
Seam and Acegi

Paras Jain
Ranch Hand

Joined: Feb 26, 2005
Posts: 137
I was reading a post in this forum and learnt that Seam has security built-in. What if I want to integrate any security framework like Acegi or Siteminder etc?

Regards,
Paras


Paras Jain
SCJP 5.0
Jason Porter
Ranch Hand

Joined: Apr 26, 2007
Posts: 120
Dan could probably speak to this better than I can, but I don't see anything that would inhibit you from using any other security framework. It certainly won't be as integrated, and I'm pretty sure it won't be as easy to set up either.
Dan Allen
Author
Ranch Hand

Joined: Mar 05, 2003
Posts: 164
Shane Bryzak, one of the Seam developers, recognized that while the security framework in Seam was good, it still lacked the level of control of Spring Security (Acegi). Therefore, he made it a personal mission to not only make the security in Seam better, but to make it the best security management framework that you can find in Java EE. His mission was to make those people who want to integrate with Acegi realize that you just don't need that integration. Definitely check out the identity and permissions management in Seam 2.1 when it is final.

But what if you just want to integrate with Acegi? That's the cool part about Seam security. You simply write one method on a POJO, and you can authenticate to any system you want. You then grab those roles and stuff them into the identity.addRoles() method inside the authentication method on the POJO and you have Seam hooked into the third-party security framework. At that point you can check those roles in your Seam application using #{s:hasRole('admin')} in all the normal places.

Integrating ACLs in Acegi is probably not as simple and I cannot speak to it.


Dan Allen | http://mojavelinux.com | Author of Seam in Action - http://mojavelinux.com/seaminaction
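
The single-method integration described in the post above, sketched as an added example (not code from the thread, from Seam, or from the book). It uses Seam's `Identity.addRole(String)` and Acegi's `AuthenticationManager`; the class name, package, the Spring bean name `authenticationManager`, the `toSeamRole` helper and the `ROLE_` prefix mapping are assumptions made for illustration.

```java
package example.security; // hypothetical package

import java.util.Locale;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;

// Registered in components.xml (Seam 2.x):
//   <security:identity authenticate-method="#{authenticator.authenticate}"/>
@Name("authenticator")
public class AcegiAuthenticator {

    @In Identity identity;
    @In Credentials credentials; // Seam 2.1; in 2.0 the values live on Identity

    // Assumption: the Acegi AuthenticationManager is a Spring bean named
    // "authenticationManager", resolvable through Seam's Spring integration.
    @In("#{authenticationManager}")
    AuthenticationManager authenticationManager;

    public boolean authenticate() {
        Authentication request = new UsernamePasswordAuthenticationToken(
                credentials.getUsername(), credentials.getPassword());
        Authentication result;
        try {
            result = authenticationManager.authenticate(request);
        } catch (AuthenticationException e) {
            return false; // bad credentials, locked or disabled account
        }
        if (result == null || !result.isAuthenticated()) {
            return false;
        }
        GrantedAuthority[] authorities = result.getAuthorities();
        for (int i = 0; authorities != null && i < authorities.length; i++) {
            identity.addRole(toSeamRole(authorities[i].getAuthority()));
        }
        return true;
    }

    // Acegi conventionally names roles "ROLE_ADMIN"; s:hasRole('admin') needs "admin".
    static String toSeamRole(String acegiAuthority) {
        String role = acegiAuthority.startsWith("ROLE_")
                ? acegiAuthority.substring("ROLE_".length()) : acegiAuthority;
        return role.toLowerCase(Locale.ENGLISH);
    }
}
```

Without the name mapping, a check such as `#{s:hasRole('admin')}` silently evaluates to false for a user whose Acegi authority is `ROLE_ADMIN`, so the mapping convention is worth pinning down before any page or method restrictions rely on it.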
Alex Savitsky
Greenhorn

Joined: Aug 07, 2008
Posts: 4
Seam and Acegi are not a good combination, because Seam pretty much implies using JSF (right now, at least) - and Acegi and JSF don't play well. Acegi is geared towards request-type view frameworks, that can be secured using URL-based rules. JSF is a component-type framework, and as such doesn't play well with URL-based security - rules tend to fire for a previously-accessed URL, instead of the currently requested one, unless one is using redirects everywhere. It's possible to integrate them on the lower (DAO/service) level, not using Acegi's security filters, but, quite frankly, I have no clue what would this give me on top of what Seam Security already provides.

Disclaimer: I'm speaking from my own experience of about one year ago. Things might have changed, but I haven't looked back at Acegi since then, as Seam Security covers all my needs.
[ August 07, 2008: Message edited by: Alex Savitsky ]
Dan Allen
Author
Ranch Hand

Joined: Mar 05, 2003
Posts: 164
> Seam and Acegi are not a good combination, because Seam pretty much implies using JSF (right now, at least) - and Acegi and JSF don't play well. Acegi is geared towards request-type view frameworks, that can be secured using URL-based rules. JSF is a component-type framework, and as such doesn't play well with URL-based security - rules tend to fire for a previously-accessed URL, instead of the currently requested one, unless one is using redirects everywhere. It's possible to integrate them on the lower (DAO/service) level, not using Acegi's security filters, but, quite frankly, I have no clue what would this give me on top of what Seam Security already provides.


Exactly the point I make in the book (chapter 11). Very well said.

In terms of integration, I was looking more at the authentication part of Acegi and saying that it wouldn't be too hard to integrate that. Once the user is authenticated (logged in and granted roles), even with Acegi, you would definitely want to use Seam's authorization (enforcement of security).

Seam has always supported rule-based authorization based on Drools. What this lets you do is consult objects in any scope, and their properties, to determine if the user should be allowed to do something. Very powerful. In Seam 2.1, there is another layer of security in the form of persistent (database) ACLs. The latter is ideal for managing permissions through a user interface. By the way, none of Seam security requires you to use XML.
Alaa Nassef
Ranch Hand

Joined: Jan 28, 2008
Posts: 460
Well, even a couple of years ago, Acegi supported securing objects and methods, but through the use of AOP. The most common use of Acegi in web applications was through URL filters, but you can do otherwise if you want.


Visit my blog: http://jnassef.blogspot.com/
 