...
So that it can stand alone without an external user repository, Roller stores user and role information in its own database tables.
```sql
create table rolleruser (
    id             varchar(48)  not null primary key,
    username       varchar(255) not null,
    passphrase     varchar(255) not null,
    screenname     varchar(255) not null,
    fullname       varchar(255) not null,
    emailaddress   varchar(255) not null,
    activationcode varchar(48),
    datecreated    timestamp    not null,
    locale         varchar(20),
    timezone       varchar(50),
    isenabled      boolean      not null
);

create table userrole (
    id       varchar(48)  not null primary key,
    rolename varchar(255) not null,
    username varchar(255) not null,
    userid   varchar(48)  not null
);
```
There are two distinct roles:
...
Reduce the User class down to just two fields, id and username. Everything else goes into a new UserProfile class. UserProfiles can be stored externally, so Roller should obtain them through a new User Repository API.
...
User Repository API, part 1/2
...
UserRepository interface methods
```java
public UserProfile getUserProfile(String userid)
public void saveUserProfile(UserProfile userProfile)
```
UserProfile bean properties
```
username
password
screenName
emailAddress
locale
timezone
biography
etc.
```
Roller authentication is managed via Acegi.
...
These rules in Acegi's configuration file (security.xml) govern the URI-based authorization used in Roller.
```
/roller-ui/login-redirect**=admin,editor
/roller-ui/profile**=admin,editor
/roller-ui/createWeblog**=admin,editor
/roller-ui/menu**=admin,editor
/roller-ui/authoring/**=admin,editor
/roller-ui/admin/**=admin
/rewrite-status*=admin
```
The Problem? There's no problem here. When operating without Acegi, Roller will have to be configured with a web.xml file that specifies those constraints.
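As an added illustration (not taken from Roller's own web.xml), here is what those Acegi rules look like as servlet container security constraints. The login page path is a placeholder, and the role names assume the container's realm maps users to the same `admin` and `editor` role names stored in the userrole table. Note the caveat in the comments: servlet url-patterns are less expressive than Acegi's Ant-style patterns, so each `name**` rule has to be split into an exact entry plus a `/*` entry, and any URI that shares the prefix without a following slash would fall outside the constraint.

```xml
<!-- Added example, not Roller's shipped web.xml. Servlet url-patterns allow only an
     exact path, a "/prefix/*" path prefix, or a "*.ext" suffix. An Ant-style rule
     such as "/roller-ui/profile**" therefore becomes an exact entry plus a "/*"
     entry; a URI like /roller-ui/profile-other would NOT be covered by either and
     must be constrained separately if it exists. The most specific pattern wins,
     not the order of the constraints. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Roller authoring UI (admin or editor)</web-resource-name>
    <url-pattern>/roller-ui/login-redirect</url-pattern>
    <url-pattern>/roller-ui/login-redirect/*</url-pattern>
    <url-pattern>/roller-ui/profile</url-pattern>
    <url-pattern>/roller-ui/profile/*</url-pattern>
    <url-pattern>/roller-ui/createWeblog</url-pattern>
    <url-pattern>/roller-ui/createWeblog/*</url-pattern>
    <url-pattern>/roller-ui/menu</url-pattern>
    <url-pattern>/roller-ui/menu/*</url-pattern>
    <url-pattern>/roller-ui/authoring/*</url-pattern>
    <!-- no <http-method> elements: the constraint applies to every HTTP method -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>editor</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Roller admin UI (admin only)</web-resource-name>
    <url-pattern>/roller-ui/admin/*</url-pattern>
    <!-- "/rewrite-status*" has no exact servlet equivalent; cover the page and
         anything below it, and add further exact entries if other names exist -->
    <url-pattern>/rewrite-status</url-pattern>
    <url-pattern>/rewrite-status/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- placeholder paths: substitute the application's real login pages -->
    <form-login-page>/PLACEHOLDER-login-page</form-login-page>
    <form-error-page>/PLACEHOLDER-login-error-page</form-error-page>
  </form-login-config>
</login-config>

<!-- every role referenced in an auth-constraint must be declared -->
<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>editor</role-name></security-role>
```

When checking such a configuration, list every URI the application serves under `/roller-ui/` and confirm each one is matched by some url-pattern; anything unmatched is open to unauthenticated requests, which is the failure mode the split patterns above are most likely to introduce.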
...
The RollerSession provides access to the session's authenticated user:
```java
public User getAuthenticatedUser()
```
The User object provides read/write access to the user's roles:
```java
public boolean hasRole(String roleName)
public void grantRole(String roleName)
public Set getRoles()
```
As of Roller 4.0, Roller calls hasRole() for one reason, to ensure that only
those with the admin role can:
...
UserManager interface methods
```java
public boolean isUserInRole(String username)
public Set<String> getUserRoles(String username)
public void revokeRole(String userid, String rolename)
public void grantRole(String userid, String rolename)
```
...
UserRepository interface methods
```java
public boolean isUserInRole(String username)
public Set<String> getUserRoles(String username)
public void revokeRole(String userid, String rolename)
public void grantRole(String userid, String rolename)
```
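The following is an added example, not Roller code, showing how the proposal fits together: a User that holds only id and username, with the profile and role methods of the UserRepository interface backed by an in-memory store so that they can be replaced by an external repository. Two assumptions go beyond the page: `isUserInRole` is given the role name as a second parameter (the listing above names the method but shows only the username argument), and the store is keyed by username throughout rather than mixing username and userid.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/* Added example, not part of Roller. Assumptions: isUserInRole takes the role name
 * as a second argument, and all lookups are keyed by username. */
public class InMemoryUserRepository {

    /** Profile bean carrying the properties the proposal lists for UserProfile. */
    public static class UserProfile {
        public final String username;
        public String screenName, emailAddress, locale, timezone, biography;
        public UserProfile(String username) { this.username = username; }
    }

    /** The slimmed-down User: only id and username; roles are resolved via the repository. */
    public static class User {
        public final String id, username;
        private final InMemoryUserRepository repo;
        public User(String id, String username, InMemoryUserRepository repo) {
            this.id = id; this.username = username; this.repo = repo;
        }
        public boolean hasRole(String roleName) { return repo.isUserInRole(username, roleName); }
        public void grantRole(String roleName) { repo.grantRole(username, roleName); }
        public Set<String> getRoles() { return repo.getUserRoles(username); }
    }

    private final Map<String, UserProfile> profiles = new HashMap<>();
    private final Map<String, Set<String>> rolesByUser = new HashMap<>();

    // UserRepository profile methods
    public UserProfile getUserProfile(String username) { return profiles.get(username); }
    public void saveUserProfile(UserProfile p) { profiles.put(p.username, p); }

    // UserRepository role methods
    public boolean isUserInRole(String username, String rolename) {
        return rolesByUser.getOrDefault(username, Collections.emptySet()).contains(rolename);
    }
    public Set<String> getUserRoles(String username) {
        // defensive copy: a caller must not be able to grant a role by mutating the returned set
        return Collections.unmodifiableSet(
                new HashSet<>(rolesByUser.getOrDefault(username, Collections.emptySet())));
    }
    public void grantRole(String username, String rolename) {
        rolesByUser.computeIfAbsent(username, k -> new HashSet<>()).add(rolename);
    }
    public void revokeRole(String username, String rolename) {
        Set<String> roles = rolesByUser.get(username);
        if (roles != null) roles.remove(rolename);
    }

    public static void main(String[] args) {
        InMemoryUserRepository repo = new InMemoryUserRepository();
        User alice = new User("u-1", "alice", repo);   // constructed sample user

        UserProfile profile = new UserProfile("alice");
        profile.emailAddress = "alice@example.com";    // constructed sample value
        repo.saveUserProfile(profile);

        alice.grantRole("editor");
        System.out.println("alice has editor: " + alice.hasRole("editor"));
        System.out.println("alice has admin:  " + alice.hasRole("admin"));

        // The one check Roller 4.0 makes: admin-only actions are gated on the admin role.
        if (!alice.hasRole("admin")) {
            System.out.println("admin-only action refused for " + alice.username);
        }

        repo.grantRole("alice", "admin");
        repo.revokeRole("alice", "editor");
        System.out.println("roles after change: " + alice.getRoles());
        System.out.println("profile email: " + repo.getUserProfile("alice").emailAddress);
    }
}
```

The unmodifiable copy returned by `getUserRoles` is the design choice worth keeping when a real external repository replaces this class: the role set is the authorization state, and handing out a live reference to it would let any caller of `getRoles()` bypass `grantRole` and `revokeRole`.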
...