1 Reply Latest reply on Aug 26, 2006 8:20 AM by Nick Golovin

    Best practice - Where to put authorization code

    Abhilash Kumar Newbie


      After going through the Seam examples and Reference Doc, and also through the postings in this forum, we have decided on a strategy for authentication and authorization with Seam.

      1. Use JAAS for authentication (FORM based)
      Put all the pages to be protected under a JSP or JSF directory. Put login.html, loginerr.html and all the resources needed for these pages (images, stylesheets etc) outside the protected dir and configure JAAS.

      2. Authorisation.

      Use the page URIs (for initial page requests) and page URI + action method as the view id for uniquely identifying the request, and associate this with a role name in the database. Write a filter for "/*" below the Seam Exception Filter in the filter chain. Get the user name from the JAAS caller principal and get his roles from the db / cache. Get the URI and action from the request, get the needed role from the db / cache, check whether the user has the role and proceed accordingly.

      Why we didn't go for declarative authorisation with JAAS is because of the inconvenience of arranging the pages in dirs according to roles or writing URI regular expressions for role matching. Since we needed fine-grained access control to pages, we thought this would be a better method.

      Please suggest whether there is any better approach to do the above with Seam, or any problems that anyone can see in this approach from their experience.

      thanks and regards,

      -- Kannan.
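As an added illustration of step 2 of the post (this is not code from the original post, from Seam, or from JAAS), here is a servlet filter that derives a view id from the request URI plus an action, looks up the role that view id requires, and checks it against the caller's roles. The two in-memory maps stand in for the database / cache lookups the post describes; the view ids, role names and the assumption that the action method name arrives as a request parameter named `action` are all constructed for the example.

```java
package example.seam.authz; // hypothetical package for the example

import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Authorization filter, mapped to "/*" and placed after the Seam exception
 * filter in web.xml. JAAS FORM login has already run by the time it executes,
 * so the caller principal is available from the request.
 */
public class ViewRoleFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(ViewRoleFilter.class.getName());

    // Assumption: the action method name is passed as this request parameter.
    private static final String ACTION_PARAM = "action";

    // Stand-in for the "view id -> required role" table in the database / cache.
    // All entries are constructed sample data.
    private static final Map<String, String> REQUIRED_ROLE;
    // Stand-in for the "user -> roles" lookup in the database / cache.
    private static final Map<String, Set<String>> USER_ROLES;
    static {
        Map<String, String> r = new HashMap<String, String>();
        r.put("/orders.jsf", "orders-viewer");            // initial page request
        r.put("/orders.jsf:approve", "orders-approver");  // page URI + action method
        r.put("/admin.jsf", "admin");
        REQUIRED_ROLE = Collections.unmodifiableMap(r);

        Map<String, Set<String>> u = new HashMap<String, Set<String>>();
        u.put("alice", new HashSet<String>(java.util.Arrays.asList("orders-viewer", "orders-approver")));
        u.put("bob", new HashSet<String>(java.util.Arrays.asList("orders-viewer")));
        USER_ROLES = Collections.unmodifiableMap(u);
    }

    public void init(FilterConfig cfg) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Principal caller = request.getUserPrincipal();
        if (caller == null) {
            // No JAAS login yet: the container's FORM login should have intercepted this.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String viewId = viewId(request);
        if (!isAllowed(caller.getName(), viewId)) {
            // Record who was denied what, so denials can be reviewed later.
            LOG.warning("authz denied user=" + caller.getName() + " view=" + viewId);
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Context-relative URI, with ":action" appended when an action method is named. */
    static String viewId(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        String action = request.getParameter(ACTION_PARAM);
        return (action == null || action.length() == 0) ? path : path + ":" + action;
    }

    /** Deny by default: a view id with no mapped role is never allowed. */
    static boolean isAllowed(String user, String viewId) {
        String needed = REQUIRED_ROLE.get(viewId);
        if (needed == null) {
            return false;
        }
        Set<String> roles = USER_ROLES.get(user);
        return roles != null && roles.contains(needed);
    }
}
```

With the sample data, `isAllowed("bob", "/orders.jsf")` is true while `isAllowed("bob", "/orders.jsf:approve")` and `isAllowed("alice", "/reports.jsf")` are both false; the second because bob lacks the approver role, the third because an unmapped view id falls through to the deny-by-default branch rather than being served. If the roles are to come from the container's JAAS configuration instead of the post's own db / cache lookup, `request.isUserInRole(needed)` replaces the `USER_ROLES` check.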