KenyaUI App-based Security

KenyaUI provides a simple security model which is based around App Framework apps. All accessible URLs are associated with apps. Access to that URL is then determined by access to the associated app(s).

A set of annotations are provided which can be applied to UI Framework page controllers to make the different types of associations between apps and pages:

Annotation	Description	Examples

Annotation	Description	Examples
none	Page has no associated app but cannot be accessed by unauthenticated users	^{public class ProfilePageController {...}}
^@PublicPage	Page has no associated app and can be accessed by unauthenticated users	^@PublicPage ^{public class LoginPageController {...}}
^@AppPage	Page has a single associated app specified by the annotation and can be accessed by users who have access to that app	^{@AppPage("kenyaemr.registration")} ^{public class RegistrationHomePageController {...}}
^@SharedPage	Page is shared by multiple apps and the appId request parameter specifies the current app. Page can be accessed by users who have access to the current app. Annotation can optionally specify a list of allowed apps.	^@SharedPage ^{public class EnterFormPageController {...}} ^{@SharedPage({"kenyaemr.clinician","kenyaemr.chart"})} ^{public class RegimenEditorPageController {...}}

Another set of annotations can be applied to fragment actions to associate them with apps:

Annotation	Description	Examples

Annotation	Description	Examples
none	Action has no associated app but cannot be accessed by unauthenticated users	^{public class ProfileFragmentController {} ^{public Object getStatus() {...}} ^}
^{@PublicAction}	Action has no associated app and can be accessed by unauthenticated users	^{public class LoginFragmentController {} ^{@PublicAction} ^{public Object authenticate() {...}} ^}
^@AppAction	Action has a single associated app specified by the annotation and can be accessed by users who have access to that app	^{public class RegistrationFragmentController {} ^{@AppAction("kenyaemr.registration")} ^{public Object register() {...}} ^}
^{@SharedAction}	Action is shared by multiple apps and the appId request parameter specifies the current app. Action can be accessed by users who have access to the current app. Annotation can optionally specify a list of allowed apps.	^{public class FormFragmentController {} ^{@SharedAction} ^{public Object getFormHtml() {...}} ^}

The following rules apply when processing the annotations:

A page controller class or fragment action method can only have one of the above annotations.
If an request doesn't have the required privileges, an APIAuthenticationException will be thrown.

Once it has been determined which app is current for the request, the app's id is stored as both a request attribute and a page model attribute called "currentApp". For convenience, this can be fetched using KenyaUiUtils.getCurrentApp(...).