7 Replies Latest reply on Mar 19, 2010 8:02 AM by jaykumar11

    Seam 2.1 Security

    andre.eugenio

      Hi,


      I'm trying to set up the new Seam security and I'm probably missing some configuration.


      Parts of components.xml


      <persistence:hibernate-session-factory name="hibernateFactory" />
      <persistence:managed-hibernate-session name="hibernate" auto-create="true"
        session-factory="#{hibernateFactory}"/>
      <security:identity-manager identity-store="#{jpaIdentityStore}" />
      <security:jpa-identity-store user-class="User" role-class="Role" />
      <security:jpa-permission-store user-permission-class="UserPermission" 
        role-permission-class="RolePermission"/>
      



      The problem is that when Seam tries to create a query (createPermissionQuery) it throws a null-pointer exception on this line:


      Query query = lookupEntityManager().createQuery(queryCache.get(queryKey));
      



      The SQL string is generated fine by reading the annotations on the User class and is available in the queryCache hash map, but it looks like the entityManager (internal variable) is not assigned to my hibernateSession. Is there any other configuration I need to do to set up the jpaIdentityStore?


      --


      I have another question about the security. I'm planning to leave the security available for the user to configure dynamically.


      To achieve this I was planning to have all action classes carry the @Restrict annotation and to extend the Identity class, overriding the hasPermission methods to first check whether there is any restriction before submitting to Seam if necessary.


      With this custom Identity class I can create a new method to check roles as well.


      Something like


      // The custom Identity replaces Seam's built-in one (it has to be registered under
      // the same component name, org.jboss.seam.security.identity, with a higher precedence).
      public class CustomIdentity extends Identity {

        @Override
        public boolean hasPermission(Object target, String action) {
          // Check in Hibernate whether target/action has some restriction configured;
          // only then defer to the standard Seam check, otherwise allow.
          if (myCustomMethodToCheckRestriction(target, action))
             return super.hasPermission(target, action);
          else
             return true;
        }

        public boolean myCustomCheckForHasRole(String faceletsTemplate) {
          String roleTarget;
          // A role restriction configured for this template means the user must hold that role.
          if ((roleTarget = getRoleRestrictionFor(faceletsTemplate)) != null) {
             return super.hasRole(roleTarget);
          }
          return true;
        }

        // myCustomMethodToCheckRestriction(...) and getRoleRestrictionFor(...) look up the
        // configured restrictions in Hibernate (not shown in the post).
      }
      



      Is this the best approach?



        • 1. Re: Seam 2.1 Security
          andre.eugenio

          Just for the record (I guess it's obvious, but I made the mistake anyway): Seam Security needs an EntityManager persistence context to work and will not work with a Hibernate Session (see my old config above).


          So I just changed my components.xml to something like the config below, and things started to work.


          <persistence:managed-persistence-context 
                   name="em"
                  auto-create="true"
                  entity-manager-factory="#{hibernateFactory}"
          />
          <persistence:entity-manager-factory
               name="hibernateFactory"
          />
          <transaction:entity-transaction 
               entity-manager="#{em}"
          />     
          <ui:jpa-entity-loader
               entity-manager="#{em}"
          />
          <factory name="hibernate" 
               scope="STATELESS" 
               auto-create="true" 
               value="#{em.delegate}"
          />     
          



          About the second question in my first post, I would be glad to see any comments about it.


          Regards.




          • 2. Re: Seam 2.1 Security
            oberhaus.oberhaus.pobox.com

            I ran into the same problem, and here's the stack trace that I got (to seed Google):



            2008-12-23 19:20:13,390 ERROR [org.jboss.seam.security.jaas.SeamLoginModule] Error invoking login method
            java.lang.NullPointerException
                 at org.jboss.seam.security.management.JpaIdentityStore.lookupUser(JpaIdentityStore.java:762)
                 at org.jboss.seam.security.management.JpaIdentityStore.authenticate(JpaIdentityStore.java:726)
                 at org.jboss.seam.security.management.IdentityManager.authenticate(IdentityManager.java:262)
                 at org.jboss.seam.security.jaas.SeamLoginModule.login(SeamLoginModule.java:126)
                 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:585)
                 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
                 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                 at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
                 at java.security.AccessController.doPrivileged(Native Method)
                 at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
                 at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
                 at org.jboss.seam.security.Identity.authenticate(Identity.java:335)
                 at org.jboss.seam.security.Identity.authenticate(Identity.java:324)
                 at org.jboss.seam.security.Identity.login(Identity.java:253)
                 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:585)
                 at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:329)
                 at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:342)
                 at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
                 at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
                 at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
                 at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
                 at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88)
                 at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102)
                 at javax.faces.component.UICommand.broadcast(UICommand.java:387)
                 at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:321)
                 at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:296)
                 at org.ajax4jsf.component.AjaxViewRoot.processPhase(AjaxViewRoot.java:253)
                 at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:466)
                 at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:82)
                 at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
                 at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
                 at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
                 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
                 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
                 at org.jboss.seam.debug.hot.HotDeployFilter.doFilter(HotDeployFilter.java:51)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                 at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:38)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                 at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                 at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                 at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                 at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:177)
                 at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:267)
                 at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:380)
                 at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:507)
                 at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                 at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                 at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
                 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                 at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
                 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
                 at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
                 at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
                 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                 at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
                 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
                 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
                 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
                 at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
                 at java.lang.Thread.run(Thread.java:613)
            



            • 3. Re: Seam 2.1 Security
              stefanotravelli

              I think a better approach would be to write your custom role check as a Drools rule.


              In general you could also add a custom permission resolver to the chain.


              However, at the moment your custom permission resolver can only be invoked at the end of the chain, instead of at some point in the middle as you probably want.


              There is a JIRA issue on this topic: JBSEAM-3664
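              As an added example (editor's code, not from this thread and not part of Seam), this is what the custom permission resolver suggested above looks like when it carries the "restriction configured in the database" idea from the first post. Seam 2.1 adds any named component that implements `org.jboss.seam.security.permission.PermissionResolver` to the resolver chain, and the chain grants a permission as soon as one resolver returns true, so the resolver below only returns true after a positive role check and abstains (returns false) when nothing is configured for the target/action pair. The `ActionRestriction` entity and its fields, the package and component names, and the assumption that the managed persistence context is named `entityManager` are all illustration-only.

```java
package com.example.security; // hypothetical package, not from the thread

import java.util.Iterator;
import java.util.List;
import java.util.Set;

import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.permission.PermissionResolver;

/**
 * Hypothetical entity holding the restrictions an administrator configures at
 * runtime: "action X on target Y requires role Z". The target is stored as a
 * string (component or class name) because the checks in the thread use names.
 */
@Entity
class ActionRestriction {
   @Id private Long id;
   private String target;
   private String action;
   private String requiredRole;

   public String getRequiredRole() { return requiredRole; }
}

/**
 * Seam registers this resolver in the chain automatically because it is a
 * named component implementing PermissionResolver. Since one grant anywhere in
 * the chain is enough, it must return true only after a positive check.
 */
@Name("restrictionPermissionResolver")
@Scope(ScopeType.APPLICATION)
public class RestrictionPermissionResolver implements PermissionResolver {

   // Assumption: the managed persistence context component is named "entityManager".
   @In
   private EntityManager entityManager;

   public boolean hasPermission(Object target, String action) {
      if (target == null || action == null) {
         return false;
      }
      // Normalise the target to the name an administrator would have configured.
      String targetName = target instanceof Class
            ? ((Class<?>) target).getName() : target.toString();

      @SuppressWarnings("unchecked")
      List<ActionRestriction> restrictions = entityManager
            .createQuery("select r from ActionRestriction r"
                       + " where r.target = :target and r.action = :action")
            .setParameter("target", targetName)
            .setParameter("action", action)
            .getResultList();

      // Fail closed: with nothing configured this resolver abstains. Returning
      // true here instead would grant every unconfigured action to every caller,
      // because a single grant satisfies the whole chain.
      if (restrictions.isEmpty()) {
         return false;
      }

      Identity identity = Identity.instance();
      for (ActionRestriction restriction : restrictions) {
         if (identity.hasRole(restriction.getRequiredRole())) {
            return true;
         }
      }
      return false;
   }

   // Bulk variant used by Identity.filterByPermission(): remove from the set the
   // targets the caller IS allowed to act on; whatever remains gets filtered out.
   public void filterSetByAction(Set<Object> targets, String action) {
      for (Iterator<Object> it = targets.iterator(); it.hasNext();) {
         if (hasPermission(it.next(), action)) {
            it.remove();
         }
      }
   }
}
```

              With this default, a target/action pair that has no restriction row is denied unless another resolver in the chain (for example the rule-based one) grants it. If the behaviour wanted is really "no restriction configured means allowed", the `restrictions.isEmpty()` branch can return true instead, with the consequence that every unconfigured pair is then granted to every caller, including anonymous ones when the `@Restrict` expression does not also test `identity.loggedIn`.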

              • 4. Re: Seam 2.1 Security
                zabin7
                Hello friends

                 I am new to Seam and have been working on it for the past 2 months. I am trying to implement authorization in my project, but I am stuck.
                 I am using JpaPermissionStore for checking permissions. My entity is ready with data.
                 My components.xml file is like this:
                <core:init debug="@debug@" jndi-pattern="@jndiPattern@"/>
                  
                   <core:manager concurrent-request-timeout="500"
                                 conversation-timeout="120000"
                                 conversation-id-parameter="cid"/>
                   
                   <persistence:managed-persistence-context name="em"
                                                     auto-create="true"
                                      persistence-unit-jndi-name="java:/ezeeDeskEntityManagerFactory"/>                         

                   <drools:rule-base name="securityRules">
                       <drools:rule-files>
                           <value>/security.drl</value>
                       </drools:rule-files>
                   </drools:rule-base>

                   <security:identity authenticate-method="#{authenticator.authenticate}" remember-me="true"/>
                     
                     <security:rule-based-permission-resolver security-rules="#{securityRules}"/>
                     
                     <security:jpa-permission-store user-permission-class="com.sec.ezeeDesk.login.AccountPermission"/>


                   <mail:mail-session
                        host="#{ezeestayAppSettings.settings.SMTP_SERVER_NAME}"
                        port="#{ezeestayAppSettings.settings.SMTP_SERVER_PORT}"
                        username="#{ezeestayAppSettings.settings.SMTP_USER_NAME}"
                        password="#{ezeestayAppSettings.settings.SMTP_USER_PASSWORD}"
                   />
                       
                   <!-- For use with jBPM pageflow or process management -->
                   <!-- 
                   <bpm:jbpm>
                      <bpm:process-definitions></bpm:process-definitions>
                      <bpm:pageflow-definitions></bpm:pageflow-definitions>
                   </bpm:jbpm>
                   -->
                     
                     <ui:jpa-entity-loader entity-manager="#{em}"/>
                         
                     <international:locale-selector cookie-enabled="true"/>

                 In the action class, before the method, I have written
                 @Restrict("#{s:hasPermission('additionalFeaturesSetup','addAdditionalFeature')}")

                 where additionalFeaturesSetup is the component name of the action class and addAdditionalFeature is the method name.

                 (Though the concept of target is still not clear to me.)

                 When I call this method I get a NullPointerException.
                 The stack shows:
                Caused by: java.lang.NullPointerException
                at org.jboss.seam.security.permission.JpaPermissionStore.createPermissionQuery(JpaPermissionStore.java:232)
                at org.jboss.seam.security.permission.JpaPermissionStore.listPermissions(JpaPermissionStore.java:622)
                at org.jboss.seam.security.permission.JpaPermissionStore.listPermissions(JpaPermissionStore.java:607)
                at org.jboss.seam.security.permission.PersistentPermissionResolver.hasPermission(PersistentPermissionResolver.java:80)
                at org.jboss.seam.security.permission.PermissionMapper.resolvePermission(PermissionMapper.java:77)
                at org.jboss.seam.security.Identity.hasPermission(Identity.java:632)
                at org.jboss.seam.security.SecurityFunctions.hasPermission(SecurityFunctions.java:29)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                at java.lang.reflect.Method.invoke(Method.java:597)
                at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:329)


                 Can anybody help, please? I need to have permission-based authorization, and don't want to use rule-based.
                • 5. Re: Seam 2.1 Security
                  zergspirit

                  The 'target' is supposed to be, by default, an entity; it can't be a String.


                  By default, Seam provides Entity and Class handling for permissions, meaning you can put an entity or a Class as the target without having to code anything.
                  So, if you want to check a permission on your additionalFeaturesSetup component, you should check


                  @Restrict("#{s:hasPermission(additionalFeaturesSetup.class,'action')}")



                  Where action is typically something like 'view', 'write' or 'delete', but you can put anything you want.


                  Granting permissions works the same way.


                  Don't know if I've been clear; feel free to ask for more information.

                  • 6. Re: Seam 2.1 Security
                    skallio

                    Adrien Orsier wrote on Mar 06, 2009 17:11:


                    The 'target' is supposed to be, by default, an entity; it can't be a String.

                    By default, Seam provides Entity and Class handling for permissions, meaning you can put an entity or a Class as the target without having to code anything.
                    So, if you want to check a permission on your additionalFeaturesSetup component, you should check

                    @Restrict("#{s:hasPermission(additionalFeaturesSetup.class,'action')}")



                    Where action is typically something like 'view', 'write' or 'delete', but you can put anything you want.

                    Granting permissions works the same way.

                    Don't know if I've been clear; feel free to ask for more information.



                    How would I migrate Seam 2.0 permission checks to Seam 2.1? I have, for example, the following rule:


                    rule "edit-store-conclude-for-store-admin"
                        no-loop
                    when
                        $c: PermissionCheck(name == "edit-store")
                        $principal: Principal()
                        $store: Store()
                        $currentUser: Person(userid == $principal.name)
                        RoleBroker(person.id == $currentUser.id, role.role == "store_admin", store.id == $store.id)
                    then
                        $c.grant();
                    end;
                    



                    And the following check on xxx.page.xml



                    <restrict>#{s:hasPermission('edit-store', 'restore', storeHome.instance)}</restrict>




                    How to do the same with Seam 2.1?
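                    An added example of the migrated rule (editor's rewrite, not from the post or from the Seam project). In Seam 2.1 `PermissionCheck` carries a target and an action instead of a name, `s:hasPermission` takes `(target, action)`, and a non-String target is inserted into the rule session as a fact, so the `Store` can be bound first and tied to the check. The rule assumes, as the 2.0 version did, that the application still inserts its `Person` and `RoleBroker` facts into the security context; `activation-group "permissions"` is the grouping the Seam 2.1 rules use so that one grant stops the remaining rules firing.

```drools
rule "edit-store-conclude-for-store-admin"
    no-loop
    activation-group "permissions"
when
    // the Store passed as target is in working memory; bind it first
    $store: Store()
    // 2.0's name == "edit-store" becomes target/action; granted == false avoids re-firing
    $c: PermissionCheck(target == $store, action == "edit-store", granted == false)
    $principal: Principal()
    $currentUser: Person(userid == $principal.name)
    RoleBroker(person.id == $currentUser.id, role.role == "store_admin", store.id == $store.id)
then
    $c.grant();
end
```

                    The matching check in the page descriptor drops the first argument and passes the entity as the target: `<restrict>#{s:hasPermission(storeHome.instance, 'edit-store')}</restrict>`. The old `'restore'` string has no counterpart in the two-argument form; if it carried meaning it has to become part of the action name or a separate fact.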

                    • 7. Re: Seam 2.1 Security
                      jaykumar11

                      Andre Eugenio wrote on Nov 18, 2008 18:57:


                      Just for the record (I guess it's obvious, but I made the mistake anyway): Seam Security needs an EntityManager persistence context to work and will not work with a Hibernate Session (see my old config above).

                      So I just changed my components.xml to something like the config below, and things started to work.

                      <persistence:managed-persistence-context 
                               name="em"
                              auto-create="true"
                              entity-manager-factory="#{hibernateFactory}"
                      />
                      <persistence:entity-manager-factory
                           name="hibernateFactory"
                      />
                      <transaction:entity-transaction 
                           entity-manager="#{em}"
                      />     
                      <ui:jpa-entity-loader
                           entity-manager="#{em}"
                      />
                      <factory name="hibernate" 
                           scope="STATELESS" 
                           auto-create="true" 
                           value="#{em.delegate}"
                      />     
                      



                      About the second question in my first post, I would be glad to see any comments about it.

                      Regards.






                      Hi Andre Eugenio,


                      I am currently using a Hibernate session factory and we are just implementing the authorization. Now we are getting the NullPointerException like the one above.
                      Could you please advise how we can use the JPA persistence context with a Hibernate session factory?


                      Thanks
                      Jay
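                      An added configuration example (editor's, not posted by anyone in the thread) covering both the question just above and the earlier NullPointerException in JpaPermissionStore.createPermissionQuery: it keeps a Hibernate Session available for existing code while the Seam stores use a JPA persistence context, and it points the stores at that context explicitly. The explicit wiring is needed when the context is not named `entityManager`, which is the name the Seam 2.1 JpaIdentityStore and JpaPermissionStore components fall back to; the `entity-manager` attribute is the one those components expose for this (verify it against the components XSD of the Seam version in use). Component names other than `em`, `hibernate` and `hibernateFactory` come from the posts above; the user/role/permission class names are placeholders.

```xml
<!-- One JPA persistence context; "em" is the name used in the posts above -->
<persistence:entity-manager-factory name="hibernateFactory"/>
<persistence:managed-persistence-context name="em"
     auto-create="true"
     entity-manager-factory="#{hibernateFactory}"/>

<!-- Code that still needs a Hibernate Session gets the one underneath the
     EntityManager, so both layers share a single unit of work -->
<factory name="hibernate" scope="STATELESS" auto-create="true" value="#{em.delegate}"/>

<!-- The stores resolve #{entityManager} by default; with a context named
     "em" that lookup yields null and the query creation fails, so name it -->
<security:identity-manager identity-store="#{jpaIdentityStore}"/>
<security:jpa-identity-store user-class="User" role-class="Role"
     entity-manager="#{em}"/>
<security:jpa-permission-store user-permission-class="UserPermission"
     role-permission-class="RolePermission"
     entity-manager="#{em}"/>
```

                      The alternative that needs no attribute at all is to name the managed persistence context `entityManager`; either way, the fragment above should produce exactly one persistence context per request, with the Session view and the stores sharing it rather than a separate hibernate-session-factory component opening its own.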