11 Replies Latest reply on Dec 26, 2006 1:40 AM by Norman Richards

    Seam 1.1.5 & SeamSecurity...

    Gregory Nikle Apprentice

      Hi Gavin!
      I read on form here http://www.jboss.com/index.html?module=bb&op=viewtopic&t=96461, what U said
      about SeamSecurity "12 Jan is an approximate date." (to finish), but on Jira page, production status is
      "Blocker" what that this mean?
      Will you finish those security module?

        • 1. Re: Seam 1.1.5 & SeamSecurity...
          Gavin King Master

          "Blocker" means blocking the release. ie. we can't release 1.1.5 without it.

          • 2. Re: Seam 1.1.5 & SeamSecurity...
            Gregory Nikle Apprentice

            Hi Shane!,
            I found on jira page, info about Seam Security...but I'm intrested about one think: <s:secure/> <<== how can we use it?

            In seam 1.1.0 Beta 1 was one simple example of SeamSecurity app, but I can't find use of <s:secure/> there.
            Thanks...

            By the way, is somewhere page with full info about Seam Security, with examples or we must wait for full doc in Seam 1.1.5?
            Regards!

            • 3. Re: Seam 1.1.5 & SeamSecurity...
              Shane Bryzak Master

              <s:secure> is gone, it's been replaced with EL expressions s:hasRole and s:hasPermission.

              Unfortunately you'll have to wait until 1.1.5 for the examples and docs, but it's only a few weeks away.

              • 4. Re: Seam 1.1.5 & SeamSecurity...
                Gregory Nikle Apprentice

                I got another question....it is posible to run those SeamSecurity example?
                When I deploy project I get an Error:

                15:42:47,234 INFO [Component] Component: org.jboss.seam.core.init, scope: APPLICATION, type: JAVA_BEAN, class: org.jboss.seam.core.Init
                15:42:47,250 ERROR [[/seam-security]] Exception sending context initialized event to listener instance of class org.jboss.seam.servlet.SeamListener
                java.lang.NullPointerException
                 at org.jboss.seam.util.Conversions$FlatPropertyValue.isExpression(Conversions.java:240)
                 at org.jboss.seam.Component.getInitialValue(Component.java:357)
                 at org.jboss.seam.Component.initInitializers(Component.java:341)
                 at org.jboss.seam.Component.<init>(Component.java:248)
                 at org.jboss.seam.Component.<init>(Component.java:193)
                


                I think Seam needs somethink : java.lang.NullPointerException
                I got jboss-seam.jar in ear file and
                el-api.jar
                el-ri.jar
                jsf-facelets.jar int WEB-INF/lib

                jboss-seam.jar is form Beta 1 version.

                • 5. Re: Seam 1.1.5 & SeamSecurity...
                  Frank Cornelis Apprentice

                   

                  <s:secure> is gone, it's been replaced with EL expressions s:hasRole and s:hasPermission.


                  Does this mean that the "view" will also have servlet container security enabled on it? In my own Seam application I've places only the controller Seam BBs within a security domain. Thus these components can use the @RolesAllowed stuff. I'm using a servlet filter to push the session credentials to the client-login JAAS context. My view has no servlet container security enabled on it, but it can access the current used via #{currentUser} if needed for view purposes only, since that's the only task of the view (SoC). For this I used a simple Tomcat valve configured via context.xml.
                  IMHO the view should not have security enabled on it, since it can only expose data or perform operations via the controller components. Thus placing the controller components inside a security domain does the trick. Servlet container security doesn't bring anything in case of an MVC framework like Seam. And, since Seam 1.1 we can have a nice error page in case of an RBAC exception, thus the view does not need to get access to the RBAC itself. This is also in line with another security aspect: input validation. Via the Hibernate annotations, they've also made the view "dumb" as it comes to input validation. Anyone has opinion on this? Can anyone already shed some light on which direction this is going to take? At JavaPolis someone of JBoss said they where going to use a rules thingy for the Seam security... KISS please... we already have a security system via EJB3, one should be enough.

                  • 6. Re: Seam 1.1.5 & SeamSecurity...
                    Shane Bryzak Master

                    The security API provides page-level security - even though the component model is secure people still like to be able to secure their views for completeness. This is totally optional and if page/view security is not a concern there is no requirement to use it.

                    On the last point, there is a security system for EJB3 however it is lacking in a number of areas. A rule-based security API will provide an innovative new solution to a problem that has been traditionally complex and difficult to implement a solution for. Integration points will exist for those who still wish to work with JAAS-based container security, however I'm of the opinion that very few situations will require this.

                    • 7. Re: Seam 1.1.5 & SeamSecurity...
                      Shane Bryzak Master

                       

                      "sherkan777" wrote:
                      I got another question....it is posible to run those SeamSecurity example?


                      This example has been killed off - deleted from CVS. The SeamSpace example will replace it when the security API is released in Seam 1.1.5.

                      • 8. Re: Seam 1.1.5 & SeamSecurity...
                        Joseph Nusairat Newbie


                        are there any examples anywhere of the Seam security for 1.1.5?

                        • 9. Re: Seam 1.1.5 & SeamSecurity...
                          Norman Richards Master

                          You can get a sneak peak in CVS, but I suspect everything there is subject to change. Unless you want to join in the development, it's probably better just to hold off.

                          • 10. Re: Seam 1.1.5 & SeamSecurity...
                            Joseph Nusairat Newbie


                            yeah. just trying to figure out what to do.

                            I initially wrote my chapter about security before the latest changes. So a lot of it isnt accurate right now. My updates to the chapter are due in a few days that its in. So i was trying to figure out if i could get it enough to make what i wrote accurate for 1.1.5.


                            ... do you think format wise it will change much? doesnt have to be 100% functional. Just code usage wise

                            • 11. Re: Seam 1.1.5 & SeamSecurity...
                              Norman Richards Master

                              My impression is that you should expect a lot of churn until the final release. I don't think it is near its final form yet.