1 2 Previous Next 23 Replies Latest reply on Jul 2, 2006 11:46 AM by gavin.king

    Security Framework w/Seam

    sforsyth

      I am wanting to switch from my current knowledge of Spring MVC/Hibernate 3.1/Acegi to Seam.

      The only thing stopping me from jumping right in is that I don't particularly want to write my own security framework and the Acegi framework is wonderful. Has anyone tried integrating Acegi w/Seam or is there another security framework that you'all use?


      Thanks,
      Steve

        • 1. Re: Security Framework w/Seam
          villo


          Using seam doesn't prevent you using standard j2ee security models.
          You can plug JAAS security domains trasparently for example.

          • 2. Re: Security Framework w/Seam
            gavin.king

            I guess it should be *really* easy to integrate Acegi with Seam. I had planned to look at this at some stage but it was not a priority, since most users here seem to prefer using JAAS.

            There are two ways you could do this:

            (1) Have JAAS delegate to Acegi - elegant architecturally, but perhaps you would miss some advantages of the Acegi model (not sure)

            (2) Write built-in Seam components and interceptors to integrate Acegi directly into Seam/EJB3

            I would love to recieve some contributions here, but if not, I will probably take a look at it myself (not sure when, I am in pre-JavaOne mode).

            • 3. Re: Security Framework w/Seam
              perwik

              I'm very interested in this.
              Actually what I'm interested in is the ability to have users in groups and permissions on single objects bound to those groups. I know that JAAS handles this as well as Acegi, but there doesn't seem to be an easy way as of today to do it with JAAS in JBoss. Acegi on the other hand some good examples of doing exactly this.
              What is needed now is Acegi integration with Seam and a bunch of nice annotations for our EJBs.

              • 4. Re: Security Framework w/Seam
                sforsyth

                Sorry for the ignorance but I'm a total newbie to EJBs and I'm far from being an expert in Security. So I'm not sure about what JAAS has to offer that Acegi doesn't offer.

                Reading the Acegi FAQ, "It can today authenticate via delegation to a JAAS login module. This means it offers the same level of JAAS integration as many web containers. Indeed the container adapter model supported by Acegi Security allows Acegi Security and container-managed security to happily co-exist and benefit from each other."

                So... I'm guessing that the username/password is stored in JAAS tables for authentication purposes but the ROLES management is still stored in the table that Acegi recognizes for any Acegi authorization.

                I'm thinking that it should not take much to get Acegi up and running with Seam since it makes use of IoC container which is available to the Seam application.

                I will most definately try to get this working and will post the code if someone else doesn't beat me to it. It may be a few months before I tackle this though.

                • 5. Re: Security Framework w/Seam
                  gavin.king

                   

                  Actually what I'm interested in is the ability to have users in groups and permissions on single objects bound to those groups.


                  I don't understand. How is what you are describing different to @RolesAllowed in EJB3?

                  Well, I just went and had a look at the Acegi docs. I'm going to revise down my initial guess of "very easy". I'm sure there is stuff in Acegi that can be reused, but I was a bit disappointed to see how much seems to have hard dependencies to Spring APIs.

                  Maybe I'm wrong, and its not as much as it looks like on a cursory inspection.

                  If anyone wants to do the hard work on this stuff, and get a POC up and running, that would be very much appreciated.

                  • 6. Re: Security Framework w/Seam
                    villo


                    Well, Acegi seems to have a JBoss adapter as well. Unfortunately I haven't had the time to look at it.
                    But looking at it from another point of view: what is that j2ee security is lacking that you would need Acegi for? I'm no expert of Acegi but at a first glance it seems to address the same problems of the J2EE security components...

                    • 7. Re: Security Framework w/Seam
                      perwik

                       

                      "gavin.king@jboss.com" wrote:
                      Actually what I'm interested in is the ability to have users in groups and permissions on single objects bound to those groups.


                      I don't understand. How is what you are describing different to @RolesAllowed in EJB3?


                      @RolesAllowed("ContentAdmin")
                      public void doSomething() {}
                      

                      would only let you check if the current user belongs to one of the groups (roles) that you allow to access that method (in this case ContentAdmin). This would require that you have all roles defined at compile time. I don't want that at all. I want
                      @RequiredPermission(name="ContentPermission" type="read")
                      public void doSomething() {}
                      

                      And then I'm free to create groups, put users into them and assign permissions to those groups as needed at runtime. This would allso make it possible to do something like
                      <authz:acl domainObject="${content}" hasPermission="read">
                       Only show this if the user is authorized to see it.
                      </authz:acl>
                      

                      (This was taken from the Acegi Reference Guide)
                      All of this is very possible to do with JAAS, but it looks like some things are still missing in JBoss Security.

                      I'm not saying that we should use Acegi instead of JAAS, I didn't even know Acegi existed until yesterday when I read this thread.

                      • 8. Re: Security Framework w/Seam
                        villo

                         

                        "perwik" wrote:

                        I don't understand. How is what you are describing different to @RolesAllowed in EJB3?


