23 Replies. Latest reply on Jul 2, 2006 11:46 AM by gavin.king
      • 15. Re: Security Framework w/Seam
        gavin.king


        "max.andersen@jboss.com" wrote:
        How would you do dynamic contextual security or ACL checks?
        (or maybe that is considered business logic instead of security ;)

        e.g. how would I ask: hasPermissionTo('drug',$patient.ssn, $department)

        this is a variation of ACL security http://acegisecurity.org/docbook/acegi.html#acls

        The trick here is that there is not a constant range of values for the patient and department since they are driven by the business.

        I never found a good way of doing that with ejb security; so if that is possible in ejb3 now then I would like to hear about it.


        So my understanding is that in theory, JAAS/JACC can handle this kind of thing (i.e. conceptually you can write a permission that can take dynamic arguments and/or access Seam contexts); however, in practice there is no good way to actually set this up.

        This absolutely _is_ an area I want to explore.

        Is this something that Acegi handles nicely?

        • 16. Re: Security Framework w/Seam
          maxandersen

          Yes, JAAS's authorization model allows for this.

          I actually implemented such a thing in the past, but had to do it via a copy of the JAAS API since there was no standard way of configuring the JAAS provider in the various J2EE containers that would guarantee the correct runtime/classloading.

          Acegi was not mature back then, so I only know about its capabilities via the documentation; and there it at least looks like they have the hooks for it, plus a basic implementation of it.

          • 17. Re: Security Framework w/Seam
            sforsyth


            e.g. how would I ask: hasPermissionTo('drug',$patient.ssn, $department)


            Max... I'm not sure what exactly you are trying to do here... are you saying that given the patient.ssn and department, you want to know if they have access to a certain instance of the drug class?

            If so, then you probably don't want ACL... ACLs are for matching a "User" with certain Objects... not data from other Objects. So with ACLs, you could say that the Drug Objects with IDs 2, 8 & 456 are allowed access for User "blah".

            I believe what you are looking for is an After Invocation interceptor. Basically, you create a security class that takes in your object (Drug?, interface provided by Acegi) from maybe where you load your object, like a getDrug(Long id), and then you can run any sort of test you want against the Drug Object to see if it passes authorization. You tell Acegi to run the security code on the Object returned by your getter, so you're setting it up against a particular method. I can post a bit of code that I wrote to do this if this is what you were thinking about and you want to see how Acegi handles it.


            • 18. Re: Security Framework w/Seam
              maxandersen

              No, what I am trying to decide is if the current user (should probably also be a parameter) is allowed to perform the action 'drug' on a certain patient while being on a certain department.

              And it should be something I can *ask* about at any place in the code; not something necessarily only at interceptor level.

              JAAS has the mechanism for *asking* such questions (Permission and SecurityManager, if I remember correctly), and with Java EE 5 it seems like JAAS configuration has been standardized, meaning you should be able to install your own logic checker, keeping the implementation details out of the code; but the question is asked via a standard API.

              P.S. Java EE 5 might have made it theoretically available, but I'm not sure if it is in practice in the various containers.



              • 19. Re: Security Framework w/Seam
                fguillaume

                Gavin, I'd be interested in seeing code for a Permission class that would have access to a Seam context to do its checks. Even rough/draft/incomplete code would be good.

                I have the same problem as other posters, I'm in a content management system and I want security checks that depend on the current user *and* the current seam context so that I can match the user with the ACLs defined on the "document" in the given context.

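The check Max and fguillaume describe, as an added example that is not code from the thread, from Seam or from JBoss: a `java.security.Permission` subclass whose arguments are business data (action, patient, department), so that `hasPermissionTo('drug', $patient.ssn, $department)` can be asked from anywhere in the code. Every class, method and sample grant below is an assumption made for illustration; in a Seam application the current user and department would be read from the Seam contexts before calling `hasPermissionTo`, and the grant table would be loaded from the business data rather than hard-coded.

```java
import java.security.Permission;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative only: a JAAS-style Permission that carries dynamic business
 * arguments, plus a small authorizer that answers the question directly.
 * Nothing here is Seam, JBoss or Acegi API.
 */
public class ClinicalAuthzDemo {

    /** Permission carrying the dynamic arguments of the question. */
    static final class ClinicalPermission extends Permission {
        private final String action;      // e.g. "drug"
        private final String patientId;   // e.g. the patient's SSN, or "*" in a grant
        private final String department;  // e.g. "oncology", or "*" in a grant

        ClinicalPermission(String action, String patientId, String department) {
            super(action + ":" + patientId + "@" + department);
            this.action = action;
            this.patientId = patientId;
            this.department = department;
        }

        /** A granted permission implies a requested one when every field matches or is "*". */
        @Override
        public boolean implies(Permission other) {
            if (!(other instanceof ClinicalPermission)) {
                return false;
            }
            ClinicalPermission req = (ClinicalPermission) other;
            return matches(action, req.action)
                && matches(patientId, req.patientId)
                && matches(department, req.department);
        }

        private static boolean matches(String granted, String requested) {
            return "*".equals(granted) || granted.equals(requested);
        }

        @Override
        public boolean equals(Object o) {
            return o instanceof ClinicalPermission
                && getName().equals(((ClinicalPermission) o).getName());
        }

        @Override
        public int hashCode() {
            return getName().hashCode();
        }

        @Override
        public String getActions() {
            return action;
        }
    }

    /** Grant table keyed by user name (constructed stand-in for the business data). */
    static final class ClinicalAuthorizer {
        private final Map<String, Set<ClinicalPermission>> grants = new HashMap<>();

        void grant(String user, String action, String patientId, String department) {
            grants.computeIfAbsent(user, u -> new HashSet<>())
                  .add(new ClinicalPermission(action, patientId, department));
        }

        /** The question from the thread, answerable at any point in the code. */
        boolean hasPermissionTo(String user, String action, String patientId, String department) {
            ClinicalPermission requested = new ClinicalPermission(action, patientId, department);
            for (ClinicalPermission granted
                    : grants.getOrDefault(user, Collections.<ClinicalPermission>emptySet())) {
                if (granted.implies(requested)) {
                    return true;
                }
            }
            return false;
        }

        /** Same check in the throwing style of AccessController.checkPermission. */
        void checkPermission(String user, String action, String patientId, String department) {
            if (!hasPermissionTo(user, action, patientId, department)) {
                throw new SecurityException(user + " may not " + action + " for patient "
                    + patientId + " in " + department);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample grants: alice may act on any oncology patient;
        // bob only on one patient, and only while working in cardiology.
        ClinicalAuthorizer authz = new ClinicalAuthorizer();
        authz.grant("alice", "drug", "*", "oncology");
        authz.grant("bob", "drug", "123-45-6789", "cardiology");

        System.out.println(authz.hasPermissionTo("alice", "drug", "123-45-6789", "oncology"));   // own department
        System.out.println(authz.hasPermissionTo("alice", "drug", "123-45-6789", "cardiology")); // other department
        System.out.println(authz.hasPermissionTo("bob", "drug", "123-45-6789", "cardiology"));   // granted patient
        System.out.println(authz.hasPermissionTo("bob", "drug", "987-65-4321", "cardiology"));   // other patient
        System.out.println(authz.hasPermissionTo("bob", "discharge", "123-45-6789", "cardiology")); // other action

        authz.checkPermission("alice", "drug", "123-45-6789", "oncology");
        try {
            authz.checkPermission("bob", "drug", "987-65-4321", "cardiology");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The authorizer answers the question itself instead of going through `AccessController.checkPermission`, which is the part Max says could not be configured portably: to use the standard API, a custom `java.security.Policy` whose `implies(ProtectionDomain, Permission)` consults this grant table would have to be installed in the container, and the caller would then ask `AccessController.checkPermission(new ClinicalPermission(...))`. The `implies` logic is the same either way, and it is what makes the check "dynamic": the patient and department are compared at call time, not enumerated in a role list.
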
                • 20. Re: Security Framework w/Seam
                  awhitford

                  A best practices guide for security in Seam seems to be in order. I think the use cases can be boiled down to a few scenarios, then an explanation as to how to address them will tell you whether the present mechanisms are sufficient, or if an Acegi mechanism is needed.

                  I am a big believer in addressing security via AOP because I don't really believe that you can know exactly how you want to address security at POJO compile-time (and over the life of a project, security requirements can change drastically). But if you can take a project and then apply AOP rules before deployment, this is a very flexible solution.

                  • 21. Re: Security Framework w/Seam
                    gavin.king

                    Yes, it is definitely needed. Unfortunately I am no security expert and I'm trying to piece this stuff together slowly. Also I've got *lots* of other things I'm trying to find time to work on...

                    • 22. Re: Security Framework w/Seam
                      awhitford

                      Gavin, I appreciate that you must have a thousand things, but let me just say that one of the best things about Spring (besides IoC, AOP, etc.) is the Acegi framework because one of the biggest problems with open source frameworks is that security seems to be an afterthought.

                       I will admit that I haven't used Seam yet, but it looks really great because I'm already on the Java 5, EJB3 bandwagon, and expect to jump on the JSF bandwagon very soon. Security is one area where I wonder if Seam is deficient, and I get the impression that I am not alone. I think that if this area was better documented, you would see greater commitment for Seam.

                      I know you mentioned that you felt that Acegi is tightly integrated with Spring (and they even admit it). Would it be a big deal to run Seam with Spring core and Acegi? Are you aware of a technical reason as to why this is a bad idea, or is it philosophical (like why have two IoC mechanisms?). Because this was sort of my plan (at least for the short term). Maybe Acegi should be submitted to the JCP much like how Seam has been.

                      Finally, how big is the Seam team?

                      • 23. Re: Security Framework w/Seam
                        gavin.king

                        Well, the thing is, no-one has yet convinced me that we are so very deficient ;-) I mean, I am totally prepared to believe we are deficient, but I need to know _how_ we are deficient.

                         I have been asking and asking for someone to explain what it is about EJB3 role-based security (@RolesAllowed) that does not let them do what they want to do. No-one has yet given me a straight answer....

                        (I mean, I have a clue of some things, but I need concrete real-life examples.)

                        Well, I know that there is one problem:

                        Servlet spec authentication is totally broken and crap. So people have to write their own authentication layer. And then, people have trouble integrating their homegrown authentication with Java EE security.

                         However, it turns out that this problem is solvable: you can write a servlet filter that grabs your principal from the HttpSession and calls directly to JAAS to establish the association between the request and the principal. Then you can take advantage of the EJB3 authorization stuff.

                        So, what I need to know is: what is this magical stuff that Acegi has that Java EE authorization does not have?

                         (I don't think it's possible to just have a Seam component take advantage of Acegi via Spring - the whole interceptor model is different.)

                        (People working actively on Seam are: me, Shane, Thomas, Norman, with Jacob and Tom advising. But note that none of these people are anything like fulltime on the project.)

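The servlet filter Gavin sketches in reply 23, as an added example that is not code from the thread, from Seam or from JBoss: it reads the identity the application's own login code stored in the HttpSession, runs a JAAS `LoginContext.login()` so that the principal is bound to the current thread for the EJB calls made during the request, and logs out again when the request finishes. The session attribute names, the `loginConfigName` init parameter and the `"client-login"` JAAS configuration name (the JBoss `ClientLoginModule` entry, which records the name and credential for later EJB invocations without validating them at `login()` time) are assumptions; the filter mapping in web.xml is not shown.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Illustrative only: re-establishes the JAAS association for a user the
 * application authenticated itself, so EJB3 @RolesAllowed checks see that
 * principal. Attribute names and the JAAS configuration name are assumed.
 */
public class JaasAssociationFilter implements Filter {

    /** Where the application's own login code stored the identity (assumed names). */
    static final String USER_ATTR = "app.principal";
    static final String CREDENTIAL_ATTR = "app.credential";

    /** JAAS application name; "client-login" is assumed to be a ClientLoginModule entry. */
    private String loginConfigName = "client-login";

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("loginConfigName");
        if (configured != null) {
            loginConfigName = configured;
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        String user = session == null ? null : (String) session.getAttribute(USER_ATTR);
        if (user == null) {
            // Not logged in at the application level: pass through unauthenticated and
            // let the container's authorization (or the application) reject protected calls.
            chain.doFilter(request, response);
            return;
        }
        char[] credential = (char[]) session.getAttribute(CREDENTIAL_ATTR);

        LoginContext loginContext;
        try {
            loginContext = new LoginContext(loginConfigName,
                    new SessionCallbackHandler(user, credential));
            loginContext.login(); // binds the principal to this thread for the EJB calls that follow
        } catch (LoginException e) {
            throw new ServletException("could not establish JAAS association for " + user, e);
        }
        try {
            chain.doFilter(request, response);
        } finally {
            // Always undo the association: container threads are pooled, and a leaked
            // principal would be inherited by the next request served on this thread.
            try {
                loginContext.logout();
            } catch (LoginException ignored) {
                // the request has already completed; nothing more to do
            }
        }
    }

    @Override
    public void destroy() {
    }

    /** Feeds the session-held identity to whichever login module asks for it. */
    static final class SessionCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] credential;

        SessionCallbackHandler(String user, char[] credential) {
            this.user = user;
            this.credential = credential == null ? new char[0] : credential;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(user);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(credential);
                } else {
                    throw new UnsupportedCallbackException(callback, "unsupported callback");
                }
            }
        }
    }
}
```

Two things a practitioner would check before relying on this: the filter must be mapped so that it runs after the application's login page has populated the session and before any request that reaches an EJB, and with a client-side login module the credential stored in the session is handed to the server-side login module on every EJB call, so it should be whatever that module accepts (a token where possible rather than the clear-text password). The `logout()` in `finally` is what keeps the association request-scoped.
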

