{
  "security": {
    "createUsers": ["sebi", "abstractj"],                        //1
    "createRole": ["simple", "admin"],                           //2
    "roleMap": { "simple": ["abstractj", "sebi"], "admin": ["sebi"] }, //3
    "generateLoginForm": true,                                   //4
    "generateOTPPage": true,                                     //5
    "entities": {                                                //6
      "org.sebi.Task": {
        "GET": {
          "authentification": false
        },
        "POST": {
          "authentification": true,
          "authorization": "simple"
        },
        "PUT": {
          "authentification": true,
          "authorization": "admin"
        },
        "DELETE": {
          "authentification": true,
          "authorization": "admin"
        }
      }
    }
  }
}
Let me detail each of these points to make the discussion easier:
- createUsers: we pass a list of users that will be inserted into the db. This will generate either a SQL script or a class creating the users, like in https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java
- createRole: we pass a list of roles that will be inserted into the db. This will generate either a SQL script or a class creating the roles, like in https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java
- roleMap: here we create an association map between users and roles. This will generate either a SQL script or a class creating the associations, like in https://github.com/aerogear/aerogear-controller-demo/blob/master/src/main/java/org/jboss/aerogear/controller/demo/config/PicketLinkDefaultUsers.java
- generateLoginForm: if true, the UI scaffolding will also generate a login form (location and layout depend on the scaffolding provider, AngularJS+Bootstrap or AngularJS+JQM, or on a custom template fragment if one is provided).
- generateOTPPage: if true, the UI scaffolding will also generate an OTP page (location and layout follow the same rule as the login form).
- entities: here we configure the security flow for each entity per HTTP method. Concretely, this means:
  - on the backend, generating the right route, i.e.:
    route().from("/task").roles("admin").on(RequestMethod.DELETE).to(Task.class).delete();
  - on the frontend, setting the flag or not on a pipe to enable auth. Other options are possible, like hiding links or disabling buttons depending on authorization/authentication. We should discuss these options.
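As an added example, not part of this proposal or of the AeroGear code base, the following Python sketch shows what a generator consuming the security block above could do: validate it first (every role named in roleMap or in an entity's authorization must be declared in createRole, every user in roleMap must be declared in createUsers, names must be safe to splice into generated SQL and Java, and a method that names a role must also require authentication), then emit the controller route lines in the form quoted above and a SQL seed script for users, roles and the role map. The path derivation (/task from org.sebi.Task), the handler-method naming and the table names are assumptions. The generator fails closed: a rule it cannot express as a route is reported rather than silently emitted as an open route, which matters because the frontend pipe flag only shapes the UI; the backend route is what actually enforces access.

```python
"""Added example: validate the proposed ``security`` block and generate the
backend routes plus a SQL seed script from it. Not AeroGear project code;
path derivation, handler names and table names are assumptions."""
import re

# Constructed sample, same shape as the security block in the proposal.
SECURITY_CONFIG = {
    "createUsers": ["sebi", "abstractj"],
    "createRole": ["simple", "admin"],
    "roleMap": {"simple": ["abstractj", "sebi"], "admin": ["sebi"]},
    "generateLoginForm": True,
    "generateOTPPage": True,
    "entities": {
        "org.sebi.Task": {
            "GET": {"authentification": False},
            "POST": {"authentification": True, "authorization": "simple"},
            "PUT": {"authentification": True, "authorization": "admin"},
            "DELETE": {"authentification": True, "authorization": "admin"},
        }
    },
}

# Names end up inside generated SQL and Java source, so restrict them to a
# safe alphabet instead of trusting the config file.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def validate(cfg):
    """Return a list of problems; an empty list means the block is consistent."""
    problems = []
    users = set(cfg.get("createUsers", []))
    roles = set(cfg.get("createRole", []))
    for name in users | roles:
        if not SAFE_NAME.match(name):
            problems.append(f"unsafe name {name!r}")
    for role, members in cfg.get("roleMap", {}).items():
        if role not in roles:
            problems.append(f"roleMap: role '{role}' not declared in createRole")
        for user in members:
            if user not in users:
                problems.append(f"roleMap: user '{user}' not declared in createUsers")
    for entity, methods in cfg.get("entities", {}).items():
        for method, rule in methods.items():
            role = rule.get("authorization")
            authn = rule.get("authentification", False)
            if role is not None and role not in roles:
                problems.append(f"{entity} {method}: unknown role '{role}'")
            if role is not None and not authn:
                problems.append(f"{entity} {method}: authorization without authentification")
            if role is None and authn:
                # The route DSL quoted in the proposal only expresses a
                # restriction through roles(); refuse rather than emit an open route.
                problems.append(f"{entity} {method}: authenticated-only rule has no route form")
    return problems


def entity_path(entity):
    """'org.sebi.Task' -> '/task' (assumed convention: last segment, lower-cased)."""
    return "/" + entity.rsplit(".", 1)[-1].lower()


def generate_routes(cfg):
    """Emit one controller route per entity/method, in the DSL form quoted above."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    for entity, methods in cfg["entities"].items():
        cls = entity.rsplit(".", 1)[-1]
        for method, rule in methods.items():
            chain = f'route().from("{entity_path(entity)}")'
            if rule.get("authorization"):
                chain += f'.roles("{rule["authorization"]}")'
            # Handler method name derived from the HTTP method (assumption).
            chain += f".on(RequestMethod.{method}).to({cls}.class).{method.lower()}();"
            lines.append(chain)
    return lines


def generate_sql(cfg):
    """Seed users, roles and the role map (table and column names are hypothetical)."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    sql = [f"INSERT INTO app_user (login) VALUES ('{u}');" for u in cfg["createUsers"]]
    sql += [f"INSERT INTO app_role (name) VALUES ('{r}');" for r in cfg["createRole"]]
    for role, members in cfg["roleMap"].items():
        sql += [f"INSERT INTO user_role (login, role) VALUES ('{u}', '{role}');" for u in members]
    return sql


if __name__ == "__main__":
    print("\n".join(generate_routes(SECURITY_CONFIG)))
    print("\n".join(generate_sql(SECURITY_CONFIG)))
```

Running the module prints four route lines for org.sebi.Task (the DELETE one is byte-for-byte the route quoted in the proposal) followed by seven INSERT statements; feeding it a block with an undeclared user or a role on an unauthenticated method raises instead of producing output.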