Security - mareknovotny/seam-migration GitHub Wiki

Security

The Seam 2 Security API provides a multitude of security-related features:

  • Authentication — an extensible, JAAS-based authentication layer that allows users to authenticate against any security provider.

  • Identity Management — an API for managing a Seam application’s users and roles at runtime.

  • Authorization — an extremely comprehensive authorization framework, supporting user roles, persistent and rule-based permissions, and a pluggable permission resolver for easily implementing customised security logic.

  • Permission Management — a set of built-in Seam components to allow easy management of an application’s security policy.

  • CAPTCHA support — to assist in the prevention of automated software/scripts abusing your Seam-based site.

All of these areas, and much more than Seam 2 Security covered, are implemented by PicketLink, which is integrated with CDI and has an API very similar to that of Seam 2 Security. See the thread discussing the evolution.

PicketLink is distributed as a WildFly/EAP module, so you can easily get its Identity Management and Federation features into your application by referencing the module in the jboss-deployment-structure.xml file in your application archive. See PicketLink JBoss AS subsystem.

Authentication

The simplest way to enable authentication in Seam 2 was to include the identity component in components.xml:

Seam 2 security component setup
<components>
   ...

   <security:identity authenticate-method="#{authenticator.authenticate}"/>

   ...
</components>

and you needed to provide a Seam component annotated @Name("authenticator") with an authenticate method.

With PicketLink it is just an annotated authenticator class like the following:

PicketLink simple authentication
@PicketLink
public class SimplePicketLinkAuthenticator extends BaseAuthenticator {

    @Inject DefaultLoginCredentials credentials;

    @Override
    public void authenticate() { ... }
}
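A fuller version of the skeleton above, added here as an illustration and not taken from the wiki or the PicketLink project: instead of comparing strings itself, the authenticator hands the password check to PicketLink's IdentityManager, so the stored credential stays hashed in the identity store and this class only reports the outcome. The class name and the decision to inject IdentityManager into a custom authenticator are this example's own choices.

```java
import javax.inject.Inject;

import org.picketlink.annotations.PicketLink;
import org.picketlink.authentication.BaseAuthenticator;
import org.picketlink.credential.DefaultLoginCredentials;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;

// Added example: a @PicketLink authenticator that replaces a Seam 2
// @Name("authenticator") component. PicketLink picks it up because of the
// @PicketLink qualifier; no components.xml entry is needed.
@PicketLink
public class IdmDelegatingAuthenticator extends BaseAuthenticator {

    // Filled by the login form (same role as Seam 2's Credentials component).
    @Inject
    private DefaultLoginCredentials credentials;

    // PicketLink IDM validates against the configured identity store
    // (JPA, LDAP, file...), so the password hash never reaches this class.
    @Inject
    private IdentityManager identityManager;

    @Override
    public void authenticate() {
        String userId = credentials.getUserId();
        String password = credentials.getPassword();

        // Missing input is an ordinary failure, not an exception path.
        if (userId == null || userId.isEmpty() || password == null) {
            setStatus(AuthenticationStatus.FAILURE);
            return;
        }

        UsernamePasswordCredentials toCheck =
                new UsernamePasswordCredentials(userId, new Password(password));
        identityManager.validateCredentials(toCheck);

        // Only VALID counts; EXPIRED and ACCOUNT_DISABLED are reported as plain
        // failures so the login form does not reveal why the attempt was rejected.
        if (Credentials.Status.VALID.equals(toCheck.getStatus())) {
            setAccount(toCheck.getValidatedAccount());
            setStatus(AuthenticationStatus.SUCCESS);
        } else {
            setStatus(AuthenticationStatus.FAILURE);
        }
    }
}
```

If no @PicketLink-qualified authenticator is present, PicketLink's built-in IDM authenticator performs the same validateCredentials call by default; a custom class like this one is only needed when you want to add your own checks around it.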

Migration is pretty straightforward, so look for more details in the PicketLink documentation.

Authorization

In Seam 2 the security configuration resided in components.xml. To enable annotation-based authorization with PicketLink you need to enable the security interceptor in the beans.xml descriptor placed in the WEB-INF or META-INF directory. PicketLink then intercepts invocations of secured beans and checks the authorization rules and policies before their methods run.

Security setup in beans.xml
<interceptors>
	<class>org.apache.deltaspike.security.impl.extension.SecurityInterceptor</class>
</interceptors>

PicketLink authorization is based on the DeltaSpike Security API.

Identity Management

Identity Management is a fundamental module of PicketLink, and you can easily migrate to it from the Seam 2 IDM model.

Captcha support

PicketLink can use Google's reCAPTCHA service; see the PicketLink quickstart demo to learn how.

Seam 2 Security annotations

The following table suggests PicketLink alternatives for the Seam 2 Security annotations.

Table 1. Annotation alternatives (Seam Security annotation, followed by its PicketLink alternative)

  • @Identifier: @Identifier
  • @PasswordSalt: no direct mapping
  • @TokenUsername: no direct mapping
  • @TokenValue: no direct mapping
  • @Restrict: @Restrict
  • @UserPrincipal: no direct mapping; PicketLink uses @IdentityStereotype(USER) for the class and @StereotypeProperty for a class field or method
  • @UserEnabled: no direct mapping; PicketLink uses @IdentityStereotype(USER) for the class and @StereotypeProperty for a class field or method
  • @UserFirstName: no direct mapping; PicketLink uses @IdentityStereotype(USER) for the class and @StereotypeProperty(IDENTITY_USER_NAME) for a class field or method
  • @UserRoles: no direct mapping; PicketLink uses @IdentityStereotype(USER) for the class and @StereotypeProperty() for a class field or method
  • @UserLastName: no direct mapping; PicketLink uses @IdentityStereotype(USER) for the class and @StereotypeProperty(IDENTITY_USER_NAME) for a class field or method
  • @UserPassword: no direct mapping; PicketLink uses @IdentityStereotype(USER) for the class and @StereotypeProperty for a class field or method
  • @Admin: @RolesAllowed("Administrator")
  • @RoleConditional: no direct mapping
  • @RoleCheck: @RolesAllowed
  • @RoleGroups: @GroupsAllowed
  • @RoleName: no direct mapping; PicketLink uses @IdentityStereotype(ROLE) for the class and @StereotypeProperty(IDENTITY_ROLE_NAME) for a class field or method
  • @Insert: @AllowedOperations({@AllowedOperation(value = "CREATE")})
  • @Update: @AllowedOperations({@AllowedOperation(value = "UPDATE")})
  • @Read: @AllowedOperations({@AllowedOperation(value = "READ")})
  • @Delete: @AllowedOperations({@AllowedOperation(value = "DELETE")})
  • @PermissionCheck: no direct mapping; you can use Apache DeltaSpike Security to create your own security annotation
  • @Permission: no direct mapping
  • @Permissions: no direct mapping
  • @PermissionTarget: no direct mapping
  • @PermissionRole: no direct mapping
  • @PermissionDiscriminator: no direct mapping
  • @PermissionAction: no direct mapping
  • @PermissionUser: no direct mapping
