.authc.AuthenticationToken) method to always return false
-
does not require you to implement or extend any User, Group or Role interfaces or classes
-
Shiro tries to maintain a non-intrusive development philosophy
-
Most users will not implement the Realm interface directly, but will extend one of the subclasses, AuthenticatingRealm or AuthorizingRealm, greatly reducing the effort requird to implement a Realm from scratch
35More
Pro JPA 2: Mastering the Java™ Persistence API > Advanced Topics > SQL Querie... - 0 views
-
queries are also known as native queries
-
SQL Queries
-
reasons why a developer using JP QL might want to integrate SQL queries into their application
- ...32 more annotations...
-
JPA 2.0, still contains only a subset of the features supported by many database vendors
-
features not supported in JP QL.
-
performance required by an application is to replace the JP QL query with a hand-optimized SQL version. This may be a simple restructuring of the query that the persistence provider was generating, or it may be a vendor-specific version that leverages query hints and features specific to a particular database.
-
recommend avoiding SQL initially if possible and then introducing it only when necessary
-
benefits of SQL query support is that it uses the same Query interface used for JP QL queries. With some small exceptions that will be described later, all the Query interface operations discussed in previous chapters apply equally to both JP QL and SQL queries.
-
keep application code consistent because it needs to concern itself only with the EntityManager and Query interfaces.
-
An unfortunate result of adding the TypedQuery interface in JPA 2.0 is that the createNativeQuery() method was already defined in JPA 1.0 to accept a SQL string and a result class and return an untyped Query interface
-
consequence is that when the createNativeQuery() method is called with a result class argument one might mistakenly think it will produce a TypedQuery, like createQuery() and createNamedQuery() do when a result class is passed in.
-
@NamedNativeQuery
-
resultClass=Employee.class
-
The fact that the named query was defined using SQL instead of JP QL is not important to the caller
-
SQL Result Set Mapping
-
JPA provides SQL result set mappings to handle these scenarios
-
A SQL result set mapping is defined using the @SqlResultSetMapping annotation. It may be placed on an entity class and consists of a name (unique within the persistence unit) and one or more entity and column mappings.
-
entities=@EntityResult(entityClass=Employee.class)
-
@SqlResultSetMapping
-
Multiple Result Mappings
-
A query may return more than one entity at a time
-
The SQL result set mapping to return both the Employee and Address entities out of this query
-
emp_id, name, salary, manager_id, dept_id
-
address_id, id, street, city, state, zip
-
order in which the entities are listed is not important
-
ntities={@EntityResult(entityClass=Employee.class), @EntityResult(entityClass=Address.class)}
-
expected result type and therefore received an instance of TypedQuery that is bound to the expected type. By qualifying the result type in this way, the getResultList() and getSingleResult() methods return the correct types without the need for casting.
-
Defining a Class for Use in a Constructor Expression
-
public EmpMenu(String employeeName, String departmentName)
-
List<EmpMenu>
-
NEW example.EmpMenu(" + "e.name, e.department.name)
-
EmpMenu.class
-
createNamedQuery() can return a TypedQuery whereas the createNativeQuery() method returns an untyped Query
-
List<Employee>
-
createNamedQuery("orgStructureReportingTo", Employee.class)
19More
8. Bean Validation (JSR-303) - Confluence - 0 views
-
"Bean Validation" specification (aka JSR-303) standardizes an annotation-based validation framework for Java
-
Flex doesn't provide by itself such framework. The standard way of processing validation is to use Validator subclasses and to bind each validator to each user input (see Validating data). This method is at least time consuming for the developer, source of inconsistancies between the client-side and the server-side validation processes, and source of redundancies in your MXML code.
-
GraniteDS introduces an ActionsScript3 implementation of the Bean Validation specification and provides code generation tools integration so that your Java constraint annotations are reproduced in your AS3 beans
- ...16 more annotations...
-
GraniteDS validation framework provides a set of standard constraints
-
Constraint Description AssertFalse The annotated element must be false AssertTrue The annotated element must be true DecimalMax The annotated element must be a number whose value must be lower or equal to the specified maximum DecimalMin The annotated element must be a number whose value must be greater or equal to the specified minimum Digits The annotated element must be a number whithin accepted range Future The annotated element must be a date in the future Max The annotated element must be a number whose value must be lower or equal to the specified maximum Min The annotated element must be a number whose value must be greater or equal to the specified minimum NotNull The annotated element must not be null Null The annotated element must be null Past The annotated element must be a date in the past Pattern The annotated String must match the supplied regular expression Size The annotated element size must be between the specified boundaries (included)
-
Constraint annotations must be placed on public properties, either public variables or public accessors
-
-keep-as3-metadata+=AssertFalse,AssertTrue,DecimalMax,DecimalMin, Digits,Future,Max,Min,NotNull,Null,Past,Pattern,Size
-
must use
-
keep the constraint annotations in your compiled code
-
Error Messages and Localization
-
{name.notnull}
-
{name.minsize}
-
use the built-in ResourceBundle support offered by Flex:
-
to add support for different locales
-
follow the same principle:
-
create a ValidationMessages.properties for the new locale
-
translate all default error messages and add new ones for your customized message keys
-
Note that the bundle name must always be set to "ValidationMessages".
