11 Replies Latest reply on Dec 26, 2006 1:40 AM by norman.richards

    Seam 1.1.5 & SeamSecurity...

    sherkan777
    sherkan777 Dec 14, 2006 7:56 AM

      Hi Gavin!
      I read on form here http://www.jboss.com/index.html?module=bb&op=viewtopic&t=96461, what U said
      about SeamSecurity "12 Jan is an approximate date." (to finish), but on Jira page, production status is
      "Blocker" what that this mean?
      Will you finish those security module?

      • 8458 Views
      • Tags:
        • 1. Re: Seam 1.1.5 & SeamSecurity...
          gavin.king
          gavin.king Dec 14, 2006 8:01 AM (in response to sherkan777)

          "Blocker" means blocking the release. ie. we can't release 1.1.5 without it.

            • Actions
          • 2. Re: Seam 1.1.5 & SeamSecurity...
            sherkan777
            sherkan777 Dec 15, 2006 7:02 AM (in response to sherkan777)

            Hi Shane!,
            I found on jira page, info about Seam Security...but I'm intrested about one think: <s:secure/> <<== how can we use it?

            In seam 1.1.0 Beta 1 was one simple example of SeamSecurity app, but I can't find use of <s:secure/> there.
            Thanks...

            By the way, is somewhere page with full info about Seam Security, with examples or we must wait for full doc in Seam 1.1.5?
            Regards!

              • Actions
            • 3. Re: Seam 1.1.5 & SeamSecurity...
              shane.bryzak
              shane.bryzak Dec 15, 2006 7:49 AM (in response to sherkan777)

              <s:secure> is gone, it's been replaced with EL expressions s:hasRole and s:hasPermission.

              Unfortunately you'll have to wait until 1.1.5 for the examples and docs, but it's only a few weeks away.

                • Actions
              • 4. Re: Seam 1.1.5 & SeamSecurity...
                sherkan777
                sherkan777 Dec 15, 2006 10:01 AM (in response to sherkan777)

                I got another question....it is posible to run those SeamSecurity example?
                When I deploy project I get an Error:

                15:42:47,234 INFO [Component] Component: org.jboss.seam.core.init, scope: APPLICATION, type: JAVA_BEAN, class: org.jboss.seam.core.Init
15:42:47,250 ERROR [[/seam-security]] Exception sending context initialized event to listener instance of class org.jboss.seam.servlet.SeamListener
java.lang.NullPointerException
 at org.jboss.seam.util.Conversions$FlatPropertyValue.isExpression(Conversions.java:240)
 at org.jboss.seam.Component.getInitialValue(Component.java:357)
 at org.jboss.seam.Component.initInitializers(Component.java:341)
 at org.jboss.seam.Component.<init>(Component.java:248)
 at org.jboss.seam.Component.<init>(Component.java:193)


                I think Seam needs somethink : java.lang.NullPointerException
                I got jboss-seam.jar in ear file and
                el-api.jar
                el-ri.jar
                jsf-facelets.jar int WEB-INF/lib

                jboss-seam.jar is form Beta 1 version.

                  • Actions
                • 5. Re: Seam 1.1.5 & SeamSecurity...
                  fcorneli
                  fcorneli Dec 16, 2006 9:04 AM (in response to sherkan777)

                   

                  <s:secure> is gone, it's been replaced with EL expressions s:hasRole and s:hasPermission.


                  Does this mean that the "view" will also have servlet container security enabled on it? In my own Seam application I've places only the controller Seam BBs within a security domain. Thus these components can use the @RolesAllowed stuff. I'm using a servlet filter to push the session credentials to the client-login JAAS context. My view has no servlet container security enabled on it, but it can access the current used via #{currentUser} if needed for view purposes only, since that's the only task of the view (SoC). For this I used a simple Tomcat valve configured via context.xml.
                  IMHO the view should not have security enabled on it, since it can only expose data or perform operations via the controller components. Thus placing the controller components inside a security domain does the trick. Servlet container security doesn't bring anything in case of an MVC framework like Seam. And, since Seam 1.1 we can have a nice error page in case of an RBAC exception, thus the view does not need to get access to the RBAC itself. This is also in line with another security aspect: input validation. Via the Hibernate annotations, they've also made the view "dumb" as it comes to input validation. Anyone has opinion on this? Can anyone already shed some light on which direction this is going to take? At JavaPolis someone of JBoss said they where going to use a rules thingy for the Seam security... KISS please... we already have a security system via EJB3, one should be enough.

                    • Actions
                  • 6. Re: Seam 1.1.5 & SeamSecurity...
                    shane.bryzak
                    shane.bryzak Dec 17, 2006 9:25 PM (in response to sherkan777)

                    The security API provides page-level security - even though the component model is secure people still like to be able to secure their views for completeness. This is totally optional and if page/view security is not a concern there is no requirement to use it.

                    On the last point, there is a security system for EJB3 however it is lacking in a number of areas. A rule-based security API will provide an innovative new solution to a problem that has been traditionally complex and difficult to implement a solution for. Integration points will exist for those who still wish to work with JAAS-based container security, however I'm of the opinion that very few situations will require this.

                      • Actions
                    • 7. Re: Seam 1.1.5 & SeamSecurity...
                      shane.bryzak
                      shane.bryzak Dec 17, 2006 9:27 PM (in response to sherkan777)

                       

                      "sherkan777" wrote:
                      I got another question....it is posible to run those SeamSecurity example?


                      This example has been killed off - deleted from CVS. The SeamSpace example will replace it when the security API is released in Seam 1.1.5.

                        • Actions
                      • 8. Re: Seam 1.1.5 & SeamSecurity...
                        kasim
                        kasim Dec 25, 2006 8:25 PM (in response to sherkan777)


                        are there any examples anywhere of the Seam security for 1.1.5?

                          • Actions
                        • 9. Re: Seam 1.1.5 & SeamSecurity...
                          norman.richards Dec 26, 2006 12:06 AM (in response to sherkan777)

                          You can get a sneak peak in CVS, but I suspect everything there is subject to change. Unless you want to join in the development, it's probably better just to hold off.

                            • Actions
                          • 10. Re: Seam 1.1.5 & SeamSecurity...
                            kasim
                            kasim Dec 26, 2006 12:14 AM (in response to sherkan777)


                            yeah. just trying to figure out what to do.

                            I initially wrote my chapter about security before the latest changes. So a lot of it isnt accurate right now. My updates to the chapter are due in a few days that its in. So i was trying to figure out if i could get it enough to make what i wrote accurate for 1.1.5.


                            ... do you think format wise it will change much? doesnt have to be 100% functional. Just code usage wise

                              • Actions
                            • 11. Re: Seam 1.1.5 & SeamSecurity...
                              norman.richards Dec 26, 2006 1:40 AM (in response to sherkan777)

                              My impression is that you should expect a lot of churn until the final release. I don't think it is near its final form yet.

                                • Actions