Blog from June, 2012

More people using tapestry-security means more improvements and feature requests. We are staying on top of them and keeping our backlog clean, with the following issues fixed in 0.4.6, the best tapestry-security release yet:


  • [TYNAMO-155] - Authorization cache is not cleared at logout


  • [TYNAMO-143] - Create a marker annotation for SecurityConfiguration
  • [TYNAMO-154] - add FirstExceptionStrategy as the default AuthenticationStrategy for projects with multiple realms
  • [TYNAMO-159] - Add a NotFoundFilter
  • [TYNAMO-160] - Handle no-context, no ending slash with the same wildcard rule
  • [TYNAMO-161] - add a PatternMatcher field to SecurityFilterChain
  • [TYNAMO-163] - Rename PageService to an internal LoginContextService

New Feature

  • [TYNAMO-150] - Implement the CasFilter (new in Shiro 1.2) as a tapestry-security filter
  • [TYNAMO-162] - provide a configuration to block access to assets (like the AssetProtectionDispatcher)

Read more in the tapestry-security guide and enjoy,

Tynamo Team


Ever wished that there was a simple way for you to declare that each user can only access his own profile, just as easily as you can declare that only users with the admin role can edit a certain type of data? Well, too bad: such a thing has never existed, so you've resorted to making programmatic checks and building the queries in your service to enforce data instance security. Until now, of course: meet ERBAC (Entity-Relationship Based Access Control), the long-lost cousin of RBAC (Role Based Access Control)!
Would it not be great if you could write something like:

And be assured that EntityManager.merge() would fail even if somebody manually replaced the entity id somewhere along the way? Wouldn't it be equally cool if you could just do EntityManager.find(Account.class, null) to fetch the right Account for the currently logged-in user? If securing data instances has been giving you gray hair and you happen to be using JPA, you should definitely check out Tynamo's latest module, tapestry-security-jpa.
On a related note, if you happen to live in the SF Bay Area, I'll be talking about ERBAC, federated accounts, tapestry-security and using Shiro in modern Java web applications at an upcoming Shiro JUG meet-up this Wednesday, graciously sponsored by Stormpath, Inc.!
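
The behaviour described above (a merge() that fails when the entity id has been swapped, and a find() with a null id that resolves to the current user's own record), as an added sketch that is not code from the original post and does not use tapestry-security-jpa's API. The `@OwnedVia` annotation, `GuardedStore` and the sample users are hypothetical names, and an in-memory map stands in for the JPA EntityManager.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.util.*;

public class ErbacSketch {
    // Hypothetical marker: names the field that relates an entity to its owning user.
    @Retention(RetentionPolicy.RUNTIME) @interface OwnedVia { String value(); }

    static class User { final long id; User(long id) { this.id = id; } }

    @OwnedVia("owner")
    static class Account {
        final long id; final User owner; String email;
        Account(long id, User owner, String email) { this.id = id; this.owner = owner; this.email = email; }
    }

    // In-memory stand-in for a persistence layer that enforces the relationship on every call.
    static class GuardedStore {
        private final Map<Long, Account> rows = new HashMap<>();
        private final User current; // the authenticated principal
        GuardedStore(User current, Account... seed) { this.current = current; for (Account a : seed) rows.put(a.id, a); }

        // A null id resolves to the entity related to the current user; any other id must also be theirs.
        Account find(Long id) {
            for (Account a : rows.values())
                if ((id == null || a.id == id) && ownerOf(a) == current.id) return a;
            return null;
        }

        // The check reads the STORED row's owner, never the owner claimed by the incoming object.
        void merge(Account incoming) {
            Account stored = rows.get(incoming.id);
            if (stored == null || ownerOf(stored) != current.id)
                throw new SecurityException("entity is not associated with the current user");
            stored.email = incoming.email;
        }

        // Follows the relationship named in the annotation instead of hard-coding the field.
        private static long ownerOf(Account a) {
            try {
                Field f = Account.class.getDeclaredField(Account.class.getAnnotation(OwnedVia.class).value());
                f.setAccessible(true);
                return ((User) f.get(a)).id;
            } catch (ReflectiveOperationException e) { throw new IllegalStateException(e); }
        }
    }

    public static void main(String[] args) {
        User alice = new User(1), bob = new User(2); // constructed sample data
        GuardedStore store = new GuardedStore(alice,
            new Account(10, alice, "alice@example.test"), new Account(20, bob, "bob@example.test"));
        System.out.println("find(null) -> " + store.find(null).email);
        try { store.merge(new Account(20, alice, "x@example.test")); } // id swapped to another user's row
        catch (SecurityException e) { System.out.println("merge rejected: " + e.getMessage()); }
    }
}
```

The rejected merge is the case the programmatic checks mentioned above tend to miss: the incoming object claims the current user as owner, so only a check against the persisted relationship catches the swapped id.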