[jboss-user] [JBoss Seam] - Re: External Client and Seam Security

agnadello do-not-reply at jboss.com
Thu Nov 29 14:02:24 EST 2007


I give up!

Thanks a lot Shane for all your help.

I wasn't able to use the interceptor you suggested. I tried to add it to the default stack by Component.forName("...").addInterceptor(...) but ended up with ArrayIndexOutOfBounds etc.

My second try was to use a regular EJB3 interceptor which does the Seam login/logout and basically all the things in SecurityInterceptor from Seam.

It's really a copy of your code:


import java.lang.reflect.Method;

import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

import org.jboss.seam.Component;
import org.jboss.seam.annotations.security.Restrict;
import org.jboss.seam.security.Identity;
import org.jboss.seam.util.Strings;

/**
 * EJB3 interceptor that logs in to Seam, evaluates any @Restrict annotation
 * on the invoked method (or its bean class) and logs out again afterwards.
 */
public class ExternalClientSecurityInterceptor {

	@AroundInvoke
	public Object aroundInvoke(final InvocationContext theInvocationContext)
			throws Exception {

		try {
			// Perform a Seam login
			this.doSeamLogin();

			// Get the invoked method
			final Method theInterfaceMethod = theInvocationContext.getMethod();

			// TODO: optimize this:
			// Check if there's a Seam @Restrict annotation on invoked method
			final Object theTarget = theInvocationContext.getTarget();
			final Method theMethod = this.getComponent(theTarget)
					.getBeanClass().getMethod(theInterfaceMethod.getName(),
							theInterfaceMethod.getParameterTypes());
			final Restrict theRestriction = this.getRestriction(theMethod,
					theTarget);

			// Perform security check if a restriction is found
			if (null != theRestriction && Identity.isSecurityEnabled()) {
				final String theRestrictionExpression = !Strings
						.isEmpty(theRestriction.value()) ? theRestriction
						.value() : this.createDefaultExpr(theMethod, theTarget);
				Identity.instance().checkRestriction(theRestrictionExpression);
			}
			return theInvocationContext.proceed();
		} finally {

			// Always logout after invocation
			this.doSeamLogout();
		}
	}

	private Component getComponent(final Object theTarget) {
		// Get the Seam component name of the target class
		final String theComponentName = Component.getComponentName(theTarget
				.getClass());
		// Return the component
		return Component.forName(theComponentName);
	}

	private void doSeamLogin() {
		// Log in as a fixed account; the credentials are hard-coded here
		Identity.instance().setUsername("user");
		Identity.instance().setPassword("Demo987!");
		Identity.instance().login();
	}

	private void doSeamLogout() {
		Identity.instance().logout();
	}

	private Restrict getRestriction(final Method theMethod,
			final Object theTarget) {
		// A method-level @Restrict takes precedence over a class-level one
		if (theMethod.isAnnotationPresent(Restrict.class)) {
			return theMethod.getAnnotation(Restrict.class);
		} else if (this.getComponent(theTarget).getBeanClass()
				.isAnnotationPresent(Restrict.class)) {
			// The class-level restriction is not applied to lifecycle methods
			if (!this.getComponent(theTarget).isLifecycleMethod(theMethod)) {
				return this.getComponent(theTarget).getBeanClass()
						.getAnnotation(Restrict.class);
			}
		}
		return null;
	}

	/**
	 * Creates a default security expression for a specified method. The method
	 * must be a method of a Seam component.
	 * 
	 * @param theMethod
	 *            The method for which to create a default permission expression
	 * @param theTarget
	 *            The bean instance whose Seam component name is used
	 * @return The generated security expression.
	 */
	private String createDefaultExpr(final Method theMethod,
			final Object theTarget) {
		return String.format("#{s:hasPermission('%s','%s', null)}", this
				.getComponent(theTarget).getName(), theMethod.getName());
	}
}

This enabled the recognition of the @Restrict("s:hasRole('user')") annotation on EJB methods.

Next problem - the Drools rules don't seem to work. Well, they work if I run from the JSFs but not from my Quartz POJO job.

I've tried to debug to see how and if my RuleBasedIdentity uses the rules but I got lost in the Drools code :-(
At least I can see that the RuleBasedIdentity is created and that my Drools rule file is read.

I guess I'll use default Java EE security, and where I need more advanced security constraints I'll have to implement it myself... too bad.

Is there a possibility to file this feature to JIRA?

Kind regards, Andreas
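
An added example, not part of the original post or of Seam: a fail-closed variant of the login/logout wrapping used in the interceptor above, which rejects the call when the login does not produce a principal and leaves an already authenticated caller's session untouched. The class name and the two system property names are hypothetical; the @Restrict evaluation from the post would sit just before proceed().

```java
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

import org.jboss.seam.security.Identity;

// Hypothetical class name; only the login handling is shown.
public class FailClosedClientLoginInterceptor {

	@AroundInvoke
	public Object aroundInvoke(final InvocationContext ctx) throws Exception {
		final Identity identity = Identity.instance();

		// A caller that is already authenticated (e.g. a JSF user) keeps its
		// own identity: no second login here and no logout afterwards.
		final boolean loginPerformedHere = !identity.isLoggedIn();
		if (loginPerformedHere) {
			this.login(identity);
		}
		try {
			// The @Restrict lookup and checkRestriction(...) call go here.
			return ctx.proceed();
		} finally {
			// Only undo a login that this interceptor performed
			if (loginPerformedHere) {
				identity.logout();
			}
		}
	}

	private void login(final Identity identity) {
		// Assumed property names, standing in for whatever protected
		// configuration source the deployment uses for the account.
		final String user = System.getProperty("seam.client.user");
		final String password = System.getProperty("seam.client.password");
		if (user == null || password == null) {
			throw new SecurityException("client account is not configured");
		}
		identity.setUsername(user);
		identity.setPassword(password);
		identity.login();

		// login() reports failure through its outcome rather than by
		// throwing, so verify that a principal was established.
		if (!identity.isLoggedIn()) {
			throw new SecurityException("Seam login failed for client account");
		}
	}
}
```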


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4109040#4109040
