Securing access to entities

kinnego May 22, 2008 1:46 AM

Hi, I've ever used SEAM before. Can anyone tell me if the security framework supports the ability to intercept and check a user's authorization based on the selected entity they are trying to modify.

Given the code below (from reference guide 2.0.2.GA Page 231) the 'selectedAccount' is passed into the @Restrict evaluation. Is it is possible when executing the rules to invoke Java code - e.g. perform data access? For example if I wanted to grant the logged in user access to modify their own account details (but no-one elses) as opposed to just this being an admin role. If so how would you do this?

@Name("account")
public class AccountAction {
@In Account selectedAccount;
@Restrict("#{s:hasPermission('account','modify',selectedAccount)}")
public void modify() {
selectedAccount.modify();
}
}

1. Re: Securing access to entities

shane.bryzak May 22, 2008 4:17 AM (in response to kinnego)

Seam 2.1.0 supports ACL security for specific object instances, it should provide what you need. Unfortunately there's no simple way to achieve this in Seam 2.0.2, you'd probably need to extend the Identity component and implement something yourself.
Actions
2. Re: Securing access to entities

barbacena May 23, 2008 3:49 PM (in response to kinnego)

Rule base security will solve your problem.
Actions

Go to original post