1. Securing data instances with ERBACKalle Korhonentynamo.org - Apache Tapestry - Apache Shiro

2. Me and open source Founder of Tynamo.org a full web stack suite for Tapestry 5 successor to Trails Framework, one of the original Ruby on Rails wannabes for Java Committer to Apache Tapestry,Apache Shirotynamo.org - Apache Tapestry - Apache Shiro 3. Tynamo.org Some stats : 5 active committers, 13 all time similar in size with Apache Shiro 22 individual modules + sub modules tapestry-model the bread andbutter: the most customizableCRUD framework for Java recently more JPA modules tynamo.org - Apache Tapestry - Apache Shiro 4. Security related modules tapestry-security, Apache Shirointegration for Tapestry 5 tynamo-federatedaccounts, accountfederation with remote authenticationproviders (Facebook, Twitter, Google,LDAP, etc.) tapestry-editablecontent, poor mansCMS, currently JPA only - tynamo-federatedaccounts-rollingtokens, remembermeauthentication based on rolling tokenstynamo.org - Apache Tapestry - Apache Shiro 5. tapestry-editablecontent tynamo.org - Apache Tapestry - Apache Shiro 6. tynamo-federatedaccounts Oauth: Facebook, Twitter, ... OpenID Not protocol specificpublic static void bind(ServiceBinder binder) {binder.bind(FederatedAccountService.class,DefaultHibernateFederatedAccountServiceImpl.class);}public static void contributeFederatedAccountService(MappedConfiguration configuration) {configuration.add("*", User.class);configuration.add("facebook.id", "facebookId");}public static void contributeApplicationDefaults(MappedConfiguration configuration) {configuration.add(FacebookRealm.FACEBOOK_CLIENTID, "");configuration.add(FacebookRealm.FACEBOOK_CLIENTSECRET, "");} tynamo.org - Apache Tapestry - Apache Shiro 7. tapestry-security started out as a thin layer replaced (Ini)ShiroFilter replaced ini configuration withTapestrys all-in-java contributions replaced shiros built-in filters withour own base classes proving ground for new stuff (e.g.logical operator first existed intapestry-security)tynamo.org - Apache Tapestry - Apache Shiro 8. Security check points secure views (url-based,annotations) secure method invocations (role-type) secure data - how? how do I declare that user can onlyedit his profile? tynamo.org - Apache Tapestry - Apache Shiro 9. Current approach..@Overrideprotected AuthorizationInfodoGetAuthorizationInfo(PrincipalCollection principals) {SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();info.addStringPermission("account:update:1");}// page template......// page class (controller)public String getEditEntityPermission() {return "account:edit:" + entityId;} tynamo.org - Apache Tapestry - Apache Shiro 10. What if you could just do..@Entity@RequiresAssociation(value = "owner", operations =Operation.UPDATE)public class Account {@OneToOneprivate User owner;}tynamo.org - Apache Tapestry - Apache Shiro 11. ERBAC Entity-Relationship Based AccessControl Initial concept 5 years ago withHibernate ! find out how the data is associatedwith the currently executing subject secure entities with annotations role-based security is easy allow limiting scope to a specificCRUD operation (CREATE, READ,UPDATE, DELETE)tynamo.org - Apache Tapestry - Apache Shiro 12. EntityManager operations SecureEntityManager usedautomatically when Subject is bound find -> READ (separate service forlists) merge (INSERT if doesnt exist) persist (update -> remove + insert) remove create*query() operations areunprotected takes care of 80% of instancesecurity needs tynamo.org - Apache Tapestry - Apache Shiro 13. What next? same model would work forHibernate, JDO.. push to Shiro? at least annotations... anything more is difficult becauseShiro is persistence agnostictynamo.org - Apache Tapestry - Apache Shiro 14. Thank you!For more information, visit :http://tynamo.org/tapestry-security-jpa+guideWhat do You think?tynamo.org - Apache Tapestry - Apache Shiro