0 Replies Latest reply on Mar 17, 2009 12:21 AM by jeckhart

    Security questions


      Does anyone else have some insight on how to couple Seam with container managed security? My rationale for sticking with container managed security:

      1. More portable. Since the deployer/assembler can control the user and group roles, security is easier to configure and port.

      2. Performance. Most containers support connection pooling and caching at the security layer. I expect this cache to be more secure and perform better than JAAS.

      3. Simpler. Although this is debatable given the defaults Seam provides, I still feel that container managed security is better understood and simpler to comprehend than the depths of JAAS.

      4. More secure. This is also debatable, but I tend to trust the container managed security more than home-grown efforts, even when they are based on standard specs such as JAAS.

      5. Container support. Specifically, my container still recommends using container managed security over JAAS (read ... Use declarative security as a rule; use the techniques that are described in this section as a last resort. on http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.exp.doc/info/exp/ae/tsec_web.html)

      Based on this, does seam provide any mechanism to couple security at the container level with some method of identity and role mapping. Specifically, the servlet spec provides for methods at the ServletRequest API to retrieve the userprinciple (request.getUserPrinciple), the remote user (request.getRemoteUser) and role mapping (request.isUserInRole("admin")). Based on these, is there a way to still inject some of the Seam security principles without resorting to a full JAAS implementation?