Database as data source for authorization
To implement authorization, three tables are required in the database for managing users, roles and rights; they are linked to each other by n:m relations. You can use the wizard to generate the corresponding entities. In addition, the entities are linked by a mapping, which allows RapidClipse to handle arbitrary names of entities and attributes. If the default mapping does not suit your data structure, you can define custom queries for it.
Even if you use authentication via LDAP, you must store users in a database table to link users and roles. Users and roles must be synchronized at runtime.
Required data structure in general:
- User - storage of the username, the password and, where applicable, additional user-specific information. Names used in the RapidClipse APIs: User, Subject.
- Roles - storage of the roles / groups a user can belong to. Names used in the RapidClipse APIs: Roles, Usergroups, Userroles.
- Rights - storage of the rights a role can have. States or conditions that must be fulfilled can also be stored here. Names used in the RapidClipse APIs: Permissions, Resources.
Data structure generated by RapidClipse:

Entities

Entity   | Attribute   | Data type  | Explanation
User     | username    | String     | Saves the user name as a string.
User     | password    | byte[]     | Saves the password as a byte array, usually encrypted.
User     | roles       | Set / List | List of all roles of the user.
Role     | name        | String     | Saves the name of the role as a string.
Role     | resources   | Set / List | List of all rights of the role.
Role     | childRoles  | Set / List | List of all subroles of the role.
Role     | parentRoles | Set / List | List of all parent roles of the role.
Role     | users       | Set / List | List of all users that have the role.
Resource | name        | String     | Saves the name of a permission as a string.
Resource | roles       | Set / List | List of all roles that hold the permission.
Data Access
- UserDAO
- RoleDAO
- ResourceDAO
Database tables (using MySQL as an example) - database tables generated by the (Hibernate) entity export function.

Table          | Data field | Data type    | Explanation
USER           | USERNAME   | varchar(255) | Saves the user data, including username and password.
USER           | password   | tinyblob     |
ROLE           | NAME       | varchar(255) | Saves all roles.
RESOURCE       | NAME       | varchar(255) | Saves all rights.
ROLERESOURCENM | ROLE       | varchar(255) | Saves all role-rights combinations. A role can have many rights, a right can occur in many roles.
ROLERESOURCENM | RESOURCE   | varchar(255) |
ROLEROLENM     | CHILDROLE  | varchar(255) | Saves all role-role combinations and thus allows nesting of roles.
ROLEROLENM     | PARENTROLE | varchar(255) |
USERROLENM     | USER       | varchar(255) | Saves all user-role combinations. One user can have many roles, one role can be taken by many users.
USERROLENM     | ROLE       | varchar(255) |
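As an added example (not code generated by RapidClipse or taken from this page), the following class writes out the three entities and the three n:m join tables described above as JPA mappings and adds a resolver that computes a user's effective permissions by walking the nested roles stored in ROLEROLENM. The class, method and sample data names are assumptions, and javax.persistence is assumed to be on the classpath; the resolver is a plain in-memory walk, not the RapidClipse API.

```java
// Added example (not RapidClipse's generated code): the entities and join tables of this
// page as JPA mappings, plus a resolver for a user's effective permissions. Class, method
// and sample names are assumptions; javax.persistence is assumed to be available.
import java.util.*;
import javax.persistence.*;

public class AuthorizationModelExample {

    @Entity
    @Table(name = "USER")
    public static class User {
        @Id @Column(name = "USERNAME")
        private String username;
        // byte[] column "password": store a password hash here, never the plaintext
        @Column(name = "password")
        private byte[] password;
        // USERROLENM(USER, ROLE): one user has many roles, one role has many users
        @ManyToMany
        @JoinTable(name = "USERROLENM",
            joinColumns = @JoinColumn(name = "USER"),
            inverseJoinColumns = @JoinColumn(name = "ROLE"))
        private Set<Role> roles = new HashSet<>();

        protected User() { }                       // JPA needs a no-arg constructor
        public User(String username) { this.username = username; }
        public Set<Role> getRoles() { return roles; }
    }

    @Entity
    @Table(name = "ROLE")
    public static class Role {
        @Id @Column(name = "NAME")
        private String name;
        // ROLERESOURCENM(ROLE, RESOURCE): rights granted to this role
        @ManyToMany
        @JoinTable(name = "ROLERESOURCENM",
            joinColumns = @JoinColumn(name = "ROLE"),
            inverseJoinColumns = @JoinColumn(name = "RESOURCE"))
        private Set<Resource> resources = new HashSet<>();
        // ROLEROLENM(CHILDROLE, PARENTROLE): role nesting; childRoles owns the table,
        // parentRoles is the inverse view of the same rows
        @ManyToMany
        @JoinTable(name = "ROLEROLENM",
            joinColumns = @JoinColumn(name = "PARENTROLE"),
            inverseJoinColumns = @JoinColumn(name = "CHILDROLE"))
        private Set<Role> childRoles = new HashSet<>();
        @ManyToMany(mappedBy = "childRoles")
        private Set<Role> parentRoles = new HashSet<>();
        @ManyToMany(mappedBy = "roles")
        private Set<User> users = new HashSet<>();

        protected Role() { }
        public Role(String name) { this.name = name; }
        public Set<Resource> getResources() { return resources; }
        public Set<Role> getChildRoles() { return childRoles; }
    }

    @Entity
    @Table(name = "RESOURCE")
    public static class Resource {
        @Id @Column(name = "NAME")
        private String name;
        @ManyToMany(mappedBy = "resources")
        private Set<Role> roles = new HashSet<>();

        protected Resource() { }
        public Resource(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Collects every resource name reachable from the user's roles through childRoles.
    // The visited set stops the walk on a cycle in ROLEROLENM (the schema does not
    // forbid A -> B -> A), so one bad row cannot turn permission checks into a loop.
    public static Set<String> effectivePermissions(User user) {
        Set<String> permissions = new TreeSet<>();
        Set<Role> visited = new HashSet<>();
        Deque<Role> work = new ArrayDeque<>(user.getRoles());
        while (!work.isEmpty()) {
            Role role = work.pop();
            if (!visited.add(role)) {
                continue;                          // already expanded (cycle or diamond)
            }
            for (Resource r : role.getResources()) {
                permissions.add(r.getName());
            }
            work.addAll(role.getChildRoles());
        }
        return permissions;
    }

    // Constructed sample data: admin nests editor, editor nests viewer, and a
    // deliberate cycle viewer -> admin that the resolver has to tolerate.
    public static void main(String[] args) {
        Role viewer = new Role("viewer"), editor = new Role("editor"), admin = new Role("admin");
        viewer.getResources().add(new Resource("invoice.read"));
        editor.getResources().add(new Resource("invoice.write"));
        admin.getResources().add(new Resource("invoice.delete"));
        admin.getChildRoles().add(editor);
        editor.getChildRoles().add(viewer);
        viewer.getChildRoles().add(admin);         // cycle
        User alice = new User("alice");
        alice.getRoles().add(admin);
        System.out.println(effectivePermissions(alice));
    }
}
```

The join table names and columns follow the MySQL export table above, so the mapping can be compared line by line with the schema. The visited-set guard matters because ROLEROLENM has no constraint that prevents a role from being its own ancestor; resolving rights with a plain recursive walk would not terminate on such data.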
Dealing with an existing database - If your database already contains tables for managing users, roles and rights, make sure that each table has a corresponding entity with an associated DAO in your Project Management under Entities or Data Access. If not, you can import the missing entities and DAOs using the import function Create JPA entities from table. Different table and data field names are no problem, because of the mapping performed later.
Define / generate resource table
- Entity for permissions already exists - select your existing entity.
- No Resource entity exists yet - click New Entity… to create a new entity Resource including the DAO ResourceDAO.
- At Mapping > Resource name, select the attribute for storing the user rights.
- Click Next >.

Notice:
- Mapping - if you had the entity Resource generated, you can keep the default attribute Resource.name.

Result:
- Project Management > Entities - the entity class Resource.java is generated, or an already existing entity is used by selection.

  Entity   | Attribute | Data type
  Resource | name      | String

- Project Management > Data Access - the DAO class ResourceDAO.java is generated. If an already existing entity is selected, no new DAO is generated.
Define / generate Roles table
- Roles table already exists - select your existing Role entity.
- No Role entity exists yet - click New Entity… to create a new entity Role including the DAO RoleDAO.
- At Mapping > Role name, select the attribute for storing the roles.
- At Mapping > Resources, select the attribute for storing the rights.
- At Mapping > Child roles, select the attribute for storing subroles.
- Click Next >.

Options:
- Role name - selection of the attribute for the role name.
- Resources - selection of the attribute with the list (Set/List) of all rights of a role.
- Child roles - selection of the attribute with the list (Set/List) of all subroles of a role.

Result:
- Project Management > Entities
  - Role - the entity class Role.java is generated, or an already existing entity is used by selection.

    Entity | Attribute   | Data type
    Role   | name        | String
    Role   | resources   | Set / List
    Role   | childRoles  | Set / List
    Role   | parentRoles | Set / List

  - Resource - the entity class Resource.java is extended by the attribute roles.

    Entity   | Attribute | Data type
    Resource | name      | String
    Resource | roles     | Set / List

- Project Management > Data Access - the DAO class RoleDAO.java is generated. If an already existing entity is selected, no new DAO is generated.
Linking users and roles
- Table for the users (User) already exists - select your existing User entity.
- No User entity exists yet - click New Entity… to create a new entity User.
- At Mapping > Subject name, select the attribute for the user name.
- At Mapping > Roles, click Create Attribute to extend the entity User with an attribute that links the entities User and Role.
- Click Finish.

Options:
- Subject name - selection of the attribute for the user name.
- Roles - selection of the attribute with the list (Set/List) of all roles of a user.

Result:
- Project Management > Entities
  - Role - the entity class Role.java is extended by the attribute users.

    Entity | Attribute   | Data type
    Role   | name        | String
    Role   | resources   | Set / List
    Role   | childRoles  | Set / List
    Role   | parentRoles | Set / List
    Role   | users       | Set / List

  - User - the entity class User.java is extended by the attribute roles.

    Entity | Attribute | Data type
    User   | username  | String
    User   | password  | byte[]
    User   | roles     | Set / List

- Project Management > Data Access - the DAO class RoleDAO.java is generated. If an already existing entity is selected, no new DAO is generated.
- Project Management > Business Objects - the class ExampleAuthorizationProvider.java is generated:
    package com.company.demoproject.ui;

    import com.company.demoproject.domain.Resource;
    import com.company.demoproject.domain.Role;
    import com.company.demoproject.domain.User;
    import com.rapidclipse.framework.security.authorization.AuthorizationConfiguration;
    import com.rapidclipse.framework.security.authorization.AuthorizationConfigurationProvider;
    import com.rapidclipse.framework.server.security.authorization.jpa.JPAAuthorizationConfigurationProvider;

    public class MyAuthorizationConfigurationProvider implements AuthorizationConfigurationProvider
    {
        // Singleton created lazily and thread-safely (initialization-on-demand holder idiom)
        private static class InitializationOnDemandHolder
        {
            final static MyAuthorizationConfigurationProvider INSTANCE = new MyAuthorizationConfigurationProvider();
        }

        public static MyAuthorizationConfigurationProvider getInstance()
        {
            return InitializationOnDemandHolder.INSTANCE;
        }

        // Delegate that reads users, roles and resources from the JPA entities
        private JPAAuthorizationConfigurationProvider provider;

        private MyAuthorizationConfigurationProvider()
        {
        }

        @Override
        public AuthorizationConfiguration provideConfiguration()
        {
            // Create the JPA-backed provider on first use, bound to the three entity classes
            if(this.provider == null)
            {
                this.provider = new JPAAuthorizationConfigurationProvider(User.class, Role.class, Resource.class);
            }
            return this.provider.provideConfiguration();
        }
    }