5 Replies Latest reply on Oct 9, 2008 9:43 AM by adlerauge

    Seam 2.1 Security with an anonymous user

    adlerauge

      I got the following problem with the new Seam security. But before that I want to say 'Good job' for the great implementation (even though I need some more features :) )...


      I was running into the problem that I want the user, or say the admin, of our application to be able to give permissions to different parts of the application to an anonymous user (to others of course, too), e.g. a user can read profiles etc. (as I said, this has to be flexible for us), but to do more, the user has to log in. As far as I can see in the current implementation, there is no way other than overriding the hasPermission() method, going through the pre-authenticated roles, manually reading the permissions from the database and doing the additional permission check then. This is because the PersistentPermissionResolver checks if the user is logged in; I can't even assign any 'real' roles since that one is checked against a logged in user as well... This makes me wonder whether it is correct to say that there really has to be a logged in user to apply permissions. I do have to have the ability here to assign flexible permissions to an anonymous user and the current implementation simply does not support that.


      Is my assumption correct that I have no other way than overriding the hasPermission() method on the Identity component, or is there another way to get that flexibility? Maybe I can write an AnonymousPermissionResolver and add it to the chain, but that way I just can't use the already implemented JpaPermissionStore! If my assumption is correct, then maybe Seam security should have the option to handle flexible permissions for an unauthenticated user. Any thoughts about that?

        • 1. Re: Seam 2.1 Security with an anonymous user
          shane.bryzak

          Why can't you use JpaPermissionStore?

          • 2. Re: Seam 2.1 Security with an anonymous user
            adlerauge

            I was thinking of something else: that there is always a logged in user, that even the anonymous user is a user in the database, and when a system user really wants to log in, then I simply do another authentication with the provided credentials. How does that sound? It still somehow feels not quite right...

            • 3. Re: Seam 2.1 Security with an anonymous user
              adlerauge

              You're correct, Shane, I could use the JpaPermissionStore. Sorry about that... The PersistentPermissionResolver is checking if a user is logged in. Any statement on which of the ways you would prefer or suggest for a use case like that?

              • 4. Re: Seam 2.1 Security with an anonymous user
                shane.bryzak

                I would suggest going with your original idea of writing an AnonymousPermissionResolver. It would be almost identical to PersistentPermissionResolver; however, the hasPermission() method would look something like this:



                   public boolean hasPermission(Object target, String action)
                   {
                      // No store configured: deny by default
                      if (permissionStore == null) return false;

                      Identity identity = Identity.instance();

                      // This resolver only answers for anonymous (not logged-in) users
                      if (identity.isLoggedIn()) return false;

                      List<Permission> permissions = permissionStore.listPermissions(target, action);

                      for (Permission permission : permissions)
                      {
                         if (permission.getRecipient() instanceof Role)
                         {
                            Role role = (Role) permission.getRecipient();
                            // Grant only when the permission was assigned to the "guest" role
                            if ("guest".equals(role.getName())) return true;
                         }
                      }

                      return false;
                   }



                Then you simply need to create a guest role and grant the anonymous permissions to it.
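
An added illustration, not part of the original reply and not Seam code: a self-contained Java model of how a resolver chain containing the suggested anonymous resolver decides, using stand-in types and constructed grants (every name below is an assumption). It shows that once a user logs in the anonymous resolver abstains, so grants made to the guest role apply to that user only if they also hold the guest role.

```java
import java.util.*;
import java.util.function.Predicate;

// Simplified stand-ins for Seam's permission types; all names are illustrative.
public class AnonymousResolverDemo {
    record Grant(String target, String action, String role) {}

    interface Resolver { boolean hasPermission(String target, String action); }

    static boolean loggedIn = false;                 // stands in for Identity.isLoggedIn()
    static Set<String> userRoles = new HashSet<>();  // roles held by the logged-in user

    // Constructed sample data: what a permission store might hold.
    static final List<Grant> STORE = List.of(
        new Grant("profile", "read", "guest"),
        new Grant("profile", "update", "member"));

    // True if the store holds a grant for target/action to an acceptable role.
    static boolean granted(String target, String action, Predicate<String> roleOk) {
        return STORE.stream().anyMatch(g -> g.target().equals(target)
            && g.action().equals(action) && roleOk.test(g.role()));
    }

    // Mirrors the suggested resolver: abstains for logged-in users, honours "guest" grants.
    static final Resolver ANONYMOUS = (t, a) -> !loggedIn && granted(t, a, "guest"::equals);

    // Models a persistent resolver: answers only for logged-in users, by their roles.
    static final Resolver PERSISTENT = (t, a) -> loggedIn && granted(t, a, userRoles::contains);

    // The chain permits an action if any resolver grants it; otherwise it is denied.
    static boolean check(String target, String action) {
        return List.of(ANONYMOUS, PERSISTENT).stream()
            .anyMatch(r -> r.hasPermission(target, action));
    }

    public static void main(String[] args) {
        System.out.println("anonymous read:      " + check("profile", "read"));
        System.out.println("anonymous update:    " + check("profile", "update"));
        loggedIn = true;
        userRoles.add("member");
        System.out.println("member update:       " + check("profile", "update"));
        System.out.println("member read:         " + check("profile", "read"));
        userRoles.add("guest");                      // give authenticated users the guest role too
        System.out.println("member+guest read:   " + check("profile", "read"));
    }
}
```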

                • 5. Re: Seam 2.1 Security with an anonymous user
                  adlerauge

                  Thank you very much for your input and help, Shane! I appreciate it very much! I thought about it again and was coming to the same conclusion... Let's get to work :)