From seam-commits at lists.jboss.org Sun Jun 29 22:06:20 2008
Content-Type: multipart/mixed; boundary="===============5259136387732177031=="
MIME-Version: 1.0
From: seam-commits at lists.jboss.org
To: seam-commits at lists.jboss.org
Subject: [seam-commits] Seam SVN: r8428 - in
 trunk/doc/Seam_Reference_Guide/en-US: images and 1 other directory.
Date: Sun, 29 Jun 2008 22:06:19 -0400
Message-ID: <E1KD8mZ-0000by-VH@committer01.frg.pub.inap.atl.jboss.com>

--===============5259136387732177031==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Author: shane.bryzak(a)jboss.com
Date: 2008-06-29 22:06:19 -0400 (Sun, 29 Jun 2008)
New Revision: 8428

Added:
   trunk/doc/Seam_Reference_Guide/en-US/images/security-permission-classdia=
gram.png
   trunk/doc/Seam_Reference_Guide/en-US/images/security-permission-sequence=
.png
Modified:
   trunk/doc/Seam_Reference_Guide/en-US/Security.xml
Log:
grammatical editing, added diagrams

Modified: trunk/doc/Seam_Reference_Guide/en-US/Security.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- trunk/doc/Seam_Reference_Guide/en-US/Security.xml	2008-06-27 08:05:34 U=
TC (rev 8427)
+++ trunk/doc/Seam_Reference_Guide/en-US/Security.xml	2008-06-30 02:06:19 U=
TC (rev 8428)
@@ -100,7 +100,7 @@
         delegates authentication to one of your own Seam components.  This=
 login module is already configured inside Seam as
         part of a default application policy and as such does not require =
any additional configuration files.  It allows you to
         write an authentication method using the entity classes that are p=
rovided by your own application, or alternatively to =

-        authenticate against some other third party provider.  Configuring=
 this simplified form of authentication requires the =

+        authenticate with some other third party provider.  Configuring th=
is simplified form of authentication requires the =

         <literal>identity</literal> component to be configured in <literal=
>components.xml</literal>:
       </para>
 =

@@ -117,7 +117,7 @@
 </components>]]></programlisting>
 =

       <para>
-        The EL expression <literal>#{authenticator.authenticate}</literal>=
 is a method binding indicating that
+        The EL expression <literal>#{authenticator.authenticate}</literal>=
 is a method binding that indicates
         the <literal>authenticate</literal> method of the <literal>authent=
icator</literal> component will be used
         to authenticate the user.
       </para>
@@ -130,7 +130,7 @@
       <para>
         The <literal>authenticate-method</literal> property specified for =
<literal>identity</literal> in
         <literal>components.xml</literal> specifies which method will be u=
sed by <literal>SeamLoginModule</literal>
-        to authenticate users.  This method takes no parameters, and is ex=
pected to return a boolean indicating
+        to authenticate users.  This method takes no parameters, and is ex=
pected to return a boolean, which indicates
         whether authentication is successful or not.  The user's username =
and password can be obtained from
         <literal>Credentials.getUsername()</literal> and <literal>Credenti=
als.getPassword()</literal>,
         respectively.  Any roles that the user is a member of should be as=
signed using
@@ -213,17 +213,17 @@
         =

         <para>
           If the current session is already authenticated, then calling <l=
iteral>Identity.addRole()</literal> will
-          have the expected effect of immediate granting the current user =
the specified role.
+          have the expected effect of immediately granting the specified r=
ole to the current user.
         </para>
 =

       </sect3>
 =

       <sect3>
-        <title>Writing an event observers for security-related events</tit=
le>
+        <title>Writing an event observer for security-related events</titl=
e>
 =

         <para>
-          Let's say for example that upon a successful login that some use=
r statistics must be
-          updated.  We would do this by writing an event observer for the
+          Say for example, that upon a successful login that some user sta=
tistics must be
+          updated.  This would be done by writing an event observer for the
           <literal>org.jboss.seam.security.loginSuccessful</literal> event=
, like this:
         </para>
 =

@@ -318,15 +318,16 @@
       </para>
       =

       <note>
+        <title>IMPORTANT NOTE</title>
         <para>
-          IMPORTANT: Automatic client authentication with a persistent coo=
kie stored on the client machine is dangerous.  =

+          Automatic client authentication with a persistent cookie stored =
on the client machine is dangerous.  =

           While convenient for users, any cross-site scripting security ho=
le in your website would have dramatically more =

           serious effects than usual. Without the authentication cookie, t=
he only cookie to steal for an attacker with XSS =

           is the cookie of the current session of a user. This means the a=
ttack only works when the user has an open session - =

           which should be a short timespan. However, it is much more attra=
ctive and dangerous if an attacker has the possibility =

           to steal a persistent Remember Me cookie that allows him to logi=
n without authentication, at any time. Note that this =

           all depends on how well you protect your website against XSS att=
acks - it's up to you to make sure that your website =

-          is 100% XSS safe - a non-trival achievement for any website that=
 allows user input to be rendered on a page.
+          is 100% XSS safe - a non-trival achievement for any website that=
 allows user input to be rendered on a page.          =

         </para>
         =

         <para>
@@ -379,7 +380,7 @@
         </para>
         =

         <para>
-          The first step is to create a new Entity which will contain the =
tokens.  The following example shows the possible
+          The first step is to create a new Entity which will contain the =
tokens.  The following example shows a possible
           structure that you may use:
         </para>
         =

