9 Replies Latest reply on Sep 2, 2009 7:17 AM by seamkaruna

    File access permission to users

    seamkaruna

      hi there,


      I'm implementing an admin page and I want to restrict users from accessing files which are protected from them. Please help with this issue.


      thanks in advance.

        • 1. Re: File access permission to users

          You need to be way more specific; forums are not good for this kind of question (believe me, I have made the same mistake ;-) ).

          • 2. Re: File access permission to users
            seamkaruna

            hi peredo,


            Thanks for your reply, but I want to implement security in my application. What can I do? Please suggest some ideas.


            thanks.

            • 3. Re: File access permission to users
              lvdberg

              Hi,


              Seam can secure your application by restricting access to pages and resources. You can add a restriction to pages.xml to enable login (to start with). Seam has an excellent User-Role based authorization mechanism; see chapter 15 of the documentation on how to do that.


              Furthermore, you can add a restriction to the rendered attributes of your page content (see the s:role element).


              Last but not least, you can add restrictions to your bean methods with annotations. This is also explained in detail in chapter 15.


              If you have more questions, don't hesitate to ask, but I agree with Francisco: don't ask generic questions.
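
Added example, not part of the original thread or of the Seam distribution: a bean-method restriction of the kind the reply above mentions, applied to reading files from a protected directory. The component name `protectedFiles`, the directory `/var/app/protected` and the method `resolve` are hypothetical; `@Restrict` and `AuthorizationException` are Seam 2 security classes.

```java
import java.io.File;
import java.io.IOException;

import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.security.Restrict;
import org.jboss.seam.security.AuthorizationException;

// Hypothetical component: hands out files that only admins may read.
@Name("protectedFiles")
public class ProtectedFiles {

    // Assumed location, outside the web root, so the container never serves
    // these files directly and every read has to pass through this bean.
    private static final File BASE_DIR = new File("/var/app/protected");

    // Seam evaluates the expression before the method body runs and throws
    // NotLoggedInException or AuthorizationException when it is false.
    @Restrict("#{s:hasRole('admin')}")
    public File resolve(String requestedName) throws IOException {
        File base = BASE_DIR.getCanonicalFile();
        File target = new File(base, requestedName).getCanonicalFile();

        // Canonicalisation collapses "../" segments and symlinks; anything
        // that ends up outside BASE_DIR is refused, even for an admin.
        if (!target.getPath().startsWith(base.getPath() + File.separator)) {
            throw new AuthorizationException("Path is outside the protected directory");
        }
        if (!target.isFile()) {
            throw new IOException("No such file: " + requestedName);
        }
        return target;
    }
}
```

A page restriction in pages.xml only guards the view; the annotation guards the method itself, whichever page or request calls it.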

              • 4. Re: File access permission to users
                seamkaruna
                hi leo,

                     Thanks for your valuable reply. I have just gone through the documentation, but I couldn't understand the following:

                <page view-id="/reports.xhtml">   
                    <restrict>#{s:hasRole('admin')}</restrict>
                </page>

                Do I have to write a function like hasRole in a bean? If you have any example code, please send it to me.

                thanks in advance.
                • 5. Re: File access permission to users
                  lvdberg

                  You need to include User and Role entities in your application. Seam allows you to annotate these classes and include them in your application security model. You need an authenticate bean which takes care of authenticating users, which also adds the defined Roles to the user.


                  If you have that in place, the -restrict- in pages will work without any additional coding. It seems a bit complex, but it really pays off in the long term.


                  The s:role tag is also used inside the restriction, but it can also be used in the rendered attribute, so disabling the visibility of elements for non-authorized users.


                  The distro and docs contain the examples, but if it's helpful, here is some of my own code (I shortened it a bit, because I am using it with JBPM and automatic skin/language setting):




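                  import javax.persistence.EntityManager;
                  import javax.persistence.NoResultException;

                  import org.jboss.seam.annotations.In;
                  import org.jboss.seam.annotations.Logger;
                  import org.jboss.seam.annotations.Name;
                  import org.jboss.seam.annotations.Out;
                  import org.jboss.seam.annotations.Transactional;
                  import org.jboss.seam.bpm.Actor;
                  import org.jboss.seam.faces.FacesMessages;
                  import org.jboss.seam.log.Log;
                  import org.jboss.seam.security.Credentials;
                  import org.jboss.seam.security.Identity;

                  // Operator and Role are the application's own User and Role entities.
                  @Name("authenticationManager")
                  public class AuthenticationManager {

                      @Logger Log log;
                      @In EntityManager entityManager;

                      @In Actor actor;     // For use with JBPM

                      @In Credentials credentials;
                      @In Identity identity;

                      @In FacesMessages facesMessages;

                      // Outjected so pages and other components can reference the logged-in user
                      @Out(required=false)
                      Operator currentUser;

                      @Transactional
                      public boolean authenticate() {
                          try {
                              // Look the user up by the submitted username (bound parameter, no string concatenation)
                              Operator user = (Operator) entityManager.createQuery("select u from Operator u left join fetch u.managementCentre c where u.userName = :username")
                                  .setParameter("username", credentials.getUsername())
                                  .getSingleResult();

                              // Check the password with an exact, case-sensitive match. The stored
                              // value is compared directly with the submitted one; it is not hashed here.
                              if (!user.getUserPassword().equals(credentials.getPassword())) return false;

                              actor.setId(user.getUserName());
                              if (user.getUserRoles() != null) {
                                  // Copy the user's roles into the Seam identity (and the JBPM actor)
                                  for (Role role : user.getUserRoles()) {
                                      identity.addRole(role.getName());
                                      actor.getGroupActorIds().add(role.getName());
                                  }
                              }

                              currentUser = user;
                              identity.addRole("user");

                              return true;

                          } catch (NoResultException e) {
                              // Unknown username: authentication fails
                              return false;
                          }
                      }
                  }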
                  



                  You need to add the following to components.xml




                        <security:identity authenticate-method="#{authenticationManager.authenticate}"  />
                  




                  • 6. Re: File access permission to users
                    seamkaruna

                    hi Leo,


                    I have just gone through the identity-management, and everything is OK, but when running the project I still get the same welcome page instead of the identity management page when I enter as admin.


                    I couldn't understand how to set the hibernate.hbm2ddl.auto setting in my DOS console.

                    • 7. Re: File access permission to users
                      lvdberg

                      Hi,


                      I am not at my usual workplace, so I can't cut and paste some code for examples. You need to put the login requirement in the pages.xml file. Something like this:




                      <pages login-view-id="your-login-page.xhtml">
                      ...
                        <page view-id="/yourSecurePageDir/*" login-required="true" />
                      ...
                      </pages>



                      That Hibernate property is set in the config files. For JPA that is persistence.xml, and there you will find that setting, or you need a new one.



                      Leo

                      • 8. Re: File access permission to users

                        Hi,
                        What Leo has told you is perfect. To go further, there is another approach for security issues.
                        You may use Drools. Your application has a security.drl file.
                        There you may define that to display a page you must have a role.
                        For instance, if you have a Restricted.xhtml page that may be visited only by users whose role is admin or advancedUser, you should configure it this way:


                        In your security.drl file add:


                        rule Restriction
                        when
                            c: PermissionCheck(name == "/Restricted.xhtml")
                            Role(name == "admin") 
                            or 
                            Role(name == "advancedUser")
                        then
                            c.grant();
                        end;
                        



                        On the other hand in your pages.xml add this:



                            <page view-id="/Restricted.xhtml">
                                <restrict/>
                            </page>        
                        



                        The latter means that before displaying Restricted.xhtml, it checks whether there is a rule in the security.drl file. It would find the Restriction rule and then check if the user's role is admin or advancedUser.


                        For using this approach, the use of roles and identities is compulsory.


                        A summary tip:
                        The following:


                            <page view-id="/Restricted.xhtml">
                                <restrict>#{s:hasRole('adminGral')}</restrict>
                            </page>
                        


                        is the same as this


                            <page view-id="/Restricted.xhtml">
                                <restrict/>
                            </page>
                        



                        in addition to this


                        rule Restriction
                        when
                            c: PermissionCheck(name == "/Restricted.xhtml")
                            Role(name == "admin") 
                        then
                            c.grant();
                        end;
                        



                        • 9. Re: File access permission to users
                          seamkaruna

                          hi Leo and Jaime,


                            Thanks a lot, I have successfully done those things. Great work by you people.


                          thanks a lot