[jboss-user] [JBoss Seam] - Re: Seam security with JAAS config

scotto do-not-reply at jboss.com
Tue Mar 20 04:51:18 EDT 2007


I am having exactly the same problems in that I am porting a Seam application that was working with JAAS FORM authentication to use the new Seam security code:
anonymous wrote : Seam Security only uses JAAS for authentication, not for authorization. I'm guessing that your action is protected with some container security mechanism, rather than the authorization features provided by Seam?
Is it possible to get Seam Security to work with existing JAAS components for authorization as well? (Is this even planned?)

Let me explain...

For security reasons I have explicitly secured ALL my EJBs with container security annotations. This is because they may be invoked from sources other than just the seam web interface (e.g. web services, remote mbean connections, etc).

To do this, I mark all my business logic with annotations like:
@Stateless
@SecurityDomain("myapp")
@RolesAllowed({"AppUser","AppSystem","AppAdmin"})

Previously, I was using the standard Tomcat JAAS FORM authentication support (using <security-constraint> and <login-config> in web.xml), which I believe was responsible for injecting the currently authenticated user into the session, so when my authenticated Seam session made calls on EJBs, everything "just worked". In fact, I was even able to get the current logged-in JAAS user from my EJB code by calling SessionContext.getCallerPrincipal().

Since I am no longer using Tomcat to do this, is it possible to get Seam to inject the JAAS principal into the session context so authenticated calls to EJB methods still work?

I do not know enough about the internal workings of this stuff, but would it not be the responsibility of the SeamListener to inject the JAAS context accordingly?

Thanks, Scott

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4029658#4029658

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4029658
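As an added illustration (not Scott's code) of the container-secured EJB pattern described in the post: a stateless bean carrying the same class-level @SecurityDomain and @RolesAllowed annotations, reading the propagated caller through SessionContext.getCallerPrincipal() and using isCallerInRole() for a finer-grained ownership rule. The bean and interface names and the account data are hypothetical, and the SecurityDomain import assumes the JBoss AS 4-era package.

```java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.annotation.security.SecurityDomain; // assumed: JBoss AS 4.x package name

// Hypothetical local business interface used by this example.
@Local
interface AccountService {
    String whoAmI();
    void closeAccount(String accountId);
}

@Stateless
@SecurityDomain("myapp")                            // JAAS config the container consults for roles
@RolesAllowed({"AppUser", "AppSystem", "AppAdmin"}) // class-level default for every business method
public class AccountServiceBean implements AccountService {

    @Resource
    private SessionContext ctx; // container-injected; exposes the propagated caller identity

    // Constructed sample data standing in for a real account store.
    private static final java.util.Map<String, String> OWNERS =
            java.util.Collections.singletonMap("acct-42", "alice");

    public String whoAmI() {
        // Only reached once the container has accepted the caller's identity and
        // role. An unauthenticated or wrongly-roled call fails before this runs
        // with EJBAccessException, whether it arrived via the web tier, a web
        // service or a remote client, which is why the EJB layer is secured itself.
        return ctx.getCallerPrincipal().getName();
    }

    public void closeAccount(String accountId) {
        // @RolesAllowed settles the coarse question (is this an application user
        // at all?); ownership is a finer rule answered from the caller principal.
        String caller = ctx.getCallerPrincipal().getName();
        boolean owner = caller.equals(OWNERS.get(accountId));
        if (!ctx.isCallerInRole("AppAdmin") && !owner) {
            throw new EJBAccessException(caller + " may not close " + accountId);
        }
        // ... close the account ...
    }
}
```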
