Seam and Acegi

 
Ranch Hand
Posts: 141
I was reading a post in this forum and learnt that Seam has security built-in. What if I want to integrate any security framework like Acegi or Siteminder etc?

Regards,
Paras
 
Author
Posts: 134
Dan could probably speak to this better than I can, but I don't see anything that would inhibit you from using any other security framework. It certainly won't be as integrated, and I'm pretty sure it won't be as easy to set up either.
 
Author
Posts: 164
Shane Bryzak, one of the Seam developers, recognized that while the security framework in Seam was good, it still lacked the level of control of Spring Security (Acegi). Therefore, he made it a personal mission to not only make the security in Seam better, but to make it the best security management framework that you can find in Java EE. His mission was to make those people who want to integrate with Acegi realize that you just don't need that integration. Definitely check out the identity and permissions management in Seam 2.1 when it is final.

But what if you just want to integrate with Acegi? That's the cool part about Seam security. You simply write one method on a POJO, and you can authenticate to any system you want. You then grab those roles and stuff them into the identity.addRoles() method inside the authentication method on the POJO and you have Seam hooked into the third-party security framework. At that point you can check those roles in your Seam application using #{s:hasRole('admin')} in all the normal places.

Integrating ACLs in Acegi is probably not as simple and I cannot speak to it.
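
The single-method hook described in the post above, as an added example that is not code from the thread, from Seam or from Acegi: a Seam 2.1 authenticator that delegates the credential check to Acegi's `AuthenticationManager` and copies the granted authorities into Seam roles, one `identity.addRole(String)` call per role. The class name, the Spring bean name `authenticationManager`, and the `ROLE_ADMIN` to `admin` mapping are assumptions.

```java
import java.util.Locale;

import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;

// Registered in components.xml with:
//   <security:identity authenticate-method="#{authenticator.authenticate}"/>
@Name("authenticator")
public class AcegiBackedAuthenticator {   // hypothetical class name

    @In Identity identity;
    @In Credentials credentials;

    // Assumption: Acegi's AuthenticationManager is a Spring bean named
    // "authenticationManager" that Seam can resolve through EL.
    @In("#{authenticationManager}") AuthenticationManager authenticationManager;

    public boolean authenticate() {
        String user = credentials.getUsername();
        String pass = credentials.getPassword();
        if (user == null || pass == null) return false;
        try {
            Authentication result = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(user, pass));
            GrantedAuthority[] granted = result.getAuthorities();
            if (!result.isAuthenticated() || granted == null) return false;
            for (GrantedAuthority ga : granted) {
                String role = toSeamRole(ga.getAuthority());
                if (role != null) identity.addRole(role);
            }
            return true;
        } catch (AuthenticationException e) {
            return false;   // fail closed: any Acegi rejection means no login, no roles
        }
    }

    // Assumed mapping: Acegi "ROLE_ADMIN" becomes Seam "admin", so that
    // #{s:hasRole('admin')} matches. Authorities without a string form are skipped.
    static String toSeamRole(String authority) {
        if (authority == null || authority.isEmpty()) return null;
        String name = authority.startsWith("ROLE_") ? authority.substring(5) : authority;
        return name.isEmpty() ? null : name.toLowerCase(Locale.ROOT);
    }
}
```

Only authentication is delegated here; every authorization decision after login is still made by Seam against the roles copied in.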
 
Greenhorn
Posts: 4
Seam and Acegi are not a good combination, because Seam pretty much implies using JSF (right now, at least) - and Acegi and JSF don't play well. Acegi is geared towards request-type view frameworks that can be secured using URL-based rules. JSF is a component-type framework, and as such doesn't play well with URL-based security - rules tend to fire for a previously-accessed URL, instead of the currently requested one, unless one is using redirects everywhere. It's possible to integrate them on the lower (DAO/service) level, not using Acegi's security filters, but, quite frankly, I have no clue what this would give me on top of what Seam Security already provides.

Disclaimer: I'm speaking from my own experience of about one year ago. Things might have changed, but I haven't looked back at Acegi since then, as Seam Security covers all my needs.
[ August 07, 2008: Message edited by: Alex Savitsky ]
 
Dan Allen
Author
Posts: 164

Seam and Acegi are not a good combination, because Seam pretty much implies using JSF (right now, at least) - and Acegi and JSF don't play well. Acegi is geared towards request-type view frameworks that can be secured using URL-based rules. JSF is a component-type framework, and as such doesn't play well with URL-based security - rules tend to fire for a previously-accessed URL, instead of the currently requested one, unless one is using redirects everywhere. It's possible to integrate them on the lower (DAO/service) level, not using Acegi's security filters, but, quite frankly, I have no clue what this would give me on top of what Seam Security already provides.



Exactly the point I make in the book (chapter 11). Very well said.

In terms of integration, I was looking more at the authentication part of Acegi and saying that it wouldn't be too hard to integrate that. Once the user is authenticated (logged in and granted roles), even with Acegi, you would definitely want to use Seam's authorization (enforcement of security).

Seam has always supported rule-based authorization based on Drools. What this lets you do is consult objects in any scope, and their properties, to determine if the user should be allowed to do something. Very powerful. In Seam 2.1, there is another layer of security in the form of persistent (database) ACLs. The latter is ideal for managing permissions through a user interface. By the way, none of Seam security requires you to use XML.
 
Ranch Hand
Posts: 471
Well, even a couple of years ago, Acegi supported securing objects and methods, but through the use of AOP. The most common use of Acegi in web applications was through URL filters, but you can do otherwise if you want.
 