KenyaUI App-based Security

KenyaUI provides a simple security model which is based around App Framework apps. All accessible URLs are associated with apps. Access to that URL is then determined by access to the associated app(s).

A set of annotations are provided which can be applied to UI Framework page controllers to make the different types of associations between apps and pages:

Annotation

Description

Examples

Annotation

Description

Examples

none

Page has no associated app but cannot be accessed by unauthenticated users

public class ProfilePageController {...}

@PublicPage

Page has no associated app and can be accessed by unauthenticated users

@PublicPage
public class LoginPageController {...} 

@AppPage

Page has a single associated app specified by the annotation and can be accessed by users who have access to that app

@AppPage("kenyaemr.registration")
public class RegistrationHomePageController {...} 

@SharedPage

Page is shared by multiple apps and the appId request parameter specifies the current app. Page can be accessed by users who have access to the current app. Annotation can optionally specify a list of allowed apps.

@SharedPage
public class EnterFormPageController {...}

@SharedPage({"kenyaemr.clinician","kenyaemr.chart"})
public class RegimenEditorPageController {...}

Another set of annotations can be applied to fragment actions to associate them with apps:

Annotation

Description

Examples

Annotation

Description

Examples

none

Action has no associated app but cannot be accessed by unauthenticated users

public class ProfileFragmentController {
public Object getStatus() {...}
}

@PublicAction

Action has no associated app and can be accessed by unauthenticated users

public class LoginFragmentController {
@PublicAction
public Object authenticate() {...}

@AppAction

Action has a single associated app specified by the annotation and can be accessed by users who have access to that app

public class RegistrationFragmentController {
@AppAction("kenyaemr.registration")
public Object register() {...}
}

@SharedAction

Action is shared by multiple apps and the appId request parameter specifies the current app. Action can be accessed by users who have access to the current app. Annotation can optionally specify a list of allowed apps.

public class FormFragmentController {
@SharedAction
public Object getFormHtml() {...}
}

The following rules apply when processing the annotations:

  • A page controller class or fragment action method can only have one of the above annotations.

  • If an request doesn't have the required privileges, an APIAuthenticationException will be thrown.

Once it has been determined which app is current for the request, the app's id is stored as both a request attribute and a page model attribute called "currentApp". For convenience, this can be fetched using KenyaUiUtils.getCurrentApp(...).