Seam Hack Night - Seam Security
by Shane Bryzak
Hey guys,
Sorry about the delay in getting this list of items to work on for the
next Seam Hack night - I've come down with the flu and it's hard to get
any work done when it feels like an elephant is sitting on your head.
Anyways, the two main areas I'd like us to work on for Seam Security are
Identity Management and ACLs/Permission Management. In the area of
Identity Management, there's a number of JIRA issues relating to
JpaIdentityStore, and I'd also like to show some love for our
integration with PicketLink's LDAP Identity Store too. For ACL
security, we are actually missing this feature altogether in Seam 3.0
(it existed in Seam 2) simply because I ran out of time to port it over
in time for the 3.0 release. For anyone that doesn't know, ACL security
provides you the ability to grant permissions on individual objects in
your application, whether they be entity beans or whatever.
To assist us in effectively organising who does which work, I'll give
each task a unique number. If you'd like to volunteer for certain
task/s, please do so earlier rather than later - first in first served!
JpaIdentityStore issues
==============
1) SEAMSECURITY-62 Using identity management to add user in group
prevent user to login
https://issues.jboss.org/browse/SEAMSECURITY-62
This issue has a comprehensive description and someone has attached a
patch.
2) SEAMSECURITY-64 Provide the capability to retrieve the actual entity
object when a user is created
https://issues.jboss.org/browse/SEAMSECURITY-64
We had this feature in Seam 2, however since we're now using
PicketLink in Seam 3 it is a little more challenging to implement this.
I don't have any solid ideas as yet, however it would be ideal if we
could fire an event for this somehow.
3) SEAMSECURITY-65 Criteria queries executed by JPAIdentityStore are not
setup properly
https://issues.jboss.org/browse/SEAMSECURITY-65
We seem to be missing a select() call for the Criteria queries,
should be easy to fix this one.
4) SEAMSECURITY-70 Calling RoleManager.removeRole(Roletype rt, User u,
Group g) throws an NPE
https://issues.jboss.org/browse/SEAMSECURITY-70
Should be an easy fix, as the reporter has included a solution.
5) SEAMSECURITY-84 identity.hasRole and identity.addRole do not seem to
be interacting with JpaStore
https://issues.jboss.org/browse/SEAMSECURITY-84
This one might take a little detective work to reproduce. A user
within an application that uses Identity Management should have their
roles populated in Identity.roles automatically when they authenticate.
One thing to note is that the reporter's assertion at the end of the
issue description about identity.addRole() adding the role to the
database is incorrect - persistent roles should only be added through
the role manager.
6) SEAMSECURITY-69
https://issues.jboss.org/browse/SEAMSECURITY-69
This one might take a little bit of analysis also - possibly the
cause is an unimplemented method in JpaIdentityStore.
LDAP Identity Store issues
================
7) SEAMSECURITY-71 Improve LDAP integration in general
https://issues.jboss.org/browse/SEAMSECURITY-71
This one is quite a bit of work. The actual LDAP Identity Store
class is part of PicketLink, so we can't make any direct changes to it.
What we can do however, is ease the configuration process. We currently
have a configuration bean for JpaIdentityStore (called
JpaIdentityStoreConfiguration), that can be used to configure the
Identity Store via Seam Config. It would be nice to have an equivalent
class for the LDAP Identity Store. Whoever works on this task will need
to become familiar with the LDAP configuration in PicketLink. Any work
done in this area would also require documentation in the Seam Security
reference guide.
8) Example application that demonstrates authentication via LDAP
This goes hand in hand with 7). I don't know if we'll have enough
time to implement a full example, however it would be nice to have a
basic functioning app that we could point people to.
ACL Security
========
9) Implement PersistentPermissionResolver
This class has been "ported" from Seam 2, however it's currently not
functional (I think a lot of the code may even be commented out). This
is an advanced task, so only volunteer for this one if you feel you're
up to the challenge. One of the biggest issues is how we identify
users. In Seam 2 this was simple, because all users were local and
usernames were unique. In Seam 3 however, we can now have either local
users or external users, thanks to OpenID and SAML authentication.
10) Example app for ACL security
Goes with 9), we need an example application to demonstrate ACL security.
11) SEAMSECURITY-13 Custom EntityIdentifierStrategy ignored by
IdentifierPolicy
https://issues.jboss.org/browse/SEAMSECURITY-13
If 9) gets done, then this issue probably needs to be addressed also.
Misc
====
12) SEAMSECURITY-66 Separated API/IMPL jars do not allow compilation of
the SimpleAuthenticator example
https://issues.jboss.org/browse/SEAMSECURITY-66
Quite an unusual issue, which may have already been solved thanks to
the removal of the combined jar. Someone needs to test this and close
the issue if it's out of date.
13) SEAMSECURITY-52 security-authorization example - IAE on logout
https://issues.jboss.org/browse/SEAMSECURITY-52
Marek has suggested that this is related to SEAMSECURITY-22, which
brings us to...
