This Apache Isis application demonstrates how to use the ApplicationTenancyEvaluator SPI service from the (non-ASF) Isis addons' security module, allowing a given user to have access to multiple disjoint sets of objects.

Domain model

The domain model is one of Concert objects, where each such concert has a corresponding committee to organize said concert. The members of the committee can be added and removed at runtime or defined when creating a new Concert object.

A user can be a member of multiple committees, and only the members of a concert’s organizing committee should be able to view/modify the Concert.


This example was motivated by this question on the Apache Isis mailing list.

This demo app models the committee of a Concert as a security role; the security role and the Concert are linked simply by name. Thus, having the "easter2017" security role granted means that the user can view/edit the corresponding Concert object named "easter2017".


Logged in as bill:


Logged in as joe:



The app relies on this implementation of ApplicationTenancyEvaluator:

import java.util.Objects;
import java.util.Optional;

@DomainService(nature = NatureOfService.DOMAIN)
public class ApplicationTenancyEvaluatorForConcerts implements ApplicationTenancyEvaluator {
    // Only Concert objects (and subclasses) are evaluated by this service.
    public boolean handles(Class<?> cls) {
        return Concert.class.isAssignableFrom(cls);
    }
    // Returns null if the object is visible, otherwise the reason it is hidden.
    public String hides(Object domainObject, ApplicationUser applicationUser) {
        if (!(domainObject instanceof Concert)) {
            return null;
        }
        final Concert concert = (Concert) domainObject;

        final Optional<ApplicationRole> roleIfAny =
                applicationUser.getRoles()
                        .stream()
                        .filter(role -> Objects.equals(role.getName(), concert.getName()))  // (1)
                        .findAny();

        return roleIfAny.isPresent()? null: "Requires role " + concert.getName();
    }
    // A Concert that is visible is never disabled by this evaluator.
    public String disables(Object domainObject, ApplicationUser applicationUser) {
        return null;
    }
}

  1. this is the important line, correlating the name of the ApplicationRole with the name of the Concert

How to run the Demo App

The prerequisite software is:

  • Java JDK 8 (>= 1.9.0) or Java JDK 7 (<= 1.8.0)

    • note that the compile source and target remains at JDK 7

  • Maven 3 (3.2.x is recommended).

To build the demo app:

git clone .
mvn clean install

To run the demo app:

cd webapp
mvn jetty:run

You can log in with:

  • bill / pass - has access to the "easter2017" and "christmas2017" Concerts

  • joe / pass - has access to the "easter2017" and "summer2017" Concerts

  • isis-module-security-admin / pass - security administrator, can be used to grant/revoke roles
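
The access matrix these logins imply, as an added example that is not part of the demo app: a plain-Java model of the name-matching rule in hides(), with no Isis classes involved. The class name `ConcertVisibilityDemo`, the helper `visibleTo` and the renamed concert are assumptions made for illustration; the second pass shows what name-based linking does when a Concert is renamed but its role is not.

```java
import java.util.*;
import java.util.stream.Collectors;

// Added illustration: models the role-name == concert-name rule with plain strings.
public class ConcertVisibilityDemo {

    // Same contract as hides(): null means visible, otherwise the reason for hiding.
    static String hides(String concertName, Set<String> roleNames) {
        boolean member = roleNames.stream()
                .anyMatch(role -> Objects.equals(role, concertName));
        return member ? null : "Requires role " + concertName;
    }

    // The concerts a user holding the given roles would be able to see.
    static List<String> visibleTo(Set<String> roleNames, List<String> concertNames) {
        return concertNames.stream()
                .filter(name -> hides(name, roleNames) == null)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data mirroring the demo logins listed above.
        Map<String, Set<String>> rolesByUser = new LinkedHashMap<>();
        rolesByUser.put("bill", new HashSet<>(Arrays.asList("easter2017", "christmas2017")));
        rolesByUser.put("joe", new HashSet<>(Arrays.asList("easter2017", "summer2017")));
        List<String> concerts = Arrays.asList("christmas2017", "easter2017", "summer2017");

        rolesByUser.forEach((user, roles) ->
                System.out.println(user + " sees " + visibleTo(roles, concerts)));

        // Failure mode of linking by name: renaming a Concert without renaming the
        // role detaches it from its committee, so no user in this model can see it.
        List<String> renamed =
                Arrays.asList("christmas2017", "easter2017-rescheduled", "summer2017");
        rolesByUser.forEach((user, roles) ->
                System.out.println(user + " sees " + visibleTo(roles, renamed) + " after rename"));

        // The hide reason a non-member would get for a concert outside their roles.
        System.out.println("joe / christmas2017: "
                + hides("christmas2017", rolesByUser.get("joe")));
    }
}
```

Because the link is a string comparison, the Concert name acts as an authorization key: a rename or a typo in either the role or the Concert changes who has access without any explicit grant or revoke.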