7 Replies Latest reply on Jul 25, 2006 3:34 PM by Gavin King

    ACL in Seam

    Anthony Yuan Newbie

      I am new to Seam and not familiar with JAAS as well. As I know, we can use JAAS to build method level permission control. But I am wondering how to implement object level permission control, i.e. ACL.

      Do we have a framework, like acegisecurity, can be used with EJB and Seam or have to develop by our own? Or Seam alread has relevant functions I overlooked?

      Thanks

        • 1. Re: ACL in Seam
          Gavin King Master

          EJB 3.0 provides method-level permissioning as a standard feature. You can use that.

          • 2. Re: ACL in Seam
            js8523 Novice

            Hi Gavin,

            I think that you missed yaun point, which is object level permission, like one user can edit one customer, but only view another customer.

            I was thinking a Entity Users_Role which you could then inherit (therefore extend the data model), and add custom properties (i.e. customer foreign key, or any other type of datamodel object). You could do the equiverlent of this to the Role Entity allowing people to custom design the priveledges a Role can have.

            You could then add a equiverlent to isUserInRole called hasPriveledge that checks the current principal has the priveledge.

            In answer to the original question, people have tried to use acegi with Seam with some success, please search this forum for previous posts.

            If you come up with any firm information you could post it on the Wiki.

            HTH,

            James

            • 3. Re: ACL in Seam
              Anthony Yuan Newbie

              Thanks both of you for quick response,

              I think James got my point.

              I think I can add 'hasPriveledge' annotation to implement this function like James suggested and migrate some codes from Acegi (or do some customization to make it work with seam). But I want to make sure this is a good way to go and I am not re-inventing wheel as well.

              In addition, I did some search before opening this discuss, only found this one http://jboss.com/index.html?module=bb&op=viewtopic&t=81833. But seems no result came out in the end. I will appreciate if you can give me some pointers I missed.

              • 4. Re: ACL in Seam
                js8523 Novice

                Hi Yuan,

                Unfortuneatly I have not attempted acegi, and instead created my own security layer (using JACC and database authetication on some custom user, role, and user_role entities), but I have not been succesful in implimenting hasPriveledge yet! I followed the wiki items on JACC container security. THANKS TO THOSE GUYS.

                I believe from looking at CVS that Shane is specing out a Seam security layer , using a servlet filter, but this looks very work in progress. I don't know how far they have got or what scope there implementation will be (method level role, or user object level permissions).
                I hope they look into user object level permissions as this could be done quite elegantly with Entity inheritance.

                So I imagine if you have any valid learning points it would be useful to the Seam guys.

                Hope this helps,

                James



                • 5. Re: ACL in Seam
                  jbpmndc Newbie

                  Acegi's voter mechanism provides the ability to assemble permissions dynamically based on changing events. Does anyone one know if JAAS provides an equivalent.

                  A common situation people may encounter is the need to dynamically add permissions to a user when a task is assigned to them using jBPM.

                  • 6. Re: ACL in Seam
                    Anthony Yuan Newbie

                    Thanks James! The information you provided is very helpful.

                    • 7. Re: ACL in Seam
                      Gavin King Master

                       

                      "jbpmndc" wrote:
                      Acegi's voter mechanism provides the ability to assemble permissions dynamically based on changing events. Does anyone one know if JAAS provides an equivalent.

                      A common situation people may encounter is the need to dynamically add permissions to a user when a task is assigned to them using jBPM.


                      Interesting, this is a really good example of something thats not easy to do in Java EE security out of the box. I'll point Shane over here and maybe he can look at it as part of the work he is doing now.