9 Replies Latest reply on Jan 31, 2007 9:37 PM by markfoerstein

    Security & Authentication of a Seam Application

    toni

      Hi,

      I would like to set up security for my Seam application. I have a database (realm) with users and passwords which I would like to use.

      I thought about using security constraints in the web.xml file in combination with some database login module from JBoss, which I remember from the past.

      Can anybody suggest an easy way of doing this? Or should I use the security stuff from the latest Seam version from the CVS? Or are there any other ways I could do this (interceptors checking for a context variable called Login)?

        • 1. Re: Security & Authentication of a Seam Application

          Does web.xml security give you the functionality you want? If so, then go ahead and use it. JBoss makes it really easy to work with. The problem is that the functionality just isn't very advanced.

          If you can wait a bit longer for the Seam security features to be completed, I think you'll find you'll be able to apply much more interesting security policies to your application.

          • 2. Re: Security & Authentication of a Seam Application
            toni

            I have now used the web.xml and it works fine for me. There is a good JAASExample in the wiki. I can recommend it.

            Just one last question. I noticed that the j_security_check is the URL to which the request for a FORM login gets posted to.

            Is that a constant or can we change it? And how could I provide it to a <h:form> tag in JSF?

            • 3. Re: Security & Authentication of a Seam Application
              gavin.king

              That is a magic value defined by the servlet spec (which is totally atrociously bad on authentication).

              • 4. Re: Security & Authentication of a Seam Application
                toni

                One final question:

                How can I render parts of the page depending on the user role with this kind of security setup?

                I would like to hide or show menu items depending on whether or not the user belongs to a certain rule.


                • 5. Re: Security & Authentication of a Seam Application
                  toni

                  Does JSF provide any means of checking for the role the user is in?

                  • 6. Re: Security & Authentication of a Seam Application
                    markfoerstein

                     

                    "norman.richards@jboss.com" wrote:
                    If you can wait a bit longer for the Seam security features to be completed, I think you'll find you'll be able to apply much more interesting security policies to your application.


                    Just saw that 1.1.5 is out... I can't wait to see some examples on this... Please Norman point us to some examples as soon as they are available. ;-)

                    Thanks

                    • 7. Re: Security & Authentication of a Seam Application
                      markfoerstein

                       

                      "toni" wrote:
                      How can I render parts of the page depending on the user role with this kind of security setup?

                      I would like to hide or show menu items depending on whether or not the user belongs to a certain rule.


                      Same here toni ;-)

                      • 8. Re: Security & Authentication of a Seam Application
                        gavin.king

                         

                        "markfoerstein" wrote:
                        "toni" wrote:
                        How can I render parts of the page depending on the user role with this kind of security setup?

                        I would like to hide or show menu items depending on whether or not the user belongs to a certain rule.


                        Same here toni ;-)


                        Easy:

                        <h:commandButton value="Self Destruct" action="#{machine.selfDestruct}" rendered="#{s:hasPermission('machine','selfDestruct',machine)}"/>


                        (Using 1.1.5, of course.)

                        If you don't have instance-level security, the following simpler form will suffice:

                        <h:commandButton value="Self Destruct" action="#{machine.selfDestruct}" rendered="#{s:hasPermission('machine','selfDestruct')}"/>


                        And if all you have is role-based security, the following is even simpler:

                        <h:commandButton value="Self Destruct" action="#{machine.selfDestruct}" rendered="#{s:hasRole('hero')}"/>




                        • 9. Re: Security & Authentication of a Seam Application
                          markfoerstein

                          Wow, instant answer. Are you a human or a forum bot or something...;-)

                          PS: I liked the "self destruct" thing ;-)

                          Will check it out...

                          Thanks Gavin.