3 Replies Latest reply: Apr 27, 2012 10:08 AM by Shane Bryzak RSS

ACL permissions in Seam-Security

Richard Barabe Newbie

In a previous discussion on the forum, Shane explained that there had "several refactoring" to be done to enable persistent permission in seam-security (JpaPermissionStore).


Since here we really need this feature, I made an attempt to make those several refactorings.


This work form me.


One can pull it from my github fork : https://github.com/richardbarabe/security


By "working" I mean I was successful at granting, revoking and listing permissions for a user on a resource (object instance). 


What I did :

Basically, I had to extract EntityToSpiConverter from JpaIdenityStore to put it in its own file and then reuse it in JpaPermissionStore. 

For this I had to extract some configuration code from JpaIdentityStore to JpaIdentityStoreConfiguration (the part that configures the data model objects).


How it works :

Exactly has planned in the "initial implementation". 
First you have to create a JPA mapping for IdentityPermission as explained here.  The IdmConsole example have an example too.  Then you have to create an IdentifierStrategy for the class you want to persist permissions for.  Ie, for the class foo.bar.Dog, the following would work :



package foo.bar;

import javax.enterprise.context.Dependent;
import org.jboss.seam.security.permission.IdentifierStrategy;
public class DogIdentifierStrategy implements IdentifierStrategy {

    public boolean canIdentify(Class<?> targetClass) {
        return Dog.class.equals(targetClass);

    public String getIdentifier(Object target) {
        if (!(target instanceof Dog)) {
            throw new IllegalArgumentException("Target [" + target + "] must be instance of "+Dog.class.getName());
        Dog dog = (Dog) target;
        String identifier = "Dog"+":"+dog.getName()+":"+dog.getRace();
        return identifier;



This will be used by seam-security to identify Dog instances one from another.  Note that this example assume some naming conventions if you don't want permissions on different types of objects to collide.

To use the "IdentifierStrategy", you have to annotate the Dog class like this :



package foo.bar;

import org.jboss.seam.security.annotations.permission.Identifier;

 * @author baraber
public class Dog {
    private String name;
    private String race;

    public DogString name, String race) {
        this.name = name;
        this.race = race;

    public String getName() {
        return name;

    public void setName(String name) {
        this.name = name;

    public String getRace() {
        return race;

    public void setRace(String race) {
        this.race = race;




And to manage permissions(grant, revoke, list), you normally would @Inject PermissionManager and work with it, tough I personnaly had to directly @Inject PermissionStore to bypass security check on permissions "seam.read-permissions", "seam.grant-permission" and "seam.revoke-permission"...



As I said, this works for me.  But ...


I think the PermissionManager/PermissionResolver API should change.  I wanted to discuss with someone more implicated in seam3 development before changing something like this. 


The problem is this one :
To use the "PermissionManager", for instance to grant a new permission, one must provide an object of type org.jboss.seam.security.permission.Permission.  To create an instance of this class, one must pass an instance of org.picketlink.idm.spi.model.IdentityObject as the recipient of the permission.  But, using the picketlink api, I didn't find anyway to get an org.picketlink.idm.spi.model.IdentityObject from the picketlink API (PersistenceManager).  I had to provide my own implementation of org.picketlink.idm.spi.model.IdentityObject.


This is the same reason why I had to extract EntityToSpiConverter from JpaIdentityStore : When the JpaPermissionStore have to create instances of Permission to return (ie in listPermissions methods), it have to build an org.picketlink.idm.spi.model.IdentityObject from an instance of my Jpa mapping foo.bar.IdentityObject.


I think that the API have to change. 
At least I'm pretty sure that is not the way I would like to use such an API.  Maybe we could just use org.picketlink.idm.api.User, org.picketlink.idm.api.Group and strings as in the other picketlink apis (PersistenceManager, RelationshipManager and RoleManager).


Can anyone take a look at this and maybe work with me to integrate it for an eventual seam release ?  (I don't want to maintain a fork of the project )

Should I create a JIRA feature request and associate it a pull request ?  I prefered to ask ...

  • 1. Re: ACL permissions in Seam-Security
    Shane Bryzak Master

    We are actually having extended discussions on this subject right now for DeltaSpike.  As this feature will most likely never make it into a Seam release, I recommend you join in the discussion on the DeltaSpike mailing list to ensure that your use cases are all supported by the new design.

  • 2. Re: ACL permissions in Seam-Security
    Richard Barabe Newbie

    Thank you for your answer, Shane.  I subscribed to the mailing list and read the discussion on permission management.  The query api with the pagination looks promising. 

    But, is there any roadmap that could help me have a very rough idea regarding when I should be able to start playing with it (I know it's not yet developed and maybe it's too early to tell) ?


    (sorry to use this tread to ask )

  • 3. Re: ACL permissions in Seam-Security
    Shane Bryzak Master

    The new security features that we're discussing right now are due for inclusion in the next release of DeltaSpike, which I'm guessing should be in around 2 months or so.