[jboss-user] [JBoss Seam] - Re: Application Permissions

petemuir do-not-reply at jboss.com
Sat Aug 12 08:33:43 EDT 2006


Permissions/Roles/Users

Isn't this just a semantic mismatch? If you consider a JAAS role as a Permission, then have Group(s) of Permission(s) (JAAS roles), and place a User in a group, then IMO you have solved the mismatch.

Hard-coding in web.xml

It depends how you want to control access to views. I find more often than not that I want to control access to sections of a view, not the whole thing (e.g. for a bog standard user don't display password reset control, display username but with no change permission, allow editing on email address). In this case you can use something like isUserInRole provided by Seam. You can of course deny or allow access to a view with this as well.

The only security constraint I put in web.xml is that only authenticated users can access the 'secure' area - which then pops up a login for when they try to go there.

You can of course use JAAS roles (Permissions) to allow/deny access at the method level as well.

Solution?

Define security in the view itself, and only render those components that can be seen by this user. Take a look at the JAAS example on the wiki; it's a bit nasty to set up, but does work.

Just my tuppence ha'penny's worth :)

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964759#3964759
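As an added illustration (not code from the post, the wiki example, or Seam), the following plain-Java model treats JAAS role names as permissions, bundles them into groups, and uses one deny-by-default check both to decide what a view renders and to guard the method behind the control. The class, group and permission names are hypothetical, and the static `isUserInRole` here is a stand-in for the container's check, not Seam's component.

```java
import java.util.*;

// Added example: PermissionModel and every group/permission name are hypothetical.
public class PermissionModel {
    // A "permission" is simply a JAAS role name; a group bundles permissions.
    static final Map<String, Set<String>> GROUP_PERMISSIONS = Map.of(
        "users",  Set.of("email.edit"),
        "admins", Set.of("email.edit", "username.edit", "password.reset"));

    // Constructed sample data: the groups each user has been placed in.
    static final Map<String, Set<String>> USER_GROUPS = Map.of(
        "alice", Set.of("users"),
        "root",  Set.of("users", "admins"));

    // Effective roles = union of the permissions of every group the user is in.
    static Set<String> rolesFor(String user) {
        Set<String> roles = new TreeSet<>();
        for (String group : USER_GROUPS.getOrDefault(user, Set.of())) {
            roles.addAll(GROUP_PERMISSIONS.getOrDefault(group, Set.of()));
        }
        return roles;
    }

    // Deny by default: unknown users and unknown permissions yield false.
    static boolean isUserInRole(String user, String permission) {
        return rolesFor(user).contains(permission);
    }

    // Method-level check: a control hidden in the view is still refused here.
    static void resetPassword(String caller, String target) {
        if (!isUserInRole(caller, "password.reset")) {
            throw new SecurityException(caller + " lacks password.reset");
        }
        System.out.println(caller + " reset the password of " + target);
    }

    public static void main(String[] args) {
        // "mallory" is in no group, so every render decision comes out false.
        for (String user : List.of("alice", "root", "mallory")) {
            System.out.println(user + " -> " + rolesFor(user)
                + " renderReset=" + isUserInRole(user, "password.reset"));
        }
        resetPassword("root", "alice");
        try {
            resetPassword("alice", "root"); // the view hides this control; the method refuses too
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Not rendering a component only removes it from the page, so the same role check is repeated at the method that performs the action.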



