9 Replies Latest reply on Jun 9, 2010 6:13 AM by Nicklas Karlsson

    Security status?

    Aaron Siri Newbie

      What is the status of the security module?  I keep looking at the online statuses reported for the various modules and the the security module doesn't seem to be going anywhere - not functional, doesn't build, no releases, no release plan, etc.


      I imagine security is a fairly important module.  Is it possible to get an update on where it is at and what still needs to be done?


      -Aaron

        • 1. Re: Security status?
          Shane Bryzak Master

          I'm working on it currently.  It was actually all ported to to CDI and fully functional, however we have decided to integrate it with PicketLink (which will be providing a lot of the more advanced security features) and adopt a lot of their API.  I'm hoping to have an alpha release out in the next couple of weeks, depending on the remaining integration issues (of which there have been many to overcome already).

          • 2. Re: Security status?
            Ryan de Laplante Newbie

            I'm also very interested in getting Seam 3 Security ASAP. I have an upcoming project (within weeks) that I'd like to build using CDI and Seam Security.  By the time it is ready for production the Seam Security RC might be available.


            Since the message above seems to indicate major API changes, I think this is a good opportunity to request a major design change related to roles and permissions.  Some of our users hold multiple positions at the company they work for.  On some days they are the manager, and on other days they are a regular employee.   When the user logs in, I need them to choose which role to use (manager or regular employee) if there are multiple roles attached to their account.  This is also useful for administrators.  They can log in using a single account and choose if they want to use the administrator role, or their regular user role.


            Groups can be associated with roles and/or users.  Permissions can be associated with roles and/or groups and/or users.


            What do you think?

            • 3. Re: Security status?
              Radu B Newbie

              If you ask me, this is a very common behavior.
              You can let the user to select the role he wants to play after he logs in, is not mandatory to select the role during the login process. You will just designate a default role for each user or group of users.


              Anyway, I don't think we will ever see this kind of feature from Seam framework. Peoples involved in Security module are to smart to ask us for opinion or even share with us the release schedule!


              It is all part of the big RedHat - Jboss integration strategy, which only the chosen one can see :)


              Mean time, I do what I suppose many other from this forum already does: migrate to plain JEE6, GlassFish, Spring, whatever has a decent documentation, release schedule, support, community, published books, ...

              • 4. Re: Security status?
                Radu B Newbie

                Sorry for the tone of last post... it really should be an Edit button on this forum.


                However, I'm disappointed about the lack of documentation and architecture information related to Seam Security and PicketLink (the 2 wiki pages from 1 year).

                • 5. Re: Security status?
                  Shane Bryzak Master

                  The only Seam and PicketLink integration that existed previously was developed by an independent community contributor for the PicketLink project.  The current integration effort which I am undertaking is the first formal integration between the two projects, so of course there won't be any documentation yet. 


                  Ryan, unfortunately since we're now adopting the PicketLink API you'll need to address any feature requests to the JBoss Security team as changes such as you have suggested are now out of our control.  I suggest you post your ideas to their development forum, which you can find here:


                  http://community.jboss.org/en/picketlink/dev

                  • 6. Re: Security status?
                    Nicklas Karlsson Master

                    I need the security module for a project, too, but I'm happy if I go on vacation and everything Just Works when I get back ;-)


                    The dependency to PicketLink means we have access to a tried and tested API but it apparently has the downside that we have to go an extra mile if we want changes to it. Hopefully there is a strategy to extend the API in non-standard ways if there is stuff that we absolutely need but they have no interest in adding?

                    • 7. Re: Security status?
                      Pete Muir Master

                      Nicklas Karlsson wrote on Jun 09, 2010 03:21:


                      I need the security module for a project, too, but I'm happy if I go on vacation and everything Just Works when I get back ;-)

                      The dependency to PicketLink means we have access to a tried and tested API but it apparently has the downside that we have to go an extra mile if we want changes to it. Hopefully there is a strategy to extend the API in non-standard ways if there is stuff that we absolutely need but they have no interest in adding?


                      Yes. It's called talking, and having a discussion :-p

                      • 8. Re: Security status?
                        Pete Muir Master

                        Radu B wrote on Jun 08, 2010 14:46:


                        If you ask me, this is a very common behavior.
                        You can let the user to select the role he wants to play after he logs in, is not mandatory to select the role during the login process. You will just designate a default role for each user or group of users.

                        Anyway, I don't think we will ever see this kind of feature from Seam framework. Peoples involved in Security module are to smart to ask us for opinion or even share with us the release schedule!

                        It is all part of the big RedHat - Jboss integration strategy, which only the chosen one can see :)

                        Mean time, I do what I suppose many other from this forum already does: migrate to plain JEE6, GlassFish, Spring, whatever has a decent documentation, release schedule, support, community, published books, ...


                        I'm sorry that you are frustrated, and Shane will get information out as soon as he has it I'm sure!

                        • 9. Re: Security status?
                          Nicklas Karlsson Master

                          "Talking" and having a "discussion" is all nice and fine but that won't actually add the method to the interface :-p