10 Replies Latest reply on Jan 16, 2012 5:22 PM by lightguard

    Seam 3 Security capability

    lukascz
    lukascz Jan 7, 2012 9:21 PM

      Hello,


      I would like to use Seam 3 security module for handling security in my application. However, I am not sure if seam 3 offers capabilities that I need.


      In my system, the role of the user varies among the objects. That means that user doesn't have one global role, but he has different roles for different entities. For example, there are two entites - Car and Person. Person might have role OWNER for specific car if given person owns that car. So I would like to be able to call something like .hasRole('OWNER',carInstance) or something in that sense.


      Can I do this with Seam 3 security module or does this offer only global roles for whole system and not for specific instances?


      Thanks,
      Lukas

      • 453 Views
      • Tags:
        • 1. Re: Seam 3 Security capability
          blabno
          blabno Jan 9, 2012 10:56 AM (in response to lukascz)

          In stead of roles you could work with permissions or even authorizing methods annotated with @Secures.

            • Actions
          • 2. Re: Seam 3 Security capability
            lukascz
            lukascz Jan 9, 2012 11:08 AM (in response to lukascz)

            The problem with using @Secures approach is that I need to pass an object to find out the permissons. But method annotated by @Secures takes just identity.


            However, Identity interface contains method hasPermission(Object target, String action). But where is this configured? Is this somewhere documented?


            Thanks,
            Lukas

              • Actions
            • 3. Re: Seam 3 Security capability
              lightguard
              lightguard Jan 9, 2012 3:26 PM (in response to lukascz)

              I think Security is still one of those modules we need a lot of work, and some really good examples and documentation. I'm hoping we at least get those done for the next development cycle. Of course, any help from people have things working and would like to contribute to the docs and / or examples would be greatly appreciated.

                • Actions
              • 4. Re: Seam 3 Security capability
                atdavie
                atdavie Jan 11, 2012 10:34 AM (in response to lukascz)

                Is the Security project still active? I looked at the page and it still has info relating to releasing something in 2010...?


                I would like to use Seam security with Jboss Negotiation for a new project which requires SSO but I am a bit worried.

                  • Actions
                • 5. Re: Seam 3 Security capability
                  atdavie
                  atdavie Jan 11, 2012 10:40 AM (in response to lukascz)

                  Seam 3 (from what I have read) uses a Users, Roles, Groups approach. You may be able to use this for what you have in mind, not sure.


                  I am personally looking at doing something similar with the rules support. The hasPermissions invokes a rule, and this determines the access.


                  The rules are defined in a file: security.drl.

                    • Actions
                  • 6. Re: Seam 3 Security capability
                    lightguard
                    lightguard Jan 11, 2012 2:00 PM (in response to lukascz)

                    Yes, it's still very much alive, we've simply gotten lax in updating the web site (it's a manual process and we've discussed other options about a different site, automation, etc. but they haven't gotten very far).

                      • Actions
                    • 7. Re: Seam 3 Security capability
                      riboriori
                      riboriori Jan 13, 2012 8:31 AM (in response to lukascz)

                      Jason
                      what about acl's management? it is still under development? i think acl's not available with Seam 3.1.0.Beta5 or im wrong?


                        • Actions
                      • 8. Re: Seam 3 Security capability
                        lightguard
                        lightguard Jan 13, 2012 4:08 PM (in response to lukascz)

                        No, it did not make it. I know it's been something that's been hot on the list for quite a few people. Would you like to help make it a reality?

                          • Actions
                        • 9. Re: Seam 3 Security capability
                          riboriori
                          riboriori Jan 15, 2012 8:02 AM (in response to lukascz)

                          I think acl management is a must of every security software. Roles, groups and users management without acl make the module incomplete, by my point of view.
                          Also i think that in the future, while you estimate that most of the actuals seam 3 modules migrate to other frameworks (for example i readed that seam-persistence and seam-validation will migrate to hibernate framework), i think seam-security will remain as a part of the actual seam-framework (or you want migrate to picketlink project???).
                          I dont understand exactly what you asked me about to help it a reality.
                          Can u be more clear?
                          Regards


                            • Actions
                          • 10. Re: Seam 3 Security capability
                            lightguard
                            lightguard Jan 16, 2012 5:22 PM (in response to lukascz)

                            Why I said help anything to help us out would be appreciated. Either some real world requirements, documentation, code contributions, etc. Any (or all) of the above would be very helpful in getting ACL in to Seam Security.

                              • Actions