5 Replies Latest reply on Nov 2, 2006 12:32 PM by dietice

    Security Solution for Seam

      I haven't seen any hint of a security concept in the Seam documentation, except for the mention of the usual Servlet or EJB concepts.

      But what I'm looking for is more like a 'full, ready-to-use' solution like Acegi Security, because it's simple to secure the web part _and_ the backend.

      So my questions are:

      • Is it possible to use Acegi Security with Seam?
      • If it is possible, what are your experiences with it (e.g. common pitfalls, ...)?
      • Are there any plans to develop something like Acegi specifically for Seam, if it's necessary?

        On a slightly OT note: can someone point me to the docs for Seam 1.1? I'm only able to find the 1.0 & 1.0.1 ones. Further, what's the ETA for 1.1, or where can I find a roadmap (don't get me wrong: take all the time you need to make it as good as you can / want :))?


        • 1. Re: Security Solution for Seam
          gavin.king

          Shane has been developing a security layer for Seam, but it is not ready for use just yet. When it is, we will write up the docs, etc.

          • 2. Re: Security Solution for Seam
            texan

            To see the existing docs for Seam 1.1, you need to download that version. There's a doc directory in the download.

            • 3. Re: Security Solution for Seam

              Thank you for your answers!

              Am I right in assuming that you mean org.jboss.seam.security & subpackages and the security example?


              Further, I have a feature request: I would like to have 'dynamic roles' (roles depending on the calling principal).

              I.e. let's say we have a User entity and an 'updateUserData(User user)' business method in some bean.
              Access to this method should be allowed to all administrators, regardless of the user whose data is to be modified, and a user should be allowed to modify only his own user data.

              This could be done by separating all roles into static (traditional) and dynamic roles. For every introduced dynamic role one has to implement an interface which is called every time a dynamic role is evaluated (something like 'boolean isInRole(Principal principal, Object[] methodArgs)', where methodArgs is an array containing the parameters of the secured method).

              I.e. the updateUserData method would be annotated with @RolesAllowed({"administrator","owner"}). If this method is called by someone who is in the 'administrator' role there's no need to evaluate the 'owner' role. On the other hand, if this method is called by someone who is not in the 'administrator' role, the security layer would call the method of the interface registered with the owner role to see if the current principal is allowed to access this method.

              IMHO this would be pretty useful, e.g. to ensure users can edit only their own data, ... What do you think about it?


              Further, I noticed the improved logging implementation in the org.jboss.seam.log package. While I fully agree that this makes our lives easier, I was wondering if you have noticed SLF4J (http://www.slf4j.org) and LogBack (http://logback.qos.ch).

              Both are from the guys who invented log4j, and while SLF4J is meant as a replacement for commons-logging (a simple facade for various logging APIs), LogBack is meant as an improvement on log4j.
              Both address the shortcomings you addressed in your implementation, and some more; please see their sites for more details.

              The reason I mention them is that switching to SLF4J (which integrates perfectly with log4j, commons-logging, LogBack, ...) might spare you the reinvention of the wheel ;) and make for less coupling of the user's code with Seam, while providing a convenient & consistent way of logging in user code & Seam & ...
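The static/dynamic role split proposed above, worked through as a self-contained Java example. This is added illustration code, not Seam's security API and not code from the original post: the `DynamicRole` interface, the `Authorizer` registry, the `User` entity, the `UserService` bean and the sample principals are all assumed for the demonstration, and the `@RolesAllowed({"administrator","owner"})` annotation is stood in for by an explicit check at the top of the method (in a container it would live in an interceptor).

```java
import java.security.Principal;
import java.util.*;

/** Hypothetical dynamic-role callback: membership depends on the caller and the secured method's arguments. */
interface DynamicRole {
    boolean isInRole(Principal principal, Object[] methodArgs);
}

/** Constructed sample entity (not Seam's); username identifies the owner of the record. */
final class User {
    final String username;
    String email;
    User(String username, String email) { this.username = username; this.email = email; }
}

/** Minimal Principal so the example runs without a container. */
final class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

/** Toy authorization layer: static roles per principal, dynamic roles via registered callbacks. */
final class Authorizer {
    private final Map<String, Set<String>> staticRoles = new HashMap<>();
    private final Map<String, DynamicRole> dynamicRoles = new HashMap<>();

    void grant(String principalName, String role) {
        staticRoles.computeIfAbsent(principalName, k -> new HashSet<>()).add(role);
    }

    void registerDynamicRole(String role, DynamicRole check) { dynamicRoles.put(role, check); }

    /**
     * True if the caller satisfies any role in rolesAllowed. Static roles are checked first, so a
     * dynamic callback only runs when no static role matched (as the post suggests). A role that is
     * neither granted statically nor registered dynamically denies: the check fails closed.
     */
    boolean isAllowed(Principal caller, String[] rolesAllowed, Object[] methodArgs) {
        Set<String> held = staticRoles.getOrDefault(caller.getName(), Collections.emptySet());
        for (String role : rolesAllowed) {
            if (held.contains(role)) return true;
        }
        for (String role : rolesAllowed) {
            DynamicRole check = dynamicRoles.get(role);
            if (check != null && check.isInRole(caller, methodArgs)) return true;
        }
        return false;
    }
}

/** Stands in for a bean whose updateUserData is annotated @RolesAllowed({"administrator","owner"}). */
final class UserService {
    private static final String[] UPDATE_ROLES = {"administrator", "owner"};
    private final Authorizer auth;
    UserService(Authorizer auth) { this.auth = auth; }

    void updateUserData(Principal caller, User user, String newEmail) {
        // The interceptor would pass the real method arguments; here we build the array by hand.
        if (!auth.isAllowed(caller, UPDATE_ROLES, new Object[]{user, newEmail})) {
            throw new SecurityException(caller.getName() + " may not update " + user.username);
        }
        user.email = newEmail;
    }
}

public class DynamicRoleDemo {
    public static void main(String[] args) {
        Authorizer auth = new Authorizer();
        auth.grant("alice", "administrator");
        // "owner" is dynamic: the caller is the owner iff the first argument is the caller's own User.
        auth.registerDynamicRole("owner", (p, margs) ->
            margs.length > 0 && margs[0] instanceof User
                && ((User) margs[0]).username.equals(p.getName()));

        UserService svc = new UserService(auth);
        User bob = new User("bob", "bob@example.org");      // constructed sample data
        User carol = new User("carol", "carol@example.org");

        svc.updateUserData(new SimplePrincipal("alice"), bob, "bob2@example.org"); // administrator: allowed
        svc.updateUserData(new SimplePrincipal("bob"), bob, "bob3@example.org");   // owner: allowed
        try {
            svc.updateUserData(new SimplePrincipal("bob"), carol, "x@example.org"); // neither: denied
        } catch (SecurityException e) {
            System.out.println("denied as expected: " + e.getMessage());
        }
        System.out.println(bob.email);
    }
}
```

One caveat a real implementation needs: the owner callback must compare the caller against the persisted record's owner (load the entity by id inside the check), not against an object the caller supplied, otherwise a client that controls the `User` argument can simply pass one whose username matches its own principal.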

              • 4. Re: Security Solution for Seam
                shane.bryzak


                "dietice" wrote:

                Further i have a feature request: I would like to have 'dynamic roles' (roles depending on the calling principal).


                This type of authorization is supported by the security API, via "dynamic" permissions. In fact the security example as it exists in CVS already demonstrates this feature.

                • 5. Re: Security Solution for Seam

                  Shame on me, I completely overlooked that!

                  Although I was only able to have a look at the source and not to see it in action, because it threw an exception, it looks very promising and I'm looking forward to playing around with it.

                  Thanks for pointing me in the right direction and for all the work you invest in this!