[jboss-user] [JBoss Seam] - Re: Security Solution for Seam

dietice do-not-reply at jboss.com
Wed Nov 1 11:57:48 EST 2006


Thank you for your answers!

Am I right in assuming that you mean org.jboss.seam.security & subpackages and the security example?


Further, I have a feature request: I would like to have 'dynamic roles' (roles depending on the calling principal).

I.e. let's say we have a User entity and an 'updateUserData(User user)' business method in some bean.
Access to this method should be allowed to all administrators - regardless of the user whose data is to be modified - and a user should be allowed to modify only his own user data.

This could be done by separating all roles into static (traditional) and dynamic roles. For every introduced dynamic role one has to implement an interface which is called every time a dynamic role is evaluated (something like 'boolean isInRole(Principal principal, Object[] methodArgs)' - methodArgs is an array containing the parameters to the secured method).

I.e. the updateUserData method would be annotated with @RolesAllowed({"administrator","owner"}). If this method is called by someone who is in the 'administrator' role there's no need to evaluate the 'owner' role. On the other hand, if this method is called by someone who is not in the 'administrator' role the security layer would call the method in the interface registered with the owner role to see if the current principal is allowed to access this method.

IMHO this would be pretty useful - i.e. to ensure users can edit only their own data, ... - what do you think about it?


Further, I noticed the improved logging implementation in the org.jboss.seam.log package. While I fully agree that this makes our life easier, I was wondering if you noticed SLF4J (http://www.slf4j.org) and LogBack (http://logback.qos.ch).

Both are from the guys who invented log4j, and while SLF4J is meant as a replacement for commons-logging - as a simple facade for various logging APIs - LogBack is meant as an improvement of log4j.
Both address the shortcomings you addressed in your implementation and some more - please see their sites for more details.

The reason I mention them is that switching to SLF4J (which perfectly integrates with log4j, commons-logging, LogBack, ...) might spare you the reinvention of the wheel ;) and make for less coupling of the user's code with Seam while providing a convenient & consistent way of logging in user code & Seam & ...

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3982414#3982414

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3982414
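The dynamic-role scheme proposed in this post, as an added Java sketch that is neither Seam code nor the poster's own: RolesAllowed, DynamicRole, User and UserService are hypothetical stand-ins for the annotation and interface described above, and static roles are checked before any evaluator is consulted.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.*;
// Hypothetical sketch of the "dynamic roles" proposal (not Seam code): static roles come
// from the principal's memberships; a dynamic role asks an evaluator that sees the arguments.
public class DynamicRoles {
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    public @interface RolesAllowed { String[] value(); }
    // The evaluator interface the post proposes, registered once per dynamic role.
    public interface DynamicRole { boolean isInRole(Principal principal, Object[] methodArgs); }
    public static class User { final String name; User(String n) { name = n; } }
    // Secured business method: any administrator, or the owner of the record.
    public static class UserService {
        @RolesAllowed({"administrator", "owner"})
        public void updateUserData(User user) { /* persist changes */ }
    }
    private final Map<Principal, Set<String>> staticRoles = new HashMap<>();
    private final Map<String, DynamicRole> dynamicRoles = new HashMap<>();

    public void grant(Principal p, String... roles) {
        staticRoles.computeIfAbsent(p, k -> new HashSet<>()).addAll(Arrays.asList(roles));
    }
    public void registerDynamicRole(String role, DynamicRole ev) { dynamicRoles.put(role, ev); }

    // Static roles first; evaluators only when none matched. No @RolesAllowed means deny (fail closed).
    public boolean isAllowed(Principal caller, Method m, Object[] args) {
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) return false;
        Set<String> held = staticRoles.getOrDefault(caller, Collections.emptySet());
        for (String role : ra.value()) if (held.contains(role)) return true;
        for (String role : ra.value()) {
            DynamicRole ev = dynamicRoles.get(role);
            if (ev != null && ev.isInRole(caller, args)) return true;
        }
        return false;
    }

    public static void main(String[] argv) throws Exception {
        DynamicRoles sec = new DynamicRoles();
        Principal alice = () -> "alice", bob = () -> "bob", admin = () -> "root";
        sec.grant(admin, "administrator");
        // "owner" holds when the User argument names the calling principal.
        sec.registerDynamicRole("owner", (p, a) ->
            a.length > 0 && a[0] instanceof User && ((User) a[0]).name.equals(p.getName()));
        Method m = UserService.class.getMethod("updateUserData", User.class);
        Object[] alicesData = { new User("alice") };
        System.out.println(sec.isAllowed(admin, m, alicesData)   // static role: allowed
            + " " + sec.isAllowed(alice, m, alicesData)          // owner: allowed
            + " " + sec.isAllowed(bob, m, alicesData));          // neither: denied
    }
}
```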