                        @RolesAllowed("ContentAdmin")
                        public void doSomething() {}
                        

                        would only let you check if the current user belongs to one of the groups (roles) that you allow to access that method (in this case ContentAdmin). This would require that you have all roles defined at compile time. I don't want that at all. I want
                        @RequiredPermission(name="ContentPermission" type="read")
                        public void doSomething() {}
                        

                        And then I'm free to create groups, put users into them and assign permissions to those groups as needed at runtime. This would allso make it possible to do something like
                        <authz:acl domainObject="${content}" hasPermission="read">
                         Only show this if the user is authorized to see it.
                        </authz:acl>
                        

                        (This was taken from the Acegi Reference Guide)
                        All of this is very possible to do with JAAS, but it looks like some things are still missing in JBoss Security.

                        I'm not saying that we should use Acegi instead of JAAS, I didn't even know Acegi existed until yesterday when I read this thread.


                        Well, AFAIK what you are talking about is the difference between logical and application roles.
                        "ContentAdmin" is a role known to the application, configured with

                        <security-role>
                         <description>content admin</description>
                         <role-name>ContentAdmin</role-name>
                        </security-role>
                        


                        and used like

                        <method-permission>
                         <role-name>ContentAdmin</role-name>
                         <method>
                        ...
                         </method>
                        </method-permission>
                        
                        


                        • 9. Re: Security Framework w/Seam
                          villo

                          Sorry for the bad formatting:S

                          I was adding that if using JAAS, your LoginModule is responsible of mapping principals coming from your identity manager to the application roles.

                          Cheers
                          Francesco

                          • 10. Re: Security Framework w/Seam
                            perwik

                            I don't really understand if that was a comment to what I wrote or something else, but to clarify: I wouldn't ever want to have anything to do with the names of roles anywhere in my code or xml-files since those names are not known before an admin creates them through the application. The only thing I want to define is Permissions. A permission can have a name, like ContentPermission, and actions, like "read, write, delete, create". The only thing I want to specify in the code is what Permission is required. How that Permission then is mapped to a User (through a Role or directly) is entirely up to the security system, I dont want to have to care about that then.

                            • 11. Re: Security Framework w/Seam
                              gavin.king

                              I might be being dense, but I still don't understand how ("ContentPermission", "read") is any different to having the role "ReadContent".

                              My somewhat hazy understanding of this stuff is that a "role" is not meant only for modelling user groups but also for modelling permissions. ie. you can assign roles to roles, etc.

                              But now I am speaking about stuff I don't really understand properly, and I should really point Scott over here...

                              • 12. Re: Security Framework w/Seam
                                sforsyth

                                I would like to clarify what exactly I'm looking for that Acegi offers that I do not believe Seam or any extension has integrated into the JSF view tier. But feel free to correct me if I have overlooked something.

                                Acegi offers out of the box Servlet Filters for login authentication with suggested table structures that are very simple. The filter will also take care of "storing" the Principal where the application has access to it such as the Session. However, you don't really have to worry about where it is because you just use Acegis helper classes to pull it if required. Acegi also has some other filters for things such as forcing https.

                                So... while Seam does have JAAS capabilities... I don't believe that it has an easy to use Servlet Filter for the frontend to use for web site authentication.

                                There is also a basic Tag library for View display such as:

                                <authz:authorize ifAnyGranted="ADMIN_ROLE, USER_ROLE">
                                Do something here
                                </authz:authorize>


                                It is also very easy to create custom code that uses interceptors to kick off After Method Invocation security... so you can can create custom code that makes security checks on anything brought back from a getter. This is very simple too.

                                All of my security settings are in a fairly clean XML doc and I don't have any "security" code inside my application except for the Tags in the views.

                                From what little I've read... it seems that Seam could easily accomodate everything that Acegi does because it is all based on Servlet Filters and IoC.

                                I'm not familiar with the JAAS capabilities within JBoss... does anyone have a good link on reading material with regards to what all it can/cannot do? and how to use it? I tried Sun first but it is spec and not what is implemented by the JBoss container.



                                • 13. Re: Security Framework w/Seam
                                  gavin.king

                                  In terms of authentication, we agree that what the servlet spec offers is total nonsense, and we are looking into implementing something nonbroken using Tomcat realms.

                                  For authorization, the combination of EJB3 method-level security with the isUserInRole component, ie. rendered="#{isUserInRole('admin')}" seems to me to do the trick in terms of all the requirements I've seen so far, but I would not be at all surprised if I'm missing something.

                                  I'm really interested to hear more about what people think Acegi offers in terms of authorization that can't be handled using EJB3 security.

                                  • 14. Re: Security Framework w/Seam
                                    maxandersen

                                    How would you do dynamical contextual security or ACL checks ?
                                    (or maybe that is considered business logic instead of security ;)

                                    e.g. how would I ask: hasPermissionTo('drug',$patient.ssn, $department)

                                    this is a variation of ACL security http://acegisecurity.org/docbook/acegi.html#acls

                                    The trick here is that there is not a constant range of values for the patient and department since they are driven by the business.

                                    I never found a good way of doing that with ejb security; so if that is possible in ejb3 now then I would like to hear about it.

                                    1 2 Previous Next