How do I use Tapestry-Security?

Question

I discovered Tapestry 5, quite recently, its clear separation between view and controller, the use of name standardization instead of XML made me go for it straight. Quite frankly I don't plan on changing but the documentation is just not enough for me.

The project I'm working on must be able to support several types of roles. I must allow users authentifications, the use of certains services according to their roles ans the access of url by their roles as well.

After some research I came across Tapestry-Security which is part of the Tynamo project.

I want my Service layer to be totaly independant from my web application because I will then use it to implement web services and some others stuff. I do not feel like doing another identification system when the time comes.

My problem is that I do not see how use Tapestry-Security without using Tapestry.The example they show on Tapestry-Security guide is just not enough for me. I have a pretty rough idea, how it works. However I do not know how I could use it outside the Tapestry 5.

How can I use Tapestry-Security without Tapestry 5 ?

I also do not understand the filter systems used in the AppModule class in Tapestry project. Is there a document which explain the way AppModule works with the filter system ?

Is there someone which can explain me those things or point me in the right direction ?

Thanks.

Answer 1

Tapestry-Security is just a thin layer on top of the Apache Shiro project. It only provides:

• a way to configure Shiro via your Tapestry application module
• a set of Tapestry filters to do the actual security checks for Tapestry pages and actions
• annotations should you like to declare your security declaratively
• components to support conditional rendering in your .tml files

Underneath that layer, there is an ordinary instance of Shiro doing all the work, so you can access security (for example via the SecurityUtils class) like you normally would if Tapestry wasn't involved at all.

Edit based on comment: So while you can use Shiro in any web application you use, Tapestry-Security is really just a wrapper for use with Tapestry. If you, however, have an app that includes Tapestry along with other servlets (such as a web service), you should be able to let Tapestry-Security do the initialization work.

Concerning Tapestry filters: I'm afraid this isn't documented very well. Tapestry filters work very much like Servlet Filters, but as Tapestry is implemented as a Servlet Filter itself, it has its own filter chain. Filters for Tapestry implement the RequestFilter interface.

public class MyFilter implements RequestFilter {

    @Override
    public boolean service(final Request request, final Response response,
            final RequestHandler handler) throws IOException {
        ... //your code
        try {
            return handler.service(request, response);
        } finally {
            ... //your code
        }

    }
}

You can add them to the filter chain by contributing them in your application module:

public void contributeRequestHandler(
            final OrderedConfiguration<RequestFilter> configurations) {
    configuration.add("MyFilter", new MyFilter());
}