1 2 Previous Next 18 Replies Latest reply on Dec 14, 2006 5:50 AM by David Alves

    Security

    Michael Singer Newbie

      I noticed that there were major changes today in the security packages in the latest CVS snapshot and that the security example was removed.

      Can anybody give me a status report on the proceedings on security? We need to do jaas with our custom login modules and we need to do role checking in our web UI...

        • 1. Re: Security
          Gus Gu Expert

          Based on the Road Map listed on the top, the Seam security should be released in Seam 1.1.5.GA ( 12/Jan/07 )

          • 2. Re: Security
            Michael Singer Newbie

            I know the release plan ;-)

            Some details on the current implementation status would be nice...

            Maybe there is something useful in there to play with prior to the official release ;-)

            • 3. Re: Security
              Gus Gu Expert

              I don't know whether this thread will be helpful: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=95430

              • 4. Re: Security
                None None Master

                I'm looking forward to it. I spent several days looking into the Java Security APIs and I got the big Sun Java Security book and read it. I want a simple way to let users log in and view web pages! How hard could that be? But after carefully reading Sun's Java Security book, I learned that I could easily build plugable security architectures and whatever but there was no reasonable way to, say, password protect a database. I'm looking forward to being able to do declarative security: "These web pages can only be accessed by users in role ___. These class methods can only be accessed by users in role ___. These objects can only be accessed by users in role ___." Combine that with annotations on classes like, "this class is a user with role ___", and then a way to define a Authentication class that lets me say "if(password.equalsIgnoreCase(user.password)). HOW HARD COULD THAT BE? And yet there doesn't seem to be any way to do that at all with Sun's security architecture. Anyway if Seam can make that happen that will be great.

                • 5. Re: Security
                  Shane Bryzak Master

                  The security API is undergoing some major changes, but as mentioned previously is due to be released in Seam 1.1.5GA. Gavin and I reviewed what we already had and came up with some innovative (at least I think so) new ideas, including using Drools to perform dynamic permission checks and support for more flexible expression-based security checks.

                  I'm only able to proceed on this stuff in my spare time at the moment, but from December 20 I'll be working on it full time so there should be more to show shortly after this date.

                  • 6. Re: Security
                    Michael Singer Newbie

                    @sbryzak2

                    I am looking forward to the security stuff. Let me ask another questions to clarify things:

                    Seam 1.1.5.GA will be released on 12. Jan. 2007, do you think the security stuff will then be in a state in which I can use my own JAAS LoginModules, the authentication information (the subject, the roles) are somehow accessible from the xhtml pages?

                    If this will be ready in january I can reschedule my project an avoid some nasty hacks. If you think this might not be working in january I have to proceed working on my custom login solution.

                    What do you think?

                    • 7. Re: Security
                      Gavin King Master

                      12 Jan is an approximate date.

                      • 8. Re: Security
                        Edwin van der Elst Newbie

                         

                        "SmokingAPipe" wrote:
                        HOW HARD COULD THAT BE?

                        It's not so hard. Look into JAAS and declerative security in j2ee (web.xml or on ejb-methods).
                        It is quite easy to provide your own password matching code.

                        Edwin

                        • 9. Re: Security
                          David Alves Newbie

                          Just one question:

                          In the final version, sema security will be integrated with the JSF/JAAS security context right? So when I implement an Authenticator the returned principal will be available through FacesContext, like any other tradicional JAAS login method.

                          I ask this because if so I will wait for this method wich I think is more powerful in some ways. If not please tell me so so I can go in the traditinal j_security_chek method.

                          David

                          • 10. Re: Security
                            David Alves Newbie

                            btw sorry for my typing mistakes, new keyboard :)

                            • 11. Re: Security
                              Shane Bryzak Master

                              There will be integration with JSF/JAAS security, but I can't promise that it will be in the first release. Do you have a specific requirement/reason for having to use JAAS?

                              And Mike to (hopefully) answer your question, the security API will provide a way to check roles and permissions within your pages.

                              • 12. Re: Security
                                None None Master

                                 

                                "sbryzak2" wrote:
                                There will be integration with JSF/JAAS security, but I can't promise that it will be in the first release. Do you have a specific requirement/reason for having to use JAAS?


                                I don't. I checked into JAAS and it seemed way more complicated than what I need.

                                For me, the use case I need is simple:

                                Log in users based on a simple call-back object, which will itself check passwords in the DB or using the EntityManager.

                                Restrict access to web pages based on the user type

                                Render or don't render certain components of web pages based on user type. For example, in a web forum, for a moderator show a "lock thread" button, but for ordinary users, don't show it.

                                That's all I need! I can do that quite easily with Seam and a Filter now, but it would be great if it were integrated.

                                Oh, and a bit of extra niceness I would like, but don't need: be able to annotate methods on various classes to say that only certain user roles can access them. So there might be methods on objects that an Administrator can access, but a Customer can't even use the method, so if I mess up, the object itself has a layer of protection. That would be nice.


                                • 13. Re: Security
                                  Shane Bryzak Master

                                  In that case, the security API has got you covered for all these requirements.

                                  • 14. Re: Security
                                    David Alves Newbie

                                    Thanks for the reply Shane!

                                    I need the security to be integrated because I am migrating an application to seam and some of the older modules test for role allowance programatically from the faces context. Besides I think any non-seam aware JSF framework will espect the same.

                                    But there is another reason, if I use my own authenticator to fetch Users and Roles the only way to test for roles now is the isUserInRole component right (or fetch the roles programatically from the seam context)? and this component test for the roles in the faces context, right?

                                    1 2 Previous Next