9 Replies Latest reply on Sep 2, 2009 7:17 AM by karunakaran t

    File access permission to users

    karunakaran t Newbie

      hi there,


      I'm implementing admin page i want to restrict users from accessing files which are prodected from them. plz help in this issue.


      thanks in advance.

        • 1. Re: File access permission to users
          Francisco Jose Peredo Noguez Master

          You need to be way more specific, forums are not good for this kind of questions (believe me I have made the same the same mistake ;-) ).

          • 2. Re: File access permission to users
            karunakaran t Newbie

            hi peredo,


            thanks for ur reply but i want to implement security in my application what can i do, plz suggest some idea.


            thanks.

            • 3. Re: File access permission to users
              Leo van den berg Master

              Hi,


              Seam can secure your application by restricting access to pages and resources. You can add a restriction to pages.xml to enable login (to start with) .Seam has an excellent User-Role based authorization mechanism see chapter 15 of the documentation on how to do that.


              Furthermore you can add a restriction to the rendered atributes of your page content (see the s:role element.


              last but not leats, you can restrictions to your bean-methods with annotations. This is also explainde in detail in chapter 15.


              If you have more question, don't hesitate to ask, but I agree with Francisco, don't ask the generic questions.

              • 4. Re: File access permission to users
                karunakaran t Newbie
                hi leo,

                     Thanks for ur valuable reply i just gone through the documentation but i couldn't understand the following

                <page view-id="/reports.xhtml">   
                    <restrict>#{s:hasRole('admin')}</restrict>
                </page>

                if i have to write any function like hasRole in bean. Better if u have any example code plz send it to me.

                thanks in advance.
                • 5. Re: File access permission to users
                  Leo van den berg Master

                  You need to include User and Role entities in your application. Seam allows you to annotate these classes and include them in your application security model. You need an authenticate bean which takes care of authenticating users, which also adds the defined Roles to the user.


                  If you have that in place, the -restrict- in pages will work without any additional coding. It seesm a bit complex, but it really pays off on the long term.


                  the s:role tag is also used inside the restriction but can alsobe used in the rendered attribute so disabling the visibility of elements for non-authorized used. 


                  The distro and docs contain the examples: but if it's helpful some of my own code (if shortened it a bit, because I am using it with JBPM and automatic skin/language setting:




                  @Name("authenticationManager")
                  public class AuthenticationManager {
                       
                  
                       @Logger Log log;
                       @In EntityManager entityManager;
                  
                          @In Actor actor;     // For use with JBPM
                  
                       @In Credentials credentials;
                       @In Identity identity;
                       
                       @In FacesMessages facesMessages;
                       
                       @Out(required=false)
                       Operator currentUser;
                       
                       @Transactional
                       public boolean authenticate(){
                  
                            try {
                            Operator user = (Operator) entityManager.createQuery("select u from Operator u left join fetch u.managementCentre c where u.userName = :username")
                            .setParameter("username", credentials.getUsername())
                            .getSingleResult();
                  
                            // Check the password
                            if (!user.getUserPassword().equalsIgnoreCase(credentials.getPassword()) ) return false;
                            
                            actor.setId(user.getUserName());
                            if (user.getUserRoles() != null){
                                 for (Role role: user.getUserRoles()){
                                      identity.addRole(role.getName());
                                      actor.getGroupActorIds().add(role.getName());
                                 }
                            }
                            
                            currentUser = user;
                            identity.addRole("user");
                            
                            return true;
                            
                            } catch (NoResultException e){
                                 return false;
                            }
                       }
                  }
                  



                  You need to add the following to components.xml




                        <security:identity authenticate-method="#{authenticationManager.authenticate}"  />
                  




                  • 6. Re: File access permission to users
                    karunakaran t Newbie

                    hi Leo,


                    I just gone through the identity-management, everything is ok but when running the project i still get the same welcome page instead of the identity management page when i entered as admin.


                    i couldn't understand how to set (hibernate.hbm2ddl.auto setting) in my dos console.

                    • 7. Re: File access permission to users
                      Leo van den berg Master

                      Hi,


                      I am not at my usual workingplace, so I can't do some code cut-and-pasting for exampls. You need to put the login-requirement in the pages.xml file. Something like this.




                      <pages login-view-id="your-login-page.xhtml">
                      ...
                        <page view-id="/yourSecurePageDir/*" login-required="true" />
                      ...
                      </pages>



                      That hibernate property is set in the config.files. For JPA that is persistence.xml and there you will find that setting or you need a new one.



                      Leo

                      • 8. Re: File access permission to users
                        Jaime Martin Apprentice

                        Hi,
                        What Leo has told you is perfect. To go further there is another approach for security issues.
                        You may use drools. Your application has a security.drl file.
                        There you may define that to display a page you must have a role.
                        For instance, if you have a Restricted.xhtml page that may be visited only by users whose role is admin or advancedUser your should configure it this way:


                        In your security.drl file add:


                        rule Restriction
                        when
                            c: PermissionCheck(name == "/Restricted.xhtml")
                            Role(name == "admin") 
                            or 
                            Role(name == "advancedUser")
                        then
                            c.grant();
                        end;
                        



                        On the other hand in your pages.xml add this:



                            <page view-id="/Restricted.xhtml">
                                <restrict/>
                            </page>        
                        



                        The latest means that before displaying Restricted.xhtml it checks if in security.drl file there is a rule. It would find Restriction rule and then check if user role is admin or advancedUser.


                        For using this approach the use of roles and identities is compulsory


                        A summary tip:
                        The following:


                            <page view-id="/Restricted.xhtml">
                                <restrict>#{s:hasRole('adminGral')}</restrict>
                            </page>
                        


                        is the same as this


                            <page view-id="/Restricted.xhtml">
                                <restrict/>
                            </page>
                        



                        in addition to this


                        rule Restriction
                        when
                            c: PermissionCheck(name == "/Restricted.xhtml")
                            Role(name == "admin") 
                        then
                            c.grant();
                        end;
                        



                        • 9. Re: File access permission to users
                          karunakaran t Newbie

                          hi Leo and Jaime,


                            Thanks a lot i had successfully done those things. Great work by u people.


                          thanks a lot