1 Reply Latest reply on Jun 10, 2011 10:30 AM by jsoye

    Seam Security: Groups vs Roles

    spitster

      Hi everyone,


      I had a lasting discussion with a mate tonight about security, groups and roles.
      We were wondering, why it should be possible to create just a group association to a user without a role, like it is at the moment with the RoleManager and the RelationshipManager.


      We came to the conclusion that it makes developing much more comfortable to rely on the fact that every user in a group has a role.
      Likewise, this approach would represent the real world a bit better. In nearly every group I can imagine the participants have specific roles.


      So my question is, why would it be useful to associate a user to a group without a role? In other words, is it intended that the developer can choose if he wants users in groups without roles?


      Is there a best practice for security issues?


      With kind regards


      /Malte

        • 1. Re: Seam Security: Groups vs Roles
          jsoye

          Hi,
          I guess they are trying to be as flexible as possible. For instance, I may
          want to associate a user to a 'friends' group. Or I might want to associate
          users to a particular country group.


          @Inject
          IdentitySession identitySession;
          ...
          // plain membership: neither association carries a role
          RelationshipManager relationshipManager = identitySession.getRelationshipManager();
          relationshipManager.associateUser(friendsOfSeamGroup, user);
          relationshipManager.associateUser(canadianGroup, user);

          In these cases I wouldn't care what role they have. Then I could just test if they
          were in that group or not using:


          boolean inGroup(String name, String groupType);   // name is the name of the group
          void checkGroup(String group, String groupType);

          I might also be interested in finding out all the groups a person is associated
          with by using:


          relationshipManager.findAssociatedGroups(user)


          Again, I don't really care about roles.


          On the other hand, the RoleManager is perfect for your more specific purposes, e.g.


               
          (from the seam documentation)
               
          RoleManager roleManager = identitySession.getRoleManager();
          RoleType manager = roleManager.createRoleType("manager");
          Role r = roleManager.createRole(manager, user, headOffice);

          // hasRole(roleName, groupName, groupType): the role only counts inside that group
          if (identity.hasRole("manager", "Head Office", "OFFICE")) {
              report.addManagementSummary();
          }


          or


          public class Restrictions {
            public @Secures @Admin boolean isAdmin(Identity identity) {
              return identity.hasRole("admin", "USERS", "GROUP");
            }
          }
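
Added example (not from the thread and not Seam's own code) that puts both halves of jsoye's reply side by side: one user gets a bare COUNTRY group membership and a "manager" role scoped to the Head Office group, and two checks show why the first needs no role while the second does. The class, the enrol method and the HeadOfficeManager binding type are assumed names; the PicketLink IDM and Seam Security calls are the ones the reply uses, plus PersistenceManager.createUser/createGroup for the setup.

```java
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import javax.inject.Inject;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.annotations.SecurityBindingType;
import org.jboss.seam.security.annotations.Secures;
import org.picketlink.idm.api.Group;
import org.picketlink.idm.api.IdentitySession;
import org.picketlink.idm.api.PersistenceManager;
import org.picketlink.idm.api.RelationshipManager;
import org.picketlink.idm.api.RoleManager;
import org.picketlink.idm.api.RoleType;
import org.picketlink.idm.api.User;
import org.picketlink.idm.common.exception.IdentityException;

public class GroupsVsRoles {
    /** Binding type for the role-scoped restriction below (assumed name, not from the thread). */
    @SecurityBindingType @Retention(RUNTIME) @Target({TYPE, METHOD})
    public @interface HeadOfficeManager {}

    @Inject IdentitySession identitySession;

    /** Put one user into a membership-only group and give them a role scoped to another group. */
    public void enrol(String username) throws IdentityException {
        PersistenceManager pm = identitySession.getPersistenceManager();
        RelationshipManager rm = identitySession.getRelationshipManager();
        RoleManager roleManager = identitySession.getRoleManager();

        User user = pm.createUser(username);                        // constructed sample user
        Group canada = pm.createGroup("canada", "COUNTRY");         // membership is the whole point
        Group headOffice = pm.createGroup("Head Office", "OFFICE"); // membership plus a role

        rm.associateUser(canada, user);           // no role: "is this person Canadian?" is enough
        RoleType manager = roleManager.createRoleType("manager");
        roleManager.createRole(manager, user, headOffice); // "manager" only inside Head Office
    }

    /** Coarse check: being in the group is the permission; roles never enter into it. */
    public boolean seesCanadianPricing(Identity identity) {
        return identity.inGroup("canada", "COUNTRY");
    }

    /** Fine check: the role is looked up with the group it was created in, so a
     *  "manager" of some other office does not pass. */
    public @Secures @HeadOfficeManager boolean isHeadOfficeManager(Identity identity) {
        return identity.hasRole("manager", "Head Office", "OFFICE");
    }
}
```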