7 Replies Latest reply on Dec 14, 2009 1:54 AM by prati bha

    ACL Security In Seam

    prati bha Newbie
      Hi

      I am trying to implement ACL based security in Seam.
      The code goes like this

      @Entity
      public class AccountPermission implements Serializable
      {        
         @Id @GeneratedValue public Integer permissionId;
         @PermissionUser @PermissionRole public String recipient;
         @PermissionTarget public String target;
         @PermissionAction public String action;
         @PermissionDiscriminator public String discriminator;
      }

      <security:jpa-permission-store user-permission-class="com.acme.AccountPermission"/>


      PermissionManager.instance().grantPermission(new Permission(entityManager.find(Customer.class, 1234),
          "update", new SimplePrincipal("bob")));


      AccountPermission
      =================
      RECIPIENT  TARGET         ACTION  DISCRIMINATOR
      -----------------------------------------------
      bob        Customer:1234  update  user


      I can store data in respective AccountPermission table, BUT when i login can't see any effect of permission.

      DO I NEED TO RESTRICT IT FROM VIEW OR ACTION CLASS AS WELL?

      Thanks

        • 1. Re: ACL Security In Seam
          prati bha Newbie

          Related to my previous post...
          I am trying to restrict using @Restrict on Action but it's giving Authorization exception.

          • 2. Re: ACL Security In Seam
            Joshua D Novice

            Check to see if you see a corresponding entry in the permissions table for your update permission.

            • 3. Re: ACL Security In Seam
              prati bha Newbie
              Hi,

              Yes i can see entry going into AccountPermissionTable,there is no problem with that.

              AccountPermission
              =================
              RECIPIENT TARGET ACTION DISCRIMINATOR
              -----------------------------------------------
              bob Customer:1234 update user

              What my issue is my @Restrict on  action is not working.I am using @Restrict or
              @Restrict("#{s:hasPermission('customer','update')}").

              But no luck it gives me Authorization Exception.

              Thanks
              Prati
              • 4. Re: ACL Security In Seam
                Ingo Jobling Master

                It would have to be


                @Restrict("#{s:hasPermission('customer:1234','update')}").



                That is, the target must match exactly the value of @PermissionTarget, which is customer:1234


                If you want to secure by entity instance, you may use annotations on the entity which will result in interceptors being invoked to authenticate whenever an entity instance is accessed. See the documentation for details.  

                • 5. Re: ACL Security In Seam
                  prati bha Newbie

                  Hi


                  Thankyou ,it worked :-). Yes i need to secure entity. I will check Seam documentation.


                  Thanks once again.


                  Regards
                  Prati

                  • 6. Re: ACL Security In Seam
                    prati bha Newbie
                    I have one more query. As I am not using jboss-rules and what i am trying to do is:

                    1) If I login as a 'Admin' i should be able to see all Customers,
                    2) If I login as 'User' i should be able to see few customers

                    I did it like that

                    AccountPermission accountPermission = (AccountPermission)em.createQuery("SELECT a FROM AccountPermission a WHERE a.recipient = :recipient")
                              .setParameter("recipient", recipient)
                              .getSingleResult();

                              String[] targetParts = accountPermission.getTarget().split(":");
                              if (targetParts.length == 2) {
                                   targetClass = targetParts[0];
                                   targetId = Integer.parseInt(targetParts[1]);
                              }

                    Since target is saved like 'Customer:1234"

                    Then searched for targetId in Customer table.

                    Not sure is this the best way of doing the above thing?
                    Can i do this using PermissionStore?
                    Please suggest

                    Thanks
                    P
                    • 7. Re: ACL Security In Seam
                      prati bha Newbie

                      http://seamframework.org/Documentation/ACLSecurityInSeam


                      OR it has to be done like mentioned in above link?


                      Thanks
                      P