KenyaUI App-based Security
KenyaUI provides a simple security model which is based around App Framework apps. All accessible URLs are associated with apps. Access to that URL is then determined by access to the associated app(s).
A set of annotations is provided which can be applied to UI Framework page controllers to make the different types of associations between apps and pages:
Annotation | Description | Examples |
---|---|---|
none | Page has no associated app but cannot be accessed by unauthenticated users | public class ProfilePageController {...} |
@PublicPage | Page has no associated app and can be accessed by unauthenticated users | @PublicPage |
@AppPage | Page has a single associated app specified by the annotation and can be accessed by users who have access to that app | @AppPage("kenyaemr.registration") |
@SharedPage | Page is shared by multiple apps and the appId request parameter specifies the current app. Page can be accessed by users who have access to the current app. Annotation can optionally specify a list of allowed apps. | @SharedPage or @SharedPage({"kenyaemr.clinician","kenyaemr.chart"}) |
Another set of annotations can be applied to fragment actions to associate them with apps:
Annotation | Description | Examples |
---|---|---|
none | Action has no associated app but cannot be accessed by unauthenticated users | public class ProfileFragmentController { |
@PublicAction | Action has no associated app and can be accessed by unauthenticated users | public class LoginFragmentController { |
@AppAction | Action has a single associated app specified by the annotation and can be accessed by users who have access to that app | public class RegistrationFragmentController { |
@SharedAction | Action is shared by multiple apps and the appId request parameter specifies the current app. Action can be accessed by users who have access to the current app. Annotation can optionally specify a list of allowed apps. | public class FormFragmentController { |
The following rules apply when processing the annotations:
A page controller class or fragment action method can only have one of the above annotations.
If a request doesn't have the required privileges, an APIAuthenticationException will be thrown.
Once it has been determined which app is current for the request, the app's id is stored as both a request attribute and a page model attribute called "currentApp". For convenience, this can be fetched using KenyaUiUtils.getCurrentApp(...).
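As an added example (not code from the KenyaUI project), one page controller per page annotation and one fragment controller carrying each action annotation, showing where the annotations sit and how a shared page reads the current app from the "currentApp" request attribute. The annotation package names, the PageRequest.getRequest() accessor, the use of Spring's @RequestParam and all class names are assumptions; in a real module each controller lives in its own file.

```java
package org.example.kenyaemr.controller; // hypothetical package; in practice one controller per file

import org.openmrs.module.kenyaui.annotation.AppAction;
import org.openmrs.module.kenyaui.annotation.AppPage;
import org.openmrs.module.kenyaui.annotation.PublicAction;
import org.openmrs.module.kenyaui.annotation.SharedAction;
import org.openmrs.module.kenyaui.annotation.SharedPage;
import org.openmrs.ui.framework.SimpleObject;
import org.openmrs.ui.framework.page.PageModel;
import org.openmrs.ui.framework.page.PageRequest;
import org.springframework.web.bind.annotation.RequestParam;

// Bound to one app: a user without access to kenyaemr.registration gets an
// APIAuthenticationException from KenyaUI before controller() runs.
@AppPage("kenyaemr.registration")
class RegistrationHomePageController {
    public void controller(PageModel model) {
        model.addAttribute("title", "Registration");
    }
}

// Shared between two apps. The appId request parameter picks the current app;
// an appId outside the list, or one the user cannot access, is rejected.
@SharedPage({"kenyaemr.clinician", "kenyaemr.chart"})
class PatientSummaryPageController {
    public void controller(PageModel model, PageRequest pageRequest) {
        // KenyaUI stores the resolved app id as the "currentApp" request attribute
        // (KenyaUiUtils.getCurrentApp(...) is the documented shortcut for the same value).
        String currentAppId = (String) pageRequest.getRequest().getAttribute("currentApp");
        model.addAttribute("canEdit", "kenyaemr.clinician".equals(currentAppId));
    }
}

// Fragment controller: each action method carries its own annotation.
class PatientSearchFragmentController {
    @PublicAction // no app, no login required
    public SimpleObject ping() {
        return SimpleObject.create("ok", true);
    }

    @AppAction("kenyaemr.registration") // same check as @AppPage, per action
    public SimpleObject findByName(@RequestParam("q") String query) {
        return SimpleObject.create("query", query, "results", 0); // constructed placeholder result
    }

    // Caller must send appId=kenyaemr.clinician or appId=kenyaemr.chart.
    @SharedAction({"kenyaemr.clinician", "kenyaemr.chart"})
    public SimpleObject recentVisits(@RequestParam("patientId") Integer patientId) {
        return SimpleObject.create("patientId", patientId, "visits", 0); // constructed placeholder
    }
}
```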