14) SEAMSECURITY-22 Basic authentication with no security drools and no
picketlink defined in seam-beans.xml throws exception
https://issues.jboss.org/browse/SEAMSECURITY-22
Like 13), I think this has to do with the location of the
security.drl file. We should standardise the location of the
security.drl file, so someone needs to research the injectable resources
feature in Solder and determine where the best place is to put this file.
Documentation
=========
15) SEAMSECURITY-78 Typos in documentation
https://issues.jboss.org/browse/SEAMSECURITY-78
Jozef has identified a couple of minor typos that need to be fixed.
16) SEAMSECURITY-51 A readme.txt points to incorrect url of
security-openid-rp example
https://issues.jboss.org/browse/SEAMSECURITY-51
Martin has noticed that the URL in the readme file for this example
is wrong.
If anyone has any questions about these tasks, or any suggestions,
please feel free to bring them up on seam-dev.
Thanks!
Shane
12 years, 9 months
Seam Cron module
by Martin Kouba
Hi!
Recently I tested Seam Cron module, especially scheduling features. From
my point of view Seam Cron module (as well as Seam 2) is still not
usable for quite common scheduling scenarios. Below are some
comments/observations/suggestions - most of them come from real app
needs and are closely related to quartz because I used this lib in many
JEE apps before.
In any case I don't want to criticize but make Seam 3 more useful :-) !
If needed I can offer some help.
* *Seam Cron has fixed quartz configuration* (no way to change it); this
is not a good idea and will surely limit module user (QUARTZ -
org.jboss.seam.cron.scheduling.quartz.QuartzScheduleProvider)
* *I'm missing operations on scheduler*; e.g. send event to pause or
resume all jobs (API)
* *job observers "may be/and may inject" @Dependant or
@ApplicationScoped beans only*; sometimes its very useful to reuse
request scoped components - e.g. inject service used also from GUI
(API/QUARTZ, in weld/quartz this could be accomplished with
org.quartz.JobListener and org.jboss.weld.context.bound.BoundRequestContext)
* *it's not possible to schedule jobs dynamically* - for instance first
get definitions (DB, XML, WS) and then schedule them (API, maybe
schedule job by firing some special event)
* *fired jobs are always stateless*; sometimes its very practical to
have stateful jobs / implement org.quartz.StatefulJob (API, QUARTZ -
org.jboss.seam.cron.scheduling.quartz.TriggerJob implements org.quartz.Job)
* *trigger may contain next fire time info* - sometimes very practical
to know (API - org.jboss.seam.cron.api.scheduling.Trigger)
* *finally is there a reason not to use new stable versions of quartz,
e.g. 1.8.x or 2.0.x*?
Martin
--
Martin Kouba
JBoss Quality Assurance Engineer
E-mail: mkouba(a)redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
12 years, 9 months
Removing the combined jars
by Shane Bryzak
Hi module leads,
In preparation for the 3.1.0.Beta1 release which we are planning for
this weekend, could you please take the following steps to remove the
combined jar from your module if you haven't already done so:
1) Delete the "combined" directory from your module.
2) Remove the combined module declaration from your module's parent pom.xml
3) Rename your module's implementation. If you have only one
implementation then this should be simple - for example seam-catch-impl
will become just seam-catch. If you have more than one implementation
then name it likewise - e.g. seam-reports-jasper.
4) Update the dependency management section of your parent pom.xml - it
will probably contain something like this:
<dependency>
<groupId>org.jboss.seam.security</groupId>
<artifactId>seam-security-api</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.jboss.seam.security</groupId>
<artifactId>seam-security-impl</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.jboss.seam.security</groupId>
<artifactId>seam-security</artifactId>
<version>${project.version}</version>
</dependency>
In this example for Seam Security, the seam-security-impl dependency
should be removed (as the seam-security dependency will now refer to the
implementation).
5) Update the dependencies for the distribution build. In dist/pom.xml,
you'll find dependencies for the api, impl and combined jar, so like in
step 4 you should be able to just delete the -impl dependency to fix the
dependency list.
6) Update the assembly - edit dist/src/main/assembly/assembly.xml, and
update the dependencies, in particular the list of source dependencies.
7) Update your documentation - somewhere near the beginning of most
modules we list Maven dependencies, take a look at
http://docs.jboss.org/seam/3/faces/latest/reference/en-US/html/faces.inst...
for an example. I'm open to suggestions for this however I think the
easiest thing we can instruct our users to do is simply add the
implementation dependency to their project, which will automatically
pull in the API.
8) Build your module! Run mvn clean install -Drelease to confirm that
the distribution builds ok, and spend a few minutes checking over the
distribution archive to confirm that everything looks in order.
If you have any questions, please feel free to ask!
Shane
12 years, 9 months
Fwd: [JBoss JIRA] Updated: (AS7-1375) UnsupportedDataTypeException sending email
by Ove Ranheim
I thought this might be of interest to seam-dev mailing list.
Cody are you aware of this issue?
