[seam-dev] Seam Hack Night - Seam Security

Shane Bryzak sbryzak at redhat.com
Fri Aug 12 07:57:52 EDT 2011


Thanks Marek!  Either George or I will be sure to merge them in the next 
day or so.

On 12/08/11 18:38, Marek Schmidt wrote:
> Hi Shane!
>
> I have taken the liberty to make some pull requests to the Seam 
> Security External module, even though not on the list of issues for 
> the Night...
>
> I'd be glad if someone could review them...
>
> Cheers!
>
> -- 
> Marek Schmidt
>
> On 08/10/2011 05:28 AM, Shane Bryzak wrote:
>> Hey guys,
>>
>> Sorry about the delay in getting this list of items to work on for the
>> next Seam Hack night - I've come down with the flu and it's hard to get
>> any work done when it feels like an elephant is sitting on your head.
>> Anyways, the two main areas I'd like us to work on for Seam Security are
>> Identity Management and ACLs/Permission Management.  In the area of
>> Identity Management, there's a number of JIRA issues relating to
>> JpaIdentityStore, and I'd also like to show some love for our
>> integration with PicketLink's LDAP Identity Store too.  For ACL
>> security, we are actually missing this feature altogether in Seam 3.0
>> (it existed in Seam 2) simply because I ran out of time to port it over
>> in time for the 3.0 release.  For anyone that doesn't know, ACL security
>> provides you the ability to grant permissions on individual objects in
>> your application, whether they be entity beans or whatever.
>>
>> To assist us in effectively organising who does which work, I'll give
>> each task a unique number.  If you'd like to volunteer for certain
>> task/s, please do so earlier rather than later - first in first served!
>>
>> JpaIdentityStore issues
>> ==============
>>
>> 1) SEAMSECURITY-62 Using identity management to add user in group
>> prevent user to login
>> https://issues.jboss.org/browse/SEAMSECURITY-62
>>
>>     This issue has a comprehensive description and someone has 
>> attached a
>> patch.
>>
>> 2) SEAMSECURITY-64 Provide the capability to retrieve the actual entity
>> object when a user is created
>> https://issues.jboss.org/browse/SEAMSECURITY-64
>>
>>     We had this feature in Seam 2, however since we're now using
>> PicketLink in Seam 3 it is a little more challenging to implement this.
>> I don't have any solid ideas as yet, however it would be ideal if we
>> could fire an event for this somehow.
>>
>> 3) SEAMSECURITY-65 Criteria queries executed by JPAIdentityStore are not
>> setup properly
>> https://issues.jboss.org/browse/SEAMSECURITY-65
>>
>>     We seem to be missing a select() call for the Criteria queries,
>> should be easy to fix this one.
>>
>> 4) SEAMSECURITY-70 Calling RoleManager.removeRole(Roletype rt, User u,
>> Group g) throws an NPE
>> https://issues.jboss.org/browse/SEAMSECURITY-70
>>
>>     Should be an easy fix, as the reporter has included a solution.
>>
>> 5) SEAMSECURITY-84 identity.hasRole and identity.addRole do not seem to
>> be interacting with JpaStore
>> https://issues.jboss.org/browse/SEAMSECURITY-84
>>
>>     This one might take a little detective work to reproduce.  A user
>> within an application that uses Identity Management should have their
>> roles populated in Identity.roles automatically when they authenticate.
>> One thing to note is that the reporter's assertion at the end of the
>> issue description about identity.addRole() adding the role to the
>> database is incorrect - persistent roles should only be added through
>> the role manager.
>>
>> 6) SEAMSECURITY-69
>> https://issues.jboss.org/browse/SEAMSECURITY-69
>>
>>     This one might take a little bit of analysis also - possibly the
>> cause is an unimplemented method in JpaIdentityStore.
>>
>> LDAP Identity Store issues
>> ================
>>
>> 7) SEAMSECURITY-71 Improve LDAP integration in general
>> https://issues.jboss.org/browse/SEAMSECURITY-71
>>
>>     This one is quite a bit of work.  The actual LDAP Identity Store
>> class is part of PicketLink, so we can't make any direct changes to it.
>> What we can do however, is ease the configuration process.  We currently
>> have a configuration bean for JpaIdentityStore (called
>> JpaIdentityStoreConfiguration), that can be used to configure the
>> Identity Store via Seam Config.  It would be nice to have an equivalent
>> class for the LDAP Identity Store.  Whoever works on this task will need
>> to become familiar with the LDAP configuration in PicketLink.  Any work
>> done in this area would also require documentation in the Seam Security
>> reference guide.
>>
>> 8) Example application that demonstrates authentication via LDAP
>>
>>     This goes hand in hand with 7).  I don't know if we'll have enough
>> time to implement a full example, however it would be nice to have a
>> basic functioning app that we could point people to.
>>
>> ACL Security
>> ========
>>
>> 9) Implement PersistentPermissionResolver
>>
>>     This class has been "ported" from Seam 2, however it's currently not
>> functional (I think a lot of the code may even be commented out).  This
>> is an advanced task, so only volunteer for this one if you feel you're
>> up to the challenge.  One of the biggest issues is how we identify
>> users.  In Seam 2 this was simple, because all users were local and
>> usernames were unique.  In Seam 3 however, we can now have either local
>> users or external users, thanks to OpenID and SAML authentication.
>>
>> 10) Example app for ACL security
>>
>>     Goes with 9), we need an example application to demonstrate ACL 
>> security.
>>
>> 11) SEAMSECURITY-13 Custom EntityIdentifierStrategy ignored by
>> IdentifierPolicy
>> https://issues.jboss.org/browse/SEAMSECURITY-13
>>
>>     If 9) gets done, then this issue probably needs to be addressed 
>> also.
>>
>> Misc
>> ====
>>
>> 12) SEAMSECURITY-66 Separated API/IMPL jars do not allow compilation of
>> the SimpleAuthenticator example
>> https://issues.jboss.org/browse/SEAMSECURITY-66
>>
>>     Quite an unusual issue, which may have already been solved thanks to
>> the removal of the combined jar.  Someone needs to test this and close
>> the issue if it's out of date.
>>
>> 13) SEAMSECURITY-52 security-authorization example - IAE on logout
>> https://issues.jboss.org/browse/SEAMSECURITY-52
>>
>>     Marek has suggested that this is related to SEAMSECURITY-22, which
>> brings us to...
>>
>> 14) SEAMSECURITY-22 Basic authentication with no security drools and no
>> picketlink defined in seam-beans.xml throws exception
>> https://issues.jboss.org/browse/SEAMSECURITY-22
>>
>>     Like 13), I think this has to do with the location of the
>> security.drl file.  We should standardise the location of the
>> security.drl file, so someone needs to research the injectable resources
>> feature in Solder and determine where the best place is to put this 
>> file.
>>
>> Documentation
>> =========
>>
>> 15) SEAMSECURITY-78 Typos in documentation
>> https://issues.jboss.org/browse/SEAMSECURITY-78
>>
>>     Jozef has identified a couple of minor typos that need to be fixed.
>>
>> 16) SEAMSECURITY-51 A readme.txt points to incorrect url of
>> security-openid-rp example
>> https://issues.jboss.org/browse/SEAMSECURITY-51
>>
>>     Martin has noticed that the URL in the readme file for this example
>> is wrong.
>>
>>
>>
>> If anyone has any questions about these tasks, or any suggestions,
>> please feel free to bring them up on seam-dev.
>>
>> Thanks!
>> Shane
>
