
    Direct DMI and Declarative Security

    Is there a way to specify that a role is required for methods in an app.xml?

    #2
    I am going to assume the lack of response is a no, and that it would require feature sponsorship to have implemented.



      #3
      We're still checking on whether this makes sense to support, but it does not appear in the docs, and if we support it we'd only support it for the next version.



        #4
        All the declarative security features are pretty tied to the notion of a DSRequest, so this is not something that would be trivial to support. If you wish to use the authorization system that is built into the Servlet API, you could have your DMI method accept a parameter of type HttpServletRequest; that will cause SmartClient to pass the current servlet request into your method, and you can directly call the isUserInRole() method. Or, if there are a feasibly small enough number of such direct DMIs in your system, you could migrate them to DataSource DMI operations and get full declarative security support that way.



          #5
          Our goal was to use a custom role, and have a single override point of IDACall to add that role to appropriate users. There is no mechanism in the built-in security implementation to do such a thing. So we want the flexibility of passing arbitrary parameters to a server-side method provided by RPC DMI, along with the declarative security provided by DataSource DMI. The current implementation requires each RPC DMI discern whether the client has the appropriate role itself, which is less than ideal. It works, but I was hoping there was a way to optimize this implementation.



            #6
            Did you read the Declarative Security overview in the QuickStart - specifically the ability to provide roles explicitly in a subclass of IDACall? You can also check for whatever roles you have applied in this manner - RPCManager.getUserRoles().



              #7
              I have read it, as that is what I was hoping to accomplish using RPC DMIs. The problem is that the code ultimately being called is not our own, and so I have to provide an intermediate method that uses Isomorphic tools to intercept and pass data to external API methods that have no notion of what SmartGWT is. If the RPC DMI implementation afforded me declarative security, and a custom implementation of IDACall established those roles, then I could get rid of a lot of redundant intermediate server-side code.



                #8
                The closest to what you're looking for as a built-in feature would be DataSource DMI with operationType:"custom", as previously mentioned.

                Outside of that, we'd recommend cutting down on boilerplate by doing security checks for your RPC DMIs in an override of IDACall, which checks custom attributes in your .app.xml file that you use to specify roles. It's just an XML file, so you can parse it separately yourself and look up elements and attributes as needed.



                  #9
                  I am confused as to how I am supposed to be able to provide parameters to a function that, say, requires (int, string, double) via a DS DMI?



                    #10
                    You won't be able to directly invoke a signature like that via DataSource DMI; if that's a common pattern and you're trying to avoid a minimum of repeated code, then the RPC DMI-based approach we just recommended is probably better.

                    Comment
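
The approach recommended in #8 and #10 (one central role check for RPC DMIs, driven by custom attributes in the .app.xml) could look like the following. This is an added example, not code from the thread or from Isomorphic. The `requiresRole` attribute on `<method>`, the class name `RpcDmiRoleCheck` and the sample XML are assumptions; an IDACall override would call `isAllowed` with the roles it has established (#6 mentions `RPCManager.getUserRoles()`) before letting the DMI run.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Added example: role lookup for RPC DMI methods from a custom .app.xml attribute. */
public class RpcDmiRoleCheck {
    // "className#method" -> roles, any one of which grants access
    private final Map<String, Set<String>> required = new HashMap<>();
    private final Set<String> declared = new HashSet<>();
    public RpcDmiRoleCheck(byte[] appXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Even for a config file, parse defensively: no DTDs, no external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(appXml));
        NodeList methods = doc.getElementsByTagName("method");
        for (int i = 0; i < methods.getLength(); i++) {
            Element m = (Element) methods.item(i);
            Node n = m.getParentNode();
            while (n != null && !"ServerObject".equals(n.getNodeName())) n = n.getParentNode();
            if (n == null) continue; // <method> outside any ServerObject: ignore
            String key = ((Element) n).getAttribute("className") + "#" + m.getAttribute("name");
            declared.add(key);
            String roles = m.getAttribute("requiresRole").trim(); // hypothetical custom attribute
            if (!roles.isEmpty())
                required.put(key, new HashSet<>(Arrays.asList(roles.split("\\s*,\\s*"))));
        }
    }
    /** Fails closed: a method that is not declared in the file is denied. */
    public boolean isAllowed(String className, String method, Set<String> userRoles) {
        String key = className + "#" + method;
        if (!declared.contains(key)) return false;
        Set<String> need = required.get(key);
        return need == null || !Collections.disjoint(need, userRoles);
    }
    public static void main(String[] args) throws Exception {
        String xml = "<Application><rpcBindings>" // constructed sample, not a real app.xml
            + "<ServerObject ID=\"Billing\" className=\"com.example.Billing\"><visibleMethods>"
            + "<method name=\"refund\" requiresRole=\"manager,admin\"/><method name=\"quote\"/>"
            + "</visibleMethods></ServerObject></rpcBindings></Application>";
        RpcDmiRoleCheck c = new RpcDmiRoleCheck(xml.getBytes(StandardCharsets.UTF_8));
        System.out.println(c.isAllowed("com.example.Billing", "refund", Set.of("clerk")));
        System.out.println(c.isAllowed("com.example.Billing", "refund", Set.of("manager")));
        System.out.println(c.isAllowed("com.example.Billing", "quote", Set.of()));
        System.out.println(c.isAllowed("com.example.Billing", "purge", Set.of()));
    }
}
```

Parse the file once at startup and reuse the instance, so the check adds only a map lookup per request.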