Cheers,
Ove
Begin forwarded message:
> From: "David Lloyd (JIRA)" <jira-events(a)lists.jboss.org>
> Subject: [JBoss JIRA] Updated: (AS7-1375) UnsupportedDataTypeException sending email
> Date: August 8, 2011 6:56:24 PM GMT+02:00
> To: oranheim(a)gmail.com
>
>
> [ https://issues.jboss.org/browse/AS7-1375?page=com.atlassian.jira.plugin.s... ]
>
> David Lloyd updated AS7-1375:
> -----------------------------
>
> Fix Version/s: 7.0.1.Final
> Complexity: Low
>
>
> Okay so at best we're looking at changing a module definition, at worst we need to patch one or two EE APIs. But either way it should be a small change so let's try to get it in for 7.0.1 if we can!
>
>> UnsupportedDataTypeException sending email
>> -------------------------------------------
>>
>> Key: AS7-1375
>> URL: https://issues.jboss.org/browse/AS7-1375
>> Project: Application Server 7
>> Issue Type: Bug
>> Environment: jdk-u26, jboss-as-7.1.0.Alpha1-SNAPSHOT(07/22/2011)
>> Reporter: Tomáš Remeš
>> Fix For: 7.0.1.Final
>>
>>
>> Seam 3 send mail example fails on:
>> javax.activation.UnsupportedDataTypeException: no object DCH for MIME type multipart/mixed;
>> boundary="----=_Part_1_340486764.1311336438303"
>> at javax.activation.ObjectDataContentHandler.writeTo(DataHandler.java:905) [activation-1.1.1.jar:1.1.1]
>> at javax.activation.DataHandler.writeTo(DataHandler.java:330) [activation-1.1.1.jar:1.1.1]
>> at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:1476) [mail-1.4.4.jar:1.4.4]
>> at javax.mail.internet.MimeMessage.writeTo(MimeMessage.java:1772) [mail-1.4.4.jar:1.4.4]
>> at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:1099) [mail-1.4.4.jar:1.4.4]
>> ... 42 more
>
> --
> This message is automatically generated by JIRA.
> For more information on JIRA, see: http://www.atlassian.com/software/jira
>
>
12 years, 9 months
PageContext Listener
by kamil büküm
Hi everyone,
I need PageContext Listener. How i can listen PageContext ,
I think PageContext Listener Doesn't have in java Servlet Listeners,
Thank you,
12 years, 9 months
Working on examples and tutorials
by Hanneli Tavante
Hi all!
I've been working on Seam 3 tutorials and examples. I decided to do a
'multitask' approach. There are lots of people trying to learn Seam 3, since
totally JEE newbies until JEE experts. So I decided to work on 3 levels of
tutorials/examples at the same time...
1. Some stuf for absolute beginners - check it
here<http://hannelita.wordpress.com/2011/08/06/creating-seam-3-project/>(Where
I talk about Seam Forge, creating a Seam 3 project, I intend to write
about CDI, ...)
2. Intermediate - Starting with the call 4 papers app (which I called
Call4All - github project here <https://github.com/hannelita/call4all> - I
will be commiting code this weekend), I am writing about Seam 3 features,
how to use them into this project, ... - check the post
here<http://hannelita.wordpress.com/2011/08/06/the-call4all-app-call-4-papers-...>.
I might work into other examples soon. I do accept some help on that -
commits are always welcome :)
3. Some enhanced app - A Seam 3 proposal for the Smart
Tasks<https://github.com/Salaboy/emergency-service-drools-app>app from
@salaboy <http://twitter.com/salaboy>. It's a little bit more complex app,
involving some other technologies like jbpm, infinispan, hornetq and other
concepts about event processing. You can read more about it
here<http://salaboy.wordpress.com/2011/06/14/ad-hoc-human-tasks-for-monitoring...>.
My fork here <https://github.com/hannelita/emergency-service-drools-app>.
So, what do you think?
Sorry if I'm too slow to do this work :/
I'm trying to write posts (usually telling stupid stories), because my blog
experience tells that users prefer information that involves them into
reading... Most of technical failures after following instructions of a
tutorial is not because the tutorial is wrong or missing something, but
because user skipped some steps or could not understand what he actually
should do... Thats why I think it's important to have a newbie session with
really detailed (with pictures!) session!
Finally i will try to connect the content of the posts - The characters, the
stories and the example projects, as I did with confbuzz and the Call4All
app.
The posts are not finished yet, I will release and improve them everyday. :)
I also wrote a post<http://hannelita.wordpress.com/2011/08/06/seam-3-tutorials-and-examples/>explaining
that.
I'd be glad if you could send me some feedback if it's good or not. Hope to
do the kind of job you expected! :)
So, if you take a look and say it's ok, I'll start tweeting about it!
Thanks!
--
Hanneli Carolina Andreazzi Tavante
---------------------------------------------------------------------------------
Unifei - Universidade Federal de Itajubá
10º Período - Engenharia da Computação
---------------------------------------------------------------------------------
12 years, 9 months
about the hack night next thursday
by José Rodolfo Freitas
Hey guys good morning/afternoon/night
which issues will we be targeting on seam security?
Best Regards,
José Rodoflo Freitas
12 years, 9 months
Anyone have the CDI extention Guide?
by yuanqixun
Recently, I want to write myself seam module, any guys have some guideline resources?
Please give me any,thanks.
Best Regards
Yuan
12 years, 9 months
