KenyaUI App-based Security

Owned by Rowan Seymour
Last updated: Dec 11, 2013
2 min read

KenyaUI provides a simple security model which is based around App Framework apps. All accessible URLs are associated with apps. Access to that URL is then determined by access to the associated app(s).

A set of annotations are provided which can be applied to UI Framework page controllers to make the different types of associations between apps and pages:

AnnotationDescriptionExamples
nonePage has no associated app but cannot be accessed by unauthenticated users
public class ProfilePageController {...}
@PublicPage
Page has no associated app and can be accessed by unauthenticated users
@PublicPage
public class LoginPageController {...} 
@AppPage
Page has a single associated app specified by the annotation and can be accessed by users who have access to that app
@AppPage("kenyaemr.registration")
public class RegistrationHomePageController {...} 
@SharedPage

Page is shared by multiple apps and the appId request parameter specifies the current app. Page can be accessed by users who have access to the current app. Annotation can optionally specify a list of allowed apps.

@SharedPage
public class EnterFormPageController {...}
@SharedPage({"kenyaemr.clinician","kenyaemr.chart"})
public class RegimenEditorPageController {...}

Another set of annotations can be applied to fragment actions to associate them with apps:

AnnotationDescriptionExamples
noneAction has no associated app but cannot be accessed by unauthenticated users
public class ProfileFragmentController {
  public Object getStatus() {...}
}
@PublicAction
Action has no associated app and can be accessed by unauthenticated users
public class LoginFragmentController {
  @PublicAction
  public Object authenticate() {...}
} 
@AppAction
Action has a single associated app specified by the annotation and can be accessed by users who have access to that app
public class RegistrationFragmentController {
  @AppAction("kenyaemr.registration")
  public Object register() {...}
}
@SharedAction

Action is shared by multiple apps and the appId request parameter specifies the current app. Action can be accessed by users who have access to the current app. Annotation can optionally specify a list of allowed apps.

public class FormFragmentController {
  @SharedAction
  public Object getFormHtml() {...}
}

The following rules apply when processing the annotations:

  • A page controller class or fragment action method can only have one of the above annotations.
  • If an request doesn't have the required privileges, an APIAuthenticationException will be thrown.

Once it has been determined which app is current for the request, the app's id is stored as both a request attribute and a page model attribute called "currentApp". For convenience, this can be fetched using KenyaUiUtils.getCurrentApp(...).