7 Replies Latest reply on Dec 14, 2009 1:54 AM by prati

    ACL Security In Seam

    prati
      Hi

      I am trying to implement ACL-based security in Seam.
      The code goes like this:

      @Entity
      public class AccountPermission implements Serializable
      {        
         @Id @GeneratedValue public Integer permissionId;
         @PermissionUser @PermissionRole public String recipient;
         @PermissionTarget public String target;
         @PermissionAction public String action;
         @PermissionDiscriminator public String discriminator;
      }

      <security:jpa-permission-store user-permission-class="com.acme.AccountPermission"/>


      PermissionManager.instance().grantPermission(new Permission(entityManager.find(Customer.class, 1234),
          "update", new SimplePrincipal("bob")));


      AccountPermission
      =================
      RECIPIENT  TARGET         ACTION  DISCRIMINATOR
      -----------------------------------------------
      bob        Customer:1234  update  user


      I can store data in the respective AccountPermission table, BUT when I log in I can't see any effect of the permission.

      Do I need to restrict it from the view or the action class as well?

      Thanks

        • 1. Re: ACL Security In Seam
          prati

          Related to my previous post...
          I am trying to restrict using @Restrict on the action, but it's giving an AuthorizationException.

          • 2. Re: ACL Security In Seam
            josdaniel

            Check to see if you see a corresponding entry in the permissions table for your update permission.

            • 3. Re: ACL Security In Seam
              prati
              Hi,

              Yes, I can see the entry going into the AccountPermission table; there is no problem with that.

              AccountPermission
              =================
              RECIPIENT  TARGET         ACTION  DISCRIMINATOR
              -----------------------------------------------
              bob        Customer:1234  update  user

              My issue is that my @Restrict on the action is not working. I am using @Restrict or
              @Restrict("#{s:hasPermission('customer','update')}").

              But no luck; it gives me an AuthorizationException.

              Thanks
              Prati
              • 4. Re: ACL Security In Seam
                joblini

                It would have to be


                @Restrict("#{s:hasPermission('customer:1234','update')}").



                That is, the target must match exactly the value of @PermissionTarget, which is customer:1234


                If you want to secure by entity instance, you may use annotations on the entity which will result in interceptors being invoked to authenticate whenever an entity instance is accessed. See the documentation for details.  

                • 5. Re: ACL Security In Seam
                  prati

                  Hi


                  Thank you, it worked :-). Yes, I need to secure the entity. I will check the Seam documentation.


                  Thanks once again.


                  Regards
                  Prati

                  • 6. Re: ACL Security In Seam
                    prati
                    I have one more query. I am not using jboss-rules, and what I am trying to do is:

                    1) If I log in as 'Admin' I should be able to see all Customers,
                    2) If I log in as 'User' I should be able to see only a few Customers.

                    I did it like this:

                    AccountPermission accountPermission = (AccountPermission) em
                            .createQuery("SELECT a FROM AccountPermission a WHERE a.recipient = :recipient")
                            .setParameter("recipient", recipient)
                            .getSingleResult();

                    // target is stored as "Customer:1234": entity class name, colon, entity id
                    String targetClass = null;
                    Integer targetId = null;
                    String[] targetParts = accountPermission.getTarget().split(":");
                    if (targetParts.length == 2) {
                        targetClass = targetParts[0];
                        targetId = Integer.parseInt(targetParts[1]);
                    }

                    since the target is saved like 'Customer:1234'.

                    Then I searched for targetId in the Customer table.

                    I am not sure whether this is the best way of doing this.
                    Can I do this using the PermissionStore?
                    Please suggest.

                    Thanks
                    P
                    • 7. Re: ACL Security In Seam
                      prati

                      http://seamframework.org/Documentation/ACLSecurityInSeam


                      Or does it have to be done as mentioned in the link above?


                      Thanks
                      P
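
Added example (not code from this thread or from the Seam project) that ties together the two points raised above: joblini's answer that the permission target must match the stored target string exactly, and prati's question in reply 6 about listing only the Customers a user may see without hand-parsing the "Customer:1234" target column. It relies on the Seam 2 security API (Identity.hasPermission, Identity.filterByPermission, PermissionManager, the s:hasPermission EL function) together with the jpa-permission-store configured earlier in the thread. The Customer entity, the customerAction component name and the 'admin' role name are assumptions for illustration.

```java
package com.acme;

import java.util.List;

import javax.persistence.EntityManager;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.security.Restrict;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.SimplePrincipal;
import org.jboss.seam.security.management.PermissionManager;
import org.jboss.seam.security.permission.Permission;

// Assumed component name; referenced from the EL below.
@Name("customerAction")
@Scope(ScopeType.CONVERSATION)
public class CustomerAction {

    @In EntityManager entityManager;
    @In Identity identity;

    private Customer customer;   // assumed entity with an Integer @Id

    // Pass the entity INSTANCE to s:hasPermission, not a hand-typed string.
    // Seam's EntityIdentifierStrategy derives the same "Customer:1234" target
    // identifier that JpaPermissionStore wrote into @PermissionTarget, so the
    // check cannot drift from the stored row ('customer:1234' vs 'Customer:1234',
    // a renamed class, a different id). A mismatch is an AuthorizationException
    // with no hint as to why, which is what the original poster ran into.
    @Restrict("#{s:hasPermission(customerAction.customer, 'update')}")
    public void update() {
        entityManager.merge(customer);
    }

    // The same check, done programmatically when a boolean is more useful
    // than an exception (e.g. to render or hide an edit button).
    public boolean canUpdate(Customer c) {
        return identity.hasPermission(c, "update");
    }

    // Reply 6's requirement without parsing the target column: an admin sees
    // every Customer; anyone else sees only those for which a matching "read"
    // permission row exists for them (as a user or via one of their roles).
    // filterByPermission removes the disallowed elements from the collection
    // in place, so pass a mutable list, not the query's unmodifiable result.
    @SuppressWarnings("unchecked")
    public List<Customer> visibleCustomers() {
        List<Customer> all = new java.util.ArrayList<Customer>(
            entityManager.createQuery("select c from Customer c").getResultList());
        if (identity.hasRole("admin")) {     // 'admin' role name is assumed
            return all;
        }
        identity.filterByPermission(all, "read");
        return all;
    }

    // Grant is built from the entity instance too, so the stored target is
    // produced by the same strategy the checks above use.
    public void grantReadTo(Customer c, String username) {
        PermissionManager.instance().grantPermission(
            new Permission(c, "read", new SimplePrincipal(username)));
    }

    public Customer getCustomer() { return customer; }
    public void setCustomer(Customer customer) { this.customer = customer; }
}
```

Two caveats a practitioner would want: filterByPermission still loads every Customer before discarding most of them, so for a large table the permission store's listPermissions for the recipient, or a join against the permission table, is the cheaper route; and PermissionManager checks that the caller is itself allowed to grant on that target before writing the row, so grantReadTo belongs behind an admin-only path rather than in general-purpose code.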