-
Using the FormValidator Class
Specifications - 0 views
11More
Subject | Apache Shiro - 0 views
-
Understanding Subjects in Apache Shiro
-
'Subject'
-
is just a security term that means a
- ...8 more annotations...
-
security-specific 'view'
-
of an application user
-
Subject instance represents both security state and operations for
-
a single application user
-
in the security world, the term 'Subject' is actually the recognized nomenclature
-
Subject currentUser = SecurityUtils.getSubject();
-
obtain the currently executing Subject by using org.apache.shiro.SecurityUtils:
-
Subject based on user data associated with current thread or incoming request.
31More
TH01-EP03-US004 - Property Mgmt, Edit Location & Directions, Content Mgmt - Projects - ... - 0 views
-
Property Mgmt
-
Property Mgmt
-
Property Mgmt
- ...18 more annotations...
-
Property Mgmt
-
Property Mgmt
-
Property Mgmt
-
As a user
-
-
ability to see
-
-
Location Type
-
Description
-
Airports
-
belonging to other organizations
-
-
clone this information
-
clone = retrieve, then create ie. required permissions: {retrieve,create:}
-
-
have the rights
-
generally speaking, there can be a few independent but overlapping mechanism that will control who is allowed to do what with content: 1. any subject's access to the content itself can be controlled via authorization rules (ie. required vs granted permissions) enforced via system-wide resource-based access control 2. content licensors (~content owners) can restrict the usage of their content by: * whom - ie. content licensee (legally/commercially represented by an organization) * how - eg. reuse as unmodified, create derivatives, composite, redistribute, etc * where - ie. distribution channels their content can be used (eg. only on hotel's vbrochure site, but not in any ids/gds channels) * when - temporal restrictions may limit scope of content license grant by: start, end, duration, season, etc 3. content licensees can further filter or funnel content available to them (resulting from a combination of license granted to them and access control) based on their own criteria (eg. generate a templated hotel presentation only if: at least 1 textual description, 5 photos and 1 video for a hotel is available with a license to combine them (composite content)
-
-
see how other organizations describe the property
-
permission required: retrieve hotel descriptive content(?) owned by independent organization
-
-
Property Mgmt
-
which textual information
-
displayed
-
-
ECM will ask user to confirm that the user has rights to use that content
-
if ecm/vfml is to manage content licensing as a third party between organizations (content licensors & licensees) shouldn't ecm *know* if the user('s organization) has rights to use the content in question? is this question posed to the user (with required explicit acknowledgement) purely to absolve vfml from liability issues that may result from licensing disagreements?
-
-
property’s
-
this being the user's (organization's) 'version'or 'view'of the hotel, since this user normally wouldn't/shouldn't be granted permissions to replace content for a hotel on a different organization's 'view'or 'version' of the same hotel
-
-
to see the user’s original content
-
this implies that *at least* one version of such (temporarily) replaceable content needs to be managed/maintaned to allow reverting what if, deliberately, ignorantly or maliciously, a user replaces the same piece of--textual or any type, really--content for this hotel n times? will all n versions be required to be managed as an undo history? the user's ''original content'' might have been version 1, but equally might have been 1 mean: - previous version of the content, regardless of which user - initial version of that content attached to the hotel regardless of which user created/updated it and ignoring which organization owns it?, or, -
-
[CDI Specification Bugs/Clarifications proposed for CDI 1.1] Issue Navigator - JBoss Is... - 0 views
30More
3. Gas3 Code Generator - Confluence - 0 views
-
3. Gas3 Code Generator
-
Known Limitations
-
Gas3 does not support inner classes
- ...26 more annotations...
-
except of enum type
-
-
must declare your classes in separated source files if you want them to be correctly handled by the generator
-
Java enums
-
enum.gsp
-
JPA entity beans
-
entity.gsp
-
Java interfaces
-
interface.gsp
-
Java services
-
remote.gsp
-
Java events
-
bean.gsp
-
All other Java classes
-
bean.gsp
-
beanBase.gsp
-
beanBase.gsp
-
remoteBase.gsp, or tideRemoteBase.gsp
-
entityBase.gsp, or tideEntityBase.gsp
-
@Entity
-
@MappedSuperclass
-
@RemoteDestination
-
@TideEvent
-
templates are bundled in the granite-generator.jar
-
accessible as resources via the class loader
-
GraniteDS comes with an ActionScript3 code generator that writes AS3 beans for all externalized JavaBeans, with specific support for lazily loaded EJB 3 entities
-
3. Gas3 Code Generator
1More
The WebSocket API - 0 views
-
two-way communication with a remote host.