Seam SVN: r8429 - trunk/examples/wiki/src/main/org/jboss/seam/wiki/core/wikitext/editor.
by seam-commits@lists.jboss.org
Author: christian.bauer(a)jboss.com
Date: 2008-06-30 09:15:47 -0400 (Mon, 30 Jun 2008)
New Revision: 8429
Modified:
trunk/examples/wiki/src/main/org/jboss/seam/wiki/core/wikitext/editor/WikiTextEditor.java
Log:
Validate wiki text markup on preview enabled
Modified: trunk/examples/wiki/src/main/org/jboss/seam/wiki/core/wikitext/editor/WikiTextEditor.java
===================================================================
--- trunk/examples/wiki/src/main/org/jboss/seam/wiki/core/wikitext/editor/WikiTextEditor.java 2008-06-30 02:06:19 UTC (rev 8428)
+++ trunk/examples/wiki/src/main/org/jboss/seam/wiki/core/wikitext/editor/WikiTextEditor.java 2008-06-30 13:15:47 UTC (rev 8429)
@@ -143,6 +143,11 @@
}
public void setPreviewEnabled(boolean previewEnabled) {
+ if (previewEnabled) {
+ validate();
+ } else {
+ setValid(true);
+ }
this.previewEnabled = previewEnabled;
}
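Review bot: In setPreviewEnabled, the else branch calls setValid(true) without looking at the text, so switching preview off clears any validation failure recorded earlier and the editor reports invalid markup as valid. If the intent is only to hide the message while preview is off, keep the real validation state and suppress the display instead. Also assign this.previewEnabled before calling validate(), so that anything validate() reads sees the new value, and add a short comment that this setter has a validation side effect.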
@@ -207,6 +212,7 @@
WikiFormattedTextValidator validator = new WikiFormattedTextValidator();
validator.validate(null, null, value);
}
+ log.debug("value is valid");
setValid(true);
} catch (ValidatorException e) {
log.debug("exception during validation: " + e.getFacesMessage().getSummary());
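Review bot: The added log.debug("value is valid") sits after the closing brace of the block that creates and runs WikiFormattedTextValidator, so it appears to be logged even when that block was skipped and nothing was validated. Move it inside the block, directly after validator.validate(null, null, value), or reword it so the log does not claim a validation that did not happen.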
16 years, 6 months
Seam SVN: r8428 - in trunk/doc/Seam_Reference_Guide/en-US: images and 1 other directory.
by seam-commits@lists.jboss.org
Author: shane.bryzak(a)jboss.com
Date: 2008-06-29 22:06:19 -0400 (Sun, 29 Jun 2008)
New Revision: 8428
Added:
trunk/doc/Seam_Reference_Guide/en-US/images/security-permission-classdiagram.png
trunk/doc/Seam_Reference_Guide/en-US/images/security-permission-sequence.png
Modified:
trunk/doc/Seam_Reference_Guide/en-US/Security.xml
Log:
grammatical editing, added diagrams
Modified: trunk/doc/Seam_Reference_Guide/en-US/Security.xml
===================================================================
--- trunk/doc/Seam_Reference_Guide/en-US/Security.xml 2008-06-27 08:05:34 UTC (rev 8427)
+++ trunk/doc/Seam_Reference_Guide/en-US/Security.xml 2008-06-30 02:06:19 UTC (rev 8428)
@@ -100,7 +100,7 @@
delegates authentication to one of your own Seam components. This login module is already configured inside Seam as
part of a default application policy and as such does not require any additional configuration files. It allows you to
write an authentication method using the entity classes that are provided by your own application, or alternatively to
- authenticate against some other third party provider. Configuring this simplified form of authentication requires the
+ authenticate with some other third party provider. Configuring this simplified form of authentication requires the
<literal>identity</literal> component to be configured in <literal>components.xml</literal>:
</para>
@@ -117,7 +117,7 @@
</components>]]></programlisting>
<para>
- The EL expression <literal>#{authenticator.authenticate}</literal> is a method binding indicating that
+ The EL expression <literal>#{authenticator.authenticate}</literal> is a method binding that indicates
the <literal>authenticate</literal> method of the <literal>authenticator</literal> component will be used
to authenticate the user.
</para>
@@ -130,7 +130,7 @@
<para>
The <literal>authenticate-method</literal> property specified for <literal>identity</literal> in
<literal>components.xml</literal> specifies which method will be used by <literal>SeamLoginModule</literal>
- to authenticate users. This method takes no parameters, and is expected to return a boolean indicating
+ to authenticate users. This method takes no parameters, and is expected to return a boolean, which indicates
whether authentication is successful or not. The user's username and password can be obtained from
<literal>Credentials.getUsername()</literal> and <literal>Credentials.getPassword()</literal>,
respectively. Any roles that the user is a member of should be assigned using
@@ -213,17 +213,17 @@
<para>
If the current session is already authenticated, then calling <literal>Identity.addRole()</literal> will
- have the expected effect of immediate granting the current user the specified role.
+ have the expected effect of immediately granting the specified role to the current user.
</para>
</sect3>
<sect3>
- <title>Writing an event observers for security-related events</title>
+ <title>Writing an event observer for security-related events</title>
<para>
- Let's say for example that upon a successful login that some user statistics must be
- updated. We would do this by writing an event observer for the
+ Say for example, that upon a successful login that some user statistics must be
+ updated. This would be done by writing an event observer for the
<literal>org.jboss.seam.security.loginSuccessful</literal> event, like this:
</para>
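Review bot: The rewritten sentence "Say for example, that upon a successful login that some user statistics must be updated" has a misplaced comma and a doubled "that". Suggest "Suppose, for example, that some user statistics must be updated upon a successful login."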
@@ -318,15 +318,16 @@
</para>
<note>
+ <title>IMPORTANT NOTE</title>
<para>
- IMPORTANT: Automatic client authentication with a persistent cookie stored on the client machine is dangerous.
+ Automatic client authentication with a persistent cookie stored on the client machine is dangerous.
While convenient for users, any cross-site scripting security hole in your website would have dramatically more
serious effects than usual. Without the authentication cookie, the only cookie to steal for an attacker with XSS
is the cookie of the current session of a user. This means the attack only works when the user has an open session -
which should be a short timespan. However, it is much more attractive and dangerous if an attacker has the possibility
to steal a persistent Remember Me cookie that allows him to login without authentication, at any time. Note that this
all depends on how well you protect your website against XSS attacks - it's up to you to make sure that your website
- is 100% XSS safe - a non-trival achievement for any website that allows user input to be rendered on a page.
+ is 100% XSS safe - a non-trival achievement for any website that allows user input to be rendered on a page.
</para>
<para>
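Review bot: The last -/+ pair in this note ("is 100% XSS safe ...") changes only whitespace and keeps the typo "non-trival"; correct it to "non-trivial" while the line is being touched. A note element titled "IMPORTANT NOTE" would read better as DocBook's own important admonition, which needs no shouting title. In the same paragraph, "allows him to login" should be "allows them to log in".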
@@ -379,7 +380,7 @@
</para>
<para>
- The first step is to create a new Entity which will contain the tokens. The following example shows the possible
+ The first step is to create a new Entity which will contain the tokens. The following example shows a possible
structure that you may use:
</para>
@@ -3042,7 +3043,155 @@
</sect2>
+
+ <sect2>
+ <title>The Permission Authorization Model</title>
+
+ <para>
+ Seam Security provides an extensible framework for resolving application permissions. The following class diagram
+ shows an overview of the main components of the permission framework:
+ </para>
+ <mediaobject>
+ <imageobject role="fo">
+ <imagedata fileref="images/security-permission-classdiagram.png" align="center"/>
+ </imageobject>
+ <imageobject role="html">
+ <imagedata fileref="images/security-permission-classdiagram.png" align="center"/>
+ </imageobject>
+ </mediaobject>
+
+ <para>
+ Each of these classes are explained in more detail in the following sections.
+ </para>
+
+ <sect3>
+ <title>PermissionResolver</title>
+
+ <para>
+ This is actually an interface, which provides methods for resolving individual object permissions. Seam provides
+ the following built-in <literal>PermissionResolver</literal> implementations, which are described in more detail later
+ in the chapter:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para><literal>RuleBasedPermissionResolver</literal> - This permission resolver uses Drools to resolve rule-based
+ permission checks.</para>
+ </listitem>
+ <listitem>
+ <para><literal>PersistentPermissionResolver</literal> - This permission resolver stores object permissions in a
+ persistent store, such as a relational database.</para>
+ </listitem>
+ </itemizedlist>
+
+ <sect4>
+ <title>Writing your own PermissionResolver</title>
+
+ <para>
+ It is very simple to implement your own permission resolver. The <literal>PermissionResolver</literal>
+ interface defines only two methods that must be implemented:
+ </para>
+
+ <table>
+ <title>PermissionResolver interface</title>
+
+ <tgroup cols="2">
+ <colspec colnum="1" colwidth="2*" />
+ <colspec colnum="2" colwidth="3*" />
+ <colspec colnum="3" colwidth="3*" />
+ <colspec colnum="4" colwidth="4*" />
+
+ <thead>
+ <row>
+ <entry align="center">
+ <para>Return type</para>
+ </entry>
+ <entry align="center">
+ <para>Method</para>
+ </entry>
+ <entry align="center">
+ <para>Description</para>
+ </entry>
+ </row>
+ </thead>
+
+ <tbody>
+
+ <row>
+ <entry>
+ <para>
+ <literal>boolean</literal>
+ </para>
+ </entry>
+ <entry>
+ <para>
+ <literal>hasPermission(Object target, String action)</literal>
+ </para>
+ </entry>
+ <entry>
+ <para>
+ This method must resolve whether the currently authenticated user (obtained via a call to
+ <literal>Identity.getPrincipal()</literal>) has the permission specified by the <literal>target</literal>
+ and <literal>action</literal> parameters. It should return <literal>true</literal> if the user has
+ the permission, or <literal>false</literal> if they don't.
+ </para>
+ </entry>
+ </row>
+
+ <row>
+ <entry>
+ <para>
+ <literal>void</literal>
+ </para>
+ </entry>
+ <entry>
+ <para>
+ <literal>filterSetByAction(Set<Object> targets, String action)</literal>
+ </para>
+ </entry>
+ <entry>
+ <para>
+ This method should iterate through the specified set of objects, and remove any that would otherwise
+ return <literal>false</literal> if passed to the <literal>hasPermission()</literal> method with the
+ same <literal>action</literal> parameter value.
+ </para>
+ </entry>
+ </row>
+
+ </tbody>
+ </tgroup>
+ </table>
+
+ </sect4>
+ </sect3>
+
+ <sect3>
+ <title>ResolverChain</title>
+
+ <para>
+ A <literal>ResolverChain</literal> contains an ordered list of <literal>PermissionResolver</literal>s, for the
+ purpose of resolving object permissions for a particular object class or permission target.
+ </para>
+ </sect3>
+
+ <para>
+ The following sequence diagram shows the interaction between the components of the permission framework during a
+ permission check (explanation follows):
+ </para>
+
+ <mediaobject>
+ <imageobject role="fo">
+ <imagedata fileref="images/security-permission-sequence.png" align="center"/>
+ </imageobject>
+ <imageobject role="html">
+ <imagedata fileref="images/security-permission-sequence.png" align="center"/>
+ </imageobject>
+ </mediaobject>
+
+
+ </sect2>
+
<sect2>
<title>Rule-based Permissions</title>
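Review bot: The PermissionResolver table declares tgroup cols="2" but carries four colspec elements and three entry cells per row; set cols="3" and keep three colspecs so the table validates and renders all columns. The para and mediaobject for the sequence diagram come after the closing tag of the ResolverChain sect3 but still inside the sect2, where block content may not follow a subsection; move them ahead of the first sect3 or into a sect3 of their own, and supply the text promised by "(explanation follows)", which is missing before the closing sect2. In the hasPermission description, state what a resolver must return when there is no authenticated user. The generic type in filterSetByAction(Set<Object> targets, String action) has to be written with escaped angle brackets if it is literal in the XML. "Each of these classes are explained" should be "is explained".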
Added: trunk/doc/Seam_Reference_Guide/en-US/images/security-permission-classdiagram.png
===================================================================
(Binary files differ)
Property changes on: trunk/doc/Seam_Reference_Guide/en-US/images/security-permission-classdiagram.png
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: trunk/doc/Seam_Reference_Guide/en-US/images/security-permission-sequence.png
===================================================================
(Binary files differ)
Property changes on: trunk/doc/Seam_Reference_Guide/en-US/images/security-permission-sequence.png
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
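Review bot: svn:mime-type is set to application/octet-stream on both security-permission-classdiagram.png and security-permission-sequence.png. Set it to image/png (svn propset svn:mime-type image/png on each file) so repository browsers display the diagrams instead of treating them as opaque binaries.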
16 years, 6 months
Seam SVN: r8427 - branches/Seam_2_0_FP.
by seam-commits@lists.jboss.org
Author: manaRH
Date: 2008-06-27 04:05:34 -0400 (Fri, 27 Jun 2008)
New Revision: 8427
Modified:
branches/Seam_2_0_FP/build.xml
Log:
SEAM-FP4
Modified: branches/Seam_2_0_FP/build.xml
===================================================================
--- branches/Seam_2_0_FP/build.xml 2008-06-26 19:12:00 UTC (rev 8426)
+++ branches/Seam_2_0_FP/build.xml 2008-06-27 08:05:34 UTC (rev 8427)
@@ -182,11 +182,6 @@
<target name="jarcore" depends="compilecore" description="Build the distribution .jar file using M2 dependency management">
<archive classesdir="${classes.core.dir}" module="jboss-seam" pom="${core.pom}" srcdir="${src.core.dir}" />
- <archive classesdir="${classes.core.dir}" module="jboss-seam-wls-compatible" pom="${core.wls.pom}" srcdir="${src.core.dir}" outputdir="${lib.dir}/interop">
- <excludes>
- <exclude name="org/jboss/seam/async/TimerServiceDispatcher*" />
- </excludes>
- </archive>
</target>
<!-- ########################### PDF TARGETS ###########################-->
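Review bot: The archive element removed from jarcore was the only one writing to ${lib.dir}/interop and the only one excluding org/jboss/seam/async/TimerServiceDispatcher*. Check that no packaging or distribution target still expects the jboss-seam-wls-compatible artifact in that directory, and say in the log message why it is being dropped, since "SEAM-FP4" alone does not.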
16 years, 6 months
Seam SVN: r8426 - trunk/build and 1 other directory.
by seam-commits@lists.jboss.org
Author: jbalunas(a)redhat.com
Date: 2008-06-26 15:12:00 -0400 (Thu, 26 Jun 2008)
New Revision: 8426
Modified:
branches/Seam_2_0/build/ci.build.xml
trunk/build/ci.build.xml
Log:
Removed JDK 6 specific CI build targets as they are not needed any longer.
Modified: branches/Seam_2_0/build/ci.build.xml
===================================================================
--- branches/Seam_2_0/build/ci.build.xml 2008-06-26 15:29:17 UTC (rev 8425)
+++ branches/Seam_2_0/build/ci.build.xml 2008-06-26 19:12:00 UTC (rev 8426)
@@ -38,19 +38,6 @@
<build target="copytestoutput" />
<build target="testreport" />
</target>
-
- <target name="tests-java16">
- <build target="cleanall" />
- <copyInlineDependencies id="endorsed" scope="compile" todir="${endorsed.dir}">
- <dependency groupId="javax.xml.bind" artifactId="jaxb-api" version="2.1">
- <exclusion groupId="javax.xml.stream" artifactId="stax-api" />
- <exclusion groupId="javax.activation" artifactId="activation" />
- </dependency>
- </copyInlineDependencies>
- <build target="testall" testngjvmargs="-Dsun.lang.ClassLoader.allowArraySyntax=true" />
- <build target="copytestoutput" />
- <build target="testreport" />
- </target>
<target name="snapshot">
<build target="cleanall" />
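Review bot: The deleted tests-java16 target did more than pass -Dsun.lang.ClassLoader.allowArraySyntax=true: it also copied jaxb-api 2.1 (without stax-api and activation) into ${endorsed.dir} before running testall. Confirm that the regular test target still populates the endorsed directory when run under JDK 6 and that no CI job still invokes tests-java16 by name. The same applies to the identical removal in trunk/build/ci.build.xml.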
Modified: trunk/build/ci.build.xml
===================================================================
--- trunk/build/ci.build.xml 2008-06-26 15:29:17 UTC (rev 8425)
+++ trunk/build/ci.build.xml 2008-06-26 19:12:00 UTC (rev 8426)
@@ -40,19 +40,6 @@
<build target="copytestoutput" />
<build target="testreport" />
</target>
-
- <target name="tests-java16">
- <build target="cleanall" />
- <copyInlineDependencies id="endorsed" scope="compile" todir="${endorsed.dir}">
- <dependency groupId="javax.xml.bind" artifactId="jaxb-api" version="2.1">
- <exclusion groupId="javax.xml.stream" artifactId="stax-api" />
- <exclusion groupId="javax.activation" artifactId="activation" />
- </dependency>
- </copyInlineDependencies>
- <build target="testall" testngjvmargs="-Dsun.lang.ClassLoader.allowArraySyntax=true" />
- <build target="copytestoutput" />
- <build target="testreport" />
- </target>
<target name="snapshot">
<build target="cleanall" />
16 years, 6 months
Seam SVN: r8425 - in trunk: examples and 1 other directories.
by seam-commits@lists.jboss.org
Author: jbalunas(a)redhat.com
Date: 2008-06-26 11:29:17 -0400 (Thu, 26 Jun 2008)
New Revision: 8425
Modified:
trunk/build.xml
trunk/examples/build.xml
trunk/examples/wiki/build.xml
Log:
Added jvm property so that JBoss embedded executes correctly during test suite execution with JDK6- -Dsun.lang.ClassLoader.allowArraySyntax=true
Modified: trunk/build.xml
===================================================================
--- trunk/build.xml 2008-06-26 15:05:33 UTC (rev 8424)
+++ trunk/build.xml 2008-06-26 15:29:17 UTC (rev 8425)
@@ -680,6 +680,8 @@
<testng outputdir="${test.dir}">
<jvmarg value="-Demma.coverage.out.file=${coverage.ec}" />
<jvmarg line="-Djava.awt.headless=true" />
+ <!--added for JDK6 compatibility with JBoss embedded-->
+ <jvmarg line="-Dsun.lang.ClassLoader.allowArraySyntax=true"/>
<classpath>
<path path="${classes.test.core.dir}" />
<path path="${classes.test.dir}" />
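Review bot: The literal -Dsun.lang.ClassLoader.allowArraySyntax=true is hard-coded in this testng block and again in examples/build.xml and examples/wiki/build.xml in the same commit. Define it once as a property in a shared build file and reference it from each jvmarg, so that it can be changed or dropped in one place. The comment could also name the failure it works around rather than only "JDK6 compatibility".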
Modified: trunk/examples/build.xml
===================================================================
--- trunk/examples/build.xml 2008-06-26 15:05:33 UTC (rev 8424)
+++ trunk/examples/build.xml 2008-06-26 15:29:17 UTC (rev 8425)
@@ -948,6 +948,8 @@
<jvmarg line="-Djava.awt.headless=true" />
<jvmarg line="-Demma.coverage.out.file=${coverage.ec}" />
<jvmarg line="-Djava.endorsed.dirs=${endorsed.dir}" />
+ <!--added for JDK6 compatibility with JBoss embedded-->
+ <jvmarg line="-Dsun.lang.ClassLoader.allowArraySyntax=true"/>
<jvmarg line="${testng.jvmargs}" />
<classpath>
<path refid="test.classpath" />
@@ -961,11 +963,13 @@
<target name="testclass" depends="buildtest, copyjbossembedded,getemma" description="Run a specific test">
<taskdef resource="testngtasks" classpathref="build.classpath" />
<testng outputdir="${test-report.dir}" testname="${className}" suitename="${className}" >
- <jvmarg value="-Xmx800M" />
- <jvmarg value="-Djava.awt.headless=true" />
- <jvmarg value="-Demma.coverage.out.file=${coverage.ec}" />
- <jvmarg value="-Djava.endorsed.dirs=${endorsed.dir}" />
- <jvmarg value="${testng.jvmargs}" />
+ <jvmarg line="-Xmx800M" />
+ <jvmarg line="-Djava.awt.headless=true" />
+ <jvmarg line="-Demma.coverage.out.file=${coverage.ec}" />
+ <jvmarg line="-Djava.endorsed.dirs=${endorsed.dir}" />
+ <!--added for JDK6 compatibility with JBoss embedded-->
+ <jvmarg line="-Dsun.lang.ClassLoader.allowArraySyntax=true"/>
+ <jvmarg line="${testng.jvmargs}" />
<classpath>
<path refid="test.classpath" />
<path refid="runtime.emma.path" />
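Review bot: Switching every jvmarg in the testclass target from value= to line= changes how paths are passed: line= splits on whitespace, so -Demma.coverage.out.file=${coverage.ec} and -Djava.endorsed.dirs=${endorsed.dir} break into several arguments when either directory contains a space. Keep value= for the single-argument entries and use line= only for ${testng.jvmargs}, which can hold more than one argument.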
Modified: trunk/examples/wiki/build.xml
===================================================================
--- trunk/examples/wiki/build.xml 2008-06-26 15:05:33 UTC (rev 8424)
+++ trunk/examples/wiki/build.xml 2008-06-26 15:29:17 UTC (rev 8425)
@@ -498,6 +498,7 @@
<jvmarg line="${testng.jvmargs}"/>
<jvmarg line="-Demma.coverage.out.file=${coverage.ec}" />
<!-- Needed for running Embedded JBoss under JDK 6 -->
+ <jvmarg line="-Dsun.lang.ClassLoader.allowArraySyntax=true"/>
<jvmarg line="-Djava.endorsed.dirs=${seam.dir}/classes/endorsed" />
</testng>
<echo message="Please read the test output in directory: ${test.output.dir}"/>
16 years, 6 months
Seam SVN: r8424 - trunk/src/pdf/org/jboss/seam/pdf/ui.
by seam-commits@lists.jboss.org
Author: norman.richards(a)jboss.com
Date: 2008-06-26 11:05:33 -0400 (Thu, 26 Jun 2008)
New Revision: 8424
Modified:
trunk/src/pdf/org/jboss/seam/pdf/ui/UIDocument.java
Log:
JBSEAM-3069
Modified: trunk/src/pdf/org/jboss/seam/pdf/ui/UIDocument.java
===================================================================
--- trunk/src/pdf/org/jboss/seam/pdf/ui/UIDocument.java 2008-06-26 14:54:42 UTC (rev 8423)
+++ trunk/src/pdf/org/jboss/seam/pdf/ui/UIDocument.java 2008-06-26 15:05:33 UTC (rev 8424)
@@ -21,6 +21,7 @@
import com.lowagie.text.Element;
import com.lowagie.text.Rectangle;
import com.lowagie.text.html.HtmlWriter;
+import com.lowagie.text.pdf.PdfContentByte;
import com.lowagie.text.pdf.PdfTemplate;
import com.lowagie.text.pdf.PdfWriter;
import com.lowagie.text.rtf.RtfWriter2;
@@ -141,8 +142,8 @@
// do nothing
} else if (orientation.equalsIgnoreCase("landscape")) {
Rectangle currentSize = document.getPageSize();
- document.setPageSize(new Rectangle(currentSize.height(),
- currentSize.width()));
+ document.setPageSize(new Rectangle(currentSize.getHeight(),
+ currentSize.getWidth()));
} else {
throw new RuntimeException("orientation value " + orientation + "unknown");
}
@@ -321,11 +322,15 @@
return writer;
}
- public PdfTemplate createPdfTemplate(float width, float height) {
+ public PdfContentByte getPdfContent() {
PdfWriter writer = (PdfWriter) getWriter();
- return writer.getDirectContent().createTemplate(width, height);
+ return writer.getDirectContent();
}
+ public PdfTemplate createPdfTemplate(float width, float height) {
+ return getPdfContent().createTemplate(width, height);
+ }
+
private DocumentType documentTypeForName(String typeName) {
if (typeName != null) {
if (typeName.equalsIgnoreCase("pdf")) {
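Review bot: The new public getPdfContent() casts getWriter() to PdfWriter unconditionally, although this class also imports HtmlWriter and RtfWriter2 and resolves document types by name, so a caller on a non-PDF document gets a ClassCastException. Check the writer with instanceof and throw an exception with a clear message (or document the precondition in Javadoc), since the method is now part of the public surface and createPdfTemplate delegates to it.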
16 years, 6 months
Seam SVN: r8423 - in branches/Seam_2_0: examples and 1 other directories.
by seam-commits@lists.jboss.org
Author: jbalunas(a)redhat.com
Date: 2008-06-26 10:54:42 -0400 (Thu, 26 Jun 2008)
New Revision: 8423
Modified:
branches/Seam_2_0/build.xml
branches/Seam_2_0/examples/build.xml
branches/Seam_2_0/examples/wiki/build.xml
Log:
Added jvm property so that JBoss embedded executes correctly during test suite execution - -Dsun.lang.ClassLoader.allowArraySyntax=true
Modified: branches/Seam_2_0/build.xml
===================================================================
--- branches/Seam_2_0/build.xml 2008-06-26 11:47:40 UTC (rev 8422)
+++ branches/Seam_2_0/build.xml 2008-06-26 14:54:42 UTC (rev 8423)
@@ -640,6 +640,8 @@
<jvmarg line="-Djava.awt.headless=true" />
<jvmarg line="-Demma.coverage.out.file=${coverage.ec}" />
<jvmarg line="-Djava.endorsed.dirs=${endorsed.dir}" />
+ <!--added for JDK6 compatibility with JBoss embedded-->
+ <jvmarg line="-Dsun.lang.ClassLoader.allowArraySyntax=true"/>
<jvmarg line="${testng.jvmargs}" />
<classpath>
<path path="${classes.test.core.dir}" />
Modified: branches/Seam_2_0/examples/build.xml
===================================================================
--- branches/Seam_2_0/examples/build.xml 2008-06-26 11:47:40 UTC (rev 8422)
+++ branches/Seam_2_0/examples/build.xml 2008-06-26 14:54:42 UTC (rev 8423)
@@ -925,6 +925,8 @@
<jvmarg line="-Djava.awt.headless=true" />
<jvmarg line="-Demma.coverage.out.file=${coverage.ec}" />
<jvmarg line="-Djava.endorsed.dirs=${endorsed.dir}" />
+ <!--added for JDK6 compatibility with JBoss embedded-->
+ <jvmarg line="-Dsun.lang.ClassLoader.allowArraySyntax=true"/>
<jvmarg line="${testng.jvmargs}" />
<classpath>
<path refid="test.classpath" />
@@ -942,6 +944,8 @@
<jvmarg line="-Djava.awt.headless=true" />
<jvmarg line="-Demma.coverage.out.file=${coverage.ec}" />
<jvmarg line="-Djava.endorsed.dirs=${endorsed.dir}" />
+ <!--added for JDK6 compatibility with JBoss embedded-->
+ <jvmarg line="-Dsun.lang.ClassLoader.allowArraySyntax=true"/>
<jvmarg line="${testng.jvmargs}" />
<classpath>
<path refid="test.classpath" />
Modified: branches/Seam_2_0/examples/wiki/build.xml
===================================================================
--- branches/Seam_2_0/examples/wiki/build.xml 2008-06-26 11:47:40 UTC (rev 8422)
+++ branches/Seam_2_0/examples/wiki/build.xml 2008-06-26 14:54:42 UTC (rev 8423)
@@ -538,6 +538,7 @@
<jvmarg line="${testng.jvmargs}"/>
<jvmarg line="-Demma.coverage.out.file=${coverage.ec}" />
<!-- Needed for running Embedded JBoss under JDK 6 -->
+ <jvmarg line="-Dsun.lang.ClassLoader.allowArraySyntax=true"/>
<jvmarg line="-Djava.endorsed.dirs=${seam.dir}/classes/endorsed" />
</testng>
<echo message="Please read the test output in directory: ${test.output.dir}"/>
16 years, 6 months
Seam SVN: r8422 - branches/Seam_2_0_FP/build.
by seam-commits@lists.jboss.org
Author: manaRH
Date: 2008-06-26 07:47:40 -0400 (Thu, 26 Jun 2008)
New Revision: 8422
Modified:
branches/Seam_2_0_FP/build/common.build.xml
Log:
SEAM-FP4
Modified: branches/Seam_2_0_FP/build/common.build.xml
===================================================================
--- branches/Seam_2_0_FP/build/common.build.xml 2008-06-26 08:31:44 UTC (rev 8421)
+++ branches/Seam_2_0_FP/build/common.build.xml 2008-06-26 11:47:40 UTC (rev 8422)
@@ -96,8 +96,7 @@
<install pom="${root.pom}" />
<pomfile name="parent.pom" value="${build.dir}/parent.pom.xml" />
<install pom="${parent.pom}" />
- <pomfile name="core.pom" value="${build.dir}/core.pom.xml" artifactName="jboss-seam" />
- <pomfile name="core.wls.pom" value="${build.dir}/core.pom.xml" artifactName="jboss-seam-wls-compatible" />
+ <pomfile name="core.pom" value="${build.dir}/core.pom.xml" artifactName="jboss-seam" />
<pomfile name="debug.pom" value="${build.dir}/debug.pom.xml" />
<pomfile name="gen.pom" value="${build.dir}/gen.pom.xml" />
<pomfile name="ioc.pom" value="${build.dir}/ioc.pom.xml" />
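Review bot: Removing the core.wls.pom pomfile here leaves its consumer in place: the jarcore target in branches/Seam_2_0_FP/build.xml still passes pom="${core.wls.pom}" to the jboss-seam-wls-compatible archive until r8427, so revisions 8422 to 8426 reference an undefined property. The two changes belong in one commit. The core.pom line is also removed and re-added with only its indentation changed, which adds noise to the diff.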
16 years, 6 months
Seam SVN: r8421 - branches/Seam_2_0_FP.
by seam-commits@lists.jboss.org
Author: manaRH
Date: 2008-06-26 04:31:44 -0400 (Thu, 26 Jun 2008)
New Revision: 8421
Modified:
branches/Seam_2_0_FP/readme.txt
Log:
Added note about JVM 6 required parameter
Modified: branches/Seam_2_0_FP/readme.txt
===================================================================
--- branches/Seam_2_0_FP/readme.txt 2008-06-26 01:52:56 UTC (rev 8420)
+++ branches/Seam_2_0_FP/readme.txt 2008-06-26 08:31:44 UTC (rev 8421)
@@ -1,6 +1,6 @@
JBoss Seam FP - Contextual Component framework for Java EE 5
=========================================================
-version 1.0.GA, May 2008
+version 2.0.2-FP, May 2008
This software is distributed under the terms of the FSF Lesser Gnu
Public License (see lgpl.txt).
@@ -31,6 +31,11 @@
Then checkout the report in the /test-report directory.
+Note: If you use JVM 6 instead of targeted JVM 5, TestNG tests should fail.
+ JVM 6 needs to add the following parameter:
+ "-Dsun.lang.ClassLoader.allowArraySyntax=true" to various build.xml files to execute
+ TestNG tests correctly.
+
Running the TestNG Tests in Eclipse
-----------------------------------
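Review bot: In the added note, "TestNG tests should fail" reads as if failure were the intended result, and "JVM 6 needs to add the following parameter" makes the JVM the actor. Suggest: "If you run the build on Java 6 rather than the targeted Java 5, the TestNG tests fail unless the JVM argument -Dsun.lang.ClassLoader.allowArraySyntax=true is added to the testng tasks in the build.xml files." Name the build files concerned instead of "various". The first hunk also changes the version to 2.0.2-FP but leaves "May 2008" as the date.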
16 years, 6 months
Seam SVN: r8420 - trunk/doc/Seam_Reference_Guide/en-US.
by seam-commits@lists.jboss.org
Author: shane.bryzak(a)jboss.com
Date: 2008-06-25 21:52:56 -0400 (Wed, 25 Jun 2008)
New Revision: 8420
Modified:
trunk/doc/Seam_Reference_Guide/en-US/Security.xml
Log:
documented "remember me"
Modified: trunk/doc/Seam_Reference_Guide/en-US/Security.xml
===================================================================
--- trunk/doc/Seam_Reference_Guide/en-US/Security.xml 2008-06-26 00:48:02 UTC (rev 8419)
+++ trunk/doc/Seam_Reference_Guide/en-US/Security.xml 2008-06-26 01:52:56 UTC (rev 8420)
@@ -301,7 +301,155 @@
</itemizedlist>
</sect2>
+
+ <sect2>
+ <title>Remember Me</title>
+
+ <para>
+ Seam Security supports the same kind of "Remember Me" functionality that is commonly encountered in many
+ online web-based applications. It is actually supported in two different "flavours", or modes - the first
+ mode allows the username to be stored in the user's browser as a cookie, and leaves the entering of the
+ password up to the browser (many modern browsers are capable of remembering passwords).
+ </para>
+
+ <para>
+ The second mode supports the storing of a unique token in a cookie, and allows a user to authenticate
+ automatically upon returning to the site, without having to provide a password.
+ </para>
+
+ <note>
+ <para>
+ IMPORTANT: Automatic client authentication with a persistent cookie stored on the client machine is dangerous.
+ While convenient for users, any cross-site scripting security hole in your website would have dramatically more
+ serious effects than usual. Without the authentication cookie, the only cookie to steal for an attacker with XSS
+ is the cookie of the current session of a user. This means the attack only works when the user has an open session -
+ which should be a short timespan. However, it is much more attractive and dangerous if an attacker has the possibility
+ to steal a persistent Remember Me cookie that allows him to login without authentication, at any time. Note that this
+ all depends on how well you protect your website against XSS attacks - it's up to you to make sure that your website
+ is 100% XSS safe - a non-trival achievement for any website that allows user input to be rendered on a page.
+ </para>
+
+ <para>
+ Browser vendors recognized this issue and introduced a "Remember Passwords" feature - today almost all browsers support
+ this. Here, the browser remembers the login username and password for a particular website and domain, and fills out the
+ login form automatically when you don't have an active session with the website. If you as a website designer then offer
+ a convenient login keyboard shortcut, this approach is almost as convenient as a "Remember Me" cookie and much safer.
+ Some browsers (e.g. Safari on OS X) even store the login form data in the encrypted global operation system keychain.
+ Or, in a networked environment, the keychain can be transported with the user (between laptop and desktop for example),
+ while browser cookies are usually not synchronized.
+ </para>
+
+ <para>
+ To summarize: While everyone is doing it, persistent "Remember Me" cookies with automatic authentication are a bad
+ practice and should not be used. Cookies that "remember" only the users login name, and fill out the login form with
+ that username as a convenience, are not an issue.
+ </para>
+ </note>
+
+ <para>
+ To enable the remember me feature for the default (safe, username only) mode, no special configuration is required.
+ In your login form, simply bind the remember me checkbox to <literal>rememberMe.enabled</literal>, like in the following
+ example:
+ </para>
+
+ <programlisting><![CDATA[ <div>
+ <h:outputLabel for="name" value="User name"/>
+ <h:inputText id="name" value="#{credentials.username}"/>
+ </div>
+
+ <div>
+ <h:outputLabel for="password" value="Password"/>
+ <h:inputSecret id="password" value="#{credentials.password}" redisplay="true"/>
+ </div>
+
+ <div class="loginRow">
+ <h:outputLabel for="rememberMe" value="Remember me"/>
+ <h:selectBooleanCheckbox id="rememberMe" value="#{rememberMe.enabled}"/>
+ </div>]]></programlisting>
+
+ <sect3>
+ <title>Token-based Remember-me Authentication</title>
+
+ <para>
+ To use the automatic, token-based mode of the remember me feature, you must first configure a token store. The
+ most common scenario is to store these authentication tokens within a database (which Seam supports), however it
+ is possible to implement your own token store by implementing the <literal>org.jboss.seam.security.TokenStore</literal>
+ interface. This section will assume you will be using the provided <literal>JpaTokenStore</literal> implementation
+ to store authentication tokens inside a database table.
+ </para>
+
+ <para>
+ The first step is to create a new Entity which will contain the tokens. The following example shows the possible
+ structure that you may use:
+ </para>
+
+ <programlisting><![CDATA[@Entity
+public class AuthenticationToken implements Serializable {
+ private Integer tokenId;
+ private String username;
+ private String value;
+
+ @Id @GeneratedValue
+ public Integer getTokenId() {
+ return tokenId;
+ }
+
+ public void setTokenId(Integer tokenId) {
+ this.tokenId = tokenId;
+ }
+
+ @TokenUsername
+ public String getUsername() {
+ return username;
+ }
+
+ public void setUsername(String username) {
+ this.username = username;
+ }
+
+ @TokenValue
+ public String getValue() {
+ return value;
+ }
+
+ public void setValue(String value) {
+ this.value = value;
+ }
+}]]></programlisting>
+ <para>
+ As you can see from this listing, a couple of special annotations, <literal>@TokenUsername</literal> and
+ <literal>@TokenValue</literal> are used to configure the username and token properties of the entity. These
+ annotations are required for the entity that will contain the authentication tokens.
+ </para>
+
+ <para>
+ The next step is to configure <literal>JpaTokenStore</literal> to use this entity bean to store and retrieve
+ authentication tokens. This is done in <literal>components.xml</literal> by specifying the <literal>token-class</literal>
+ attribute:
+ </para>
+
+ <programlisting><![CDATA[
+ <security:jpa-token-store token-class="org.jboss.seam.example.seamspace.AuthenticationToken"/>
+ ]]></programlisting>
+
+ <para>
+ Once this is done, the last thing to do is to configure the <literal>RememberMe</literal> component in
+ <literal>components.xml</literal> also. Its <literal>mode</literal> should be set to <literal>autoLogin</literal>:
+ </para>
+
+ <programlisting><![CDATA[ <security:remember-me mode="autoLogin"/>
+ ]]></programlisting>
+
+ <para>
+ That is all that is required - automatic authentication will now occur for users revisiting your site (as long as they
+ check the "remember me" checkbox).
+ </para>
+
+ </sect3>
+
+ </sect2>
+
<sect2>
<title>Handling Security Exceptions</title>
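Review bot: In the login form listing, h:inputSecret is shown with redisplay="true", which writes the submitted password back into the rendered page; in a section that warns about XSS the example should leave the attribute out. The token-based subsection then explains how to enable autoLogin directly after the note says such cookies "should not be used", without saying how long a token stays valid, whether logout or a password change removes it, or whether the @TokenValue property holds the raw token or a digest of it; add those points so readers who enable the mode can judge the exposure. Typos in the added text: "non-trival", "operation system keychain", "the users login name".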
16 years, 6 months