9 Replies Latest reply on Jun 9, 2010 6:13 AM by nickarls

    Security status?

    as6o

      What is the status of the security module?  I keep looking at the online statuses reported for the various modules and the security module doesn't seem to be going anywhere - not functional, doesn't build, no releases, no release plan, etc.


      I imagine security is a fairly important module.  Is it possible to get an update on where it is at and what still needs to be done?


      -Aaron

        • 1. Re: Security status?
          shane.bryzak

          I'm working on it currently.  It was actually all ported to CDI and fully functional, however we have decided to integrate it with PicketLink (which will be providing a lot of the more advanced security features) and adopt a lot of their API.  I'm hoping to have an alpha release out in the next couple of weeks, depending on the remaining integration issues (of which there have been many to overcome already).

          • 2. Re: Security status?
            rdelaplante

            I'm also very interested in getting Seam 3 Security ASAP. I have an upcoming project (within weeks) that I'd like to build using CDI and Seam Security.  By the time it is ready for production the Seam Security RC might be available.


            Since the message above seems to indicate major API changes, I think this is a good opportunity to request a major design change related to roles and permissions.  Some of our users hold multiple positions at the company they work for.  On some days they are the manager, and on other days they are a regular employee.   When the user logs in, I need them to choose which role to use (manager or regular employee) if there are multiple roles attached to their account.  This is also useful for administrators.  They can log in using a single account and choose if they want to use the administrator role, or their regular user role.


            Groups can be associated with roles and/or users.  Permissions can be associated with roles and/or groups and/or users.


            What do you think?

            • 3. Re: Security status?
              radu

              If you ask me, this is a very common behavior.
              You can let the user select the role he wants to play after he logs in; it is not mandatory to select the role during the login process. You will just designate a default role for each user or group of users.


              Anyway, I don't think we will ever see this kind of feature from the Seam framework. People involved in the Security module are too smart to ask us for an opinion or even share the release schedule with us!


              It is all part of the big Red Hat - JBoss integration strategy, which only the chosen one can see :)


              Meanwhile, I do what I suppose many others from this forum already do: migrate to plain JEE6, GlassFish, Spring, whatever has decent documentation, release schedule, support, community, published books, ...

              • 4. Re: Security status?
                radu

                Sorry for the tone of the last post... there really should be an Edit button on this forum.


                However, I'm disappointed about the lack of documentation and architecture information related to Seam Security and PicketLink (the 2 wiki pages from 1 year).

                • 5. Re: Security status?
                  shane.bryzak

                  The only Seam and PicketLink integration that existed previously was developed by an independent community contributor for the PicketLink project.  The current integration effort which I am undertaking is the first formal integration between the two projects, so of course there won't be any documentation yet. 


                  Ryan, unfortunately since we're now adopting the PicketLink API you'll need to address any feature requests to the JBoss Security team as changes such as you have suggested are now out of our control.  I suggest you post your ideas to their development forum, which you can find here:


                  http://community.jboss.org/en/picketlink/dev

                  • 6. Re: Security status?
                    nickarls

                    I need the security module for a project, too, but I'm happy if I go on vacation and everything Just Works when I get back ;-)


                    The dependency on PicketLink means we have access to a tried and tested API but it apparently has the downside that we have to go the extra mile if we want changes to it. Hopefully there is a strategy to extend the API in non-standard ways if there is stuff that we absolutely need but they have no interest in adding?

                    • 7. Re: Security status?
                      pmuir

                      Nicklas Karlsson wrote on Jun 09, 2010 03:21:


                      I need the security module for a project, too, but I'm happy if I go on vacation and everything Just Works when I get back ;-)

                      The dependency on PicketLink means we have access to a tried and tested API but it apparently has the downside that we have to go the extra mile if we want changes to it. Hopefully there is a strategy to extend the API in non-standard ways if there is stuff that we absolutely need but they have no interest in adding?


                      Yes. It's called talking, and having a discussion :-p

                      • 8. Re: Security status?
                        pmuir

                        Radu B wrote on Jun 08, 2010 14:46:


                        If you ask me, this is a very common behavior.
                        You can let the user select the role he wants to play after he logs in; it is not mandatory to select the role during the login process. You will just designate a default role for each user or group of users.

                        Anyway, I don't think we will ever see this kind of feature from the Seam framework. People involved in the Security module are too smart to ask us for an opinion or even share the release schedule with us!

                        It is all part of the big Red Hat - JBoss integration strategy, which only the chosen one can see :)

                        Meanwhile, I do what I suppose many others from this forum already do: migrate to plain JEE6, GlassFish, Spring, whatever has decent documentation, release schedule, support, community, published books, ...


                        I'm sorry that you are frustrated, and Shane will get information out as soon as he has it I'm sure!

                        • 9. Re: Security status?
                          nickarls

                          "Talking" and having a "discussion" is all nice and fine but that won't actually add the method to the interface :-p