According to Yuan/Orshalick/Heute book (2nd ed.), it's possible to configure an LdapIdentityStore for user retrieval and a JpaIdentityStore for role retrieval.

code snippet from pg. 251:

<security:identity-manager
          identity-store="#{ldapIdentityStore}"
          role-identity-store="#{jpaIdentityStore}"/>

I've looked at the seamspace and rulesbooking examples.  I've read the docs and this material and API is not trivial.  Esp. when you start getting into drools for permissions management.  Is drools really necessary in most use cases concerning security?  Considering most apps will want to restrict pages based on role (not necessarily components and public methods).

We're trying to use Active Directory (i.e. LDAP) for authentication.  Currently, we're using NTLM silent authentication (i.e. no form to input username/pswd and submit) with IE browsers.  I'm interested in the role mgmt functionality via JpaIdentityStore and RDBMS tables for user self-service as far as adding users/roles, etc.  We are using security groups in AD (managed by MS Outlook) for modifying/adding users to roles.  I remember this UI admin functionality was achieved with the seamspace example however, this confuses me somewhat:

<security:ldap-identity-store name="ldapIdentityStore"
                                         server-address="localhost"
                                         bind-DN="cn=Manager,dc=bryzak,dc=com"
                                         bind-credentials="secret"
                                         user-DN-prefix="uid="
                                         user-DN-suffix=",ou=Person,dc=bryzak,dc=com"
                                         role-DN-prefix="cn="
                                         role-DN-suffix=",ou=Roles,dc=bryzak,dc=com"
                                         user-context-DN="ou=Person,dc=bryzak,dc=com"
                                         role-context-DN="ou=Roles,dc=bryzak,dc=com"
                                         user-role-attribute="roles"
                                         role-name-attribute="cn"
                                         user-object-classes="person,uidObject"
                                         />

How does this work exactly when running from my machine/network?  I see the following in the log:

2009-03-16 11:01:37,934 INFO  [org.jboss.seam.Component] Component: ldapIdentityStore, scope: APPLICATION, type: JAVA_BEAN, class: org.jboss.seam.security.management.LdapIdentityStore
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.roleDNPrefix=cn=
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.bindCredentials=secret
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.userObjectClasses=person,uidObject
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.serverAddress=localhost
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.bindDN=cn=Manager,dc=bryzak,dc=com
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.roleNameAttribute=cn
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.userDNSuffix=,ou=Person,dc=bryzak,dc=com
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.roleDNSuffix=,ou=Roles,dc=bryzak,dc=com
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.userContextDN=ou=Person,dc=bryzak,dc=com
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.roleContextDN=ou=Roles,dc=bryzak,dc=com
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.userRoleAttribute=roles
2009-03-16 11:01:37,934 DEBUG [org.jboss.seam.Component] ldapIdentityStore.userDNPrefix=uid=

It also gets confusing when you have all these Seam annotations in one entity class:

@PermissionUser 
@PermissionRole

@PermissionTarget
@PermissionAction

@PermissionDiscriminator