Hey guys - I recently had a look at the documentation for Errai Security being included in Errai 3.0.0. I have some feedback for you based on the use-cases we have in JBoss Overlord. But first let me say that what's in the documentation currently makes a lot of sense for many simple use cases (authenticated vs. unauthenticated, simple role-based authorization).
Single Sign On
The first thing that came to mind when reading the docs was single sign-on. This is a requirement that we have in Overlord and we currently implement it for all our Errai web apps via a PicketLink SAML-based IDP/SP approach. Basically you cannot even get to the host page of our Errai apps without first being authenticated. The Errai app itself does not have a login form - that's all taken care of via standard web app security stuff.
So this has obvious implications on Errai Security. I'm thinking the approach to integrate SSO with Errai Security would be to implement an SSO version of an AuthenticationService, correct? This implementation could simply check the current session to ensure that the user was currently authenticated, and then respond with appropriate information in the current security context. This will require being able to manifest the current set of roles, which can't be done in an app-container agnostic way. But it's something that can be done on most (all?) containers.
Fine Grained Authorization
The other looming requirement we have in some of our applications is fine grained authorization. Roles provide a relatively coarse grained authorization (is the user an "admin" or a "manager"?). However, we are going to require context sensitive authorization like "does this user have edit permission on entities of type 'foo' for folder 'bar'?"
In the API Management project this is currently implemented using Qualified Permissions which are granted to users via qualified membership in one or more Roles. In other words, a user might have the following roles (format is Role Name [Qualifier]):
- Application Developer [Red Hat]
- Application Developer [Apache]
- Service Developer [Spark Industries]
- Organization Owner [Foo Inc]
The user has four roles, granting her the following set of permissions:
app_view[Red Hat], app_edit[Red Hat],
service_view[Spark Industries], service_edit[Spark Industries],
app_view[Foo Inc], app_edit[Foo Inc], service_view[Foo Inc], service_edit[Foo Inc]
Notice that the user has the same permission multiple times, but qualified differently. This means that she is allowed to perform certain actions that require (for example) the "app_edit" permission under certain circumstances (e.g. when modifying applications owned by "Red Hat") but not others.
I don't have a suggestion for you regarding how Errai Security could support this model, or even whether it should. The difficulty is that hiding UI functionality (for example) based on the user's permissions also requires domain specific contextual information pulled from the state of the current page. I can imagine a framework that supports this, but I'm not sure whether Errai Security should tackle it.
My assumption is that Errai Security will not support this approach and so instead I will implement my own UI filtering based on current user permissions. That said, it certainly would be nice to leverage Errai functionality for this.
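
The qualified-permission model described in the post, sketched as an added example (not code from the post, Errai, or Overlord). The class and method names are hypothetical, and the role-to-permission mapping is an assumption inferred from the permission list in the post. It needs Java 9+ for `Map.of`/`Set.of`.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical illustration; none of these names are Errai or Overlord APIs.
public class QualifiedPermissions {
    // Assumed mapping from role name to the permissions it carries.
    static final Map<String, Set<String>> ROLE_PERMISSIONS = Map.of(
        "Application Developer", Set.of("app_view", "app_edit"),
        "Service Developer", Set.of("service_view", "service_edit"),
        "Organization Owner",
            Set.of("app_view", "app_edit", "service_view", "service_edit"));

    // Permission name -> qualifiers for which the user holds that permission.
    private final Map<String, Set<String>> granted = new HashMap<>();

    // Record one qualified membership, e.g. ("Application Developer", "Red Hat").
    public void addMembership(String role, String qualifier) {
        if (role == null || qualifier == null) {
            return; // malformed membership grants nothing
        }
        // Unknown roles map to the empty set, so they grant nothing either.
        for (String perm : ROLE_PERMISSIONS.getOrDefault(role, Set.of())) {
            granted.computeIfAbsent(perm, p -> new HashSet<>()).add(qualifier);
        }
    }

    // True only when the permission was granted for exactly this qualifier.
    // The qualifier is the contextual value taken from the current page,
    // such as the organization that owns the entity being shown.
    public boolean hasPermission(String permission, String qualifier) {
        return granted.getOrDefault(permission, Collections.emptySet())
                      .contains(qualifier);
    }

    public static void main(String[] args) {
        QualifiedPermissions user = new QualifiedPermissions();
        user.addMembership("Application Developer", "Red Hat");
        user.addMembership("Service Developer", "Spark Industries");
        user.addMembership("Organization Owner", "Foo Inc");

        String[][] checks = {
            {"app_edit", "Red Hat"}, {"app_edit", "Spark Industries"},
            {"service_edit", "Foo Inc"}, {"app_edit", "Acme (constructed)"}};
        for (String[] c : checks) {
            System.out.println(c[0] + "[" + c[1] + "] = "
                + user.hasPermission(c[0], c[1]));
        }
    }
}
```

A UI filter built on `hasPermission` only decides what to show; the same qualified check has to run on the server for each request, since the client-side state that supplies the qualifier is under the user's control.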