@@ -3042,7 +3043,155 @@
       =

       =

     </sect2>
+    =

+    <sect2>
+      <title>The Permission Authorization Model</title>
+    =

+      <para>
+        Seam Security provides an extensible framework for resolving appli=
cation permissions.  The following class diagram
+        shows an overview of the main components of the permission framewo=
rk:
+      </para>
 =

+      <mediaobject>
+        <imageobject role=3D"fo">
+          <imagedata fileref=3D"images/security-permission-classdiagram.pn=
g" align=3D"center"/>
+        </imageobject>
+        <imageobject role=3D"html">
+          <imagedata fileref=3D"images/security-permission-classdiagram.pn=
g" align=3D"center"/>
+        </imageobject>
+      </mediaobject>     =

+      =

+      <para>
+        Each of these classes are explained in more detail in the followin=
g sections.
+      </para>
+      =

+      <sect3>
+        <title>PermissionResolver</title>
+        =

+        <para>
+          This is actually an interface, which provides methods for resolv=
ing individual object permissions.  Seam provides
+          the following built-in <literal>PermissionResolver</literal> imp=
lementations, which are described in more detail later
+          in the chapter:
+        </para>
+        =

+        <itemizedlist>
+          <listitem>
+            <para><literal>RuleBasedPermissionResolver</literal> - This pe=
rmission resolver uses Drools to resolve rule-based
+            permission checks.</para>
+          </listitem>
+          <listitem>
+            <para><literal>PersistentPermissionResolver</literal> - This p=
ermission resolver stores object permissions in a
+            persistent store, such as a relational database.</para>
+          </listitem>
+        </itemizedlist>
+        =

+        <sect4>
+          <title>Writing your own PermissionResolver</title>
+
+          <para>
+            It is very simple to implement your own permission resolver.  =
The <literal>PermissionResolver</literal>
+            interface defines only two methods that must be implemented:
+          </para>          =

+          =

+          <table>
+            <title>PermissionResolver interface</title>
+      =

+            <tgroup cols=3D"2">
+              <colspec colnum=3D"1" colwidth=3D"2*" />
+              <colspec colnum=3D"2" colwidth=3D"3*" />
+              <colspec colnum=3D"3" colwidth=3D"3*" />
+              <colspec colnum=3D"4" colwidth=3D"4*" />
+      =

+              <thead>
+                <row>
+                  <entry align=3D"center">
+                    <para>Return type</para>
+                  </entry>
+                  <entry align=3D"center">
+                    <para>Method</para>
+                  </entry>
+                  <entry align=3D"center">
+                    <para>Description</para>
+                  </entry>
+                </row>
+              </thead>
+      =

+              <tbody>
+      =

+                <row>
+                  <entry>
+                    <para>
+                      <literal>boolean</literal>
+                    </para>
+                  </entry>
+                  <entry>
+                    <para>
+                      <literal>hasPermission(Object target, String action)=
</literal>
+                    </para>
+                  </entry>
+                  <entry>
+                    <para>
+                      This method must resolve whether the currently authe=
nticated user (obtained via a call to
+                      <literal>Identity.getPrincipal()</literal>) has the =
permission specified by the <literal>target</literal>
+                      and <literal>action</literal> parameters.  It should=
 return <literal>true</literal> if the user has
+                      the permission, or <literal>false</literal> if they =
don't.
+                    </para>
+                  </entry>
+                </row>   =

+                =

+                <row>
+                  <entry>
+                    <para>
+                      <literal>void</literal>
+                    </para>
+                  </entry>
+                  <entry>
+                    <para>
+                      <literal>filterSetByAction(Set&lt;Object&gt; targets=
, String action)</literal>
+                    </para>
+                  </entry>
+                  <entry>
+                    <para>
+                      This method should iterate through the specified set=
 of objects, and remove any that would otherwise
+                      return <literal>false</literal> if passed to the <li=
teral>hasPermission()</literal> method with the =

+                      same <literal>action</literal> parameter value.
+                    </para>
+                  </entry>
+                </row>                 =

+                =

+              </tbody>
+            </tgroup>
+          </table>       =

+          =

+        </sect4>
+      </sect3>
+      =

+      <sect3>
+        <title>ResolverChain</title>
+        =

+        <para>
+          A <literal>ResolverChain</literal> contains an ordered list of <=
literal>PermissionResolver</literal>s, for the
+          purpose of resolving object permissions for a particular object =
class or permission target.
+        </para>
+      </sect3>
+      =

+      <para>
+        The following sequence diagram shows the interaction between the c=
omponents of the permission framework during a
+        permission check (explanation follows):
+      </para>
+      =

+      <mediaobject>
+        <imageobject role=3D"fo">
+          <imagedata fileref=3D"images/security-permission-sequence.png" a=
lign=3D"center"/>
+        </imageobject>
+        <imageobject role=3D"html">
+          <imagedata fileref=3D"images/security-permission-sequence.png" a=
lign=3D"center"/>
+        </imageobject>
+      </mediaobject>         =

+      =

+      =

+    </sect2>
+
     <sect2>
       <title>Rule-based Permissions</title>
       =


Added: trunk/doc/Seam_Reference_Guide/en-US/images/security-permission-clas=
sdiagram.png
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
(Binary files differ)


Property changes on: trunk/doc/Seam_Reference_Guide/en-US/images/security-p=
ermission-classdiagram.png
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: trunk/doc/Seam_Reference_Guide/en-US/images/security-permission-sequ=
ence.png
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
(Binary files differ)


Property changes on: trunk/doc/Seam_Reference_Guide/en-US/images/security-p=
ermission-sequence.png
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream


--===============5259136387732177031==--