[seam-dev] Seam Hack Night - Seam Security
Shane Bryzak
sbryzak at redhat.com
Tue Aug 9 23:28:33 EDT 2011
Hey guys,
Sorry about the delay in getting this list of items to work on for the
next Seam Hack night - I've come down with the flu and it's hard to get
any work done when it feels like an elephant is sitting on your head.
Anyways, the two main areas I'd like us to work on for Seam Security are
Identity Management and ACLs/Permission Management. In the area of
Identity Management, there are a number of JIRA issues relating to
JpaIdentityStore, and I'd also like to show some love for our
integration with PicketLink's LDAP Identity Store too. For ACL
security, we are actually missing this feature altogether in Seam 3.0
(it existed in Seam 2) simply because I ran out of time to port it over
in time for the 3.0 release. For anyone who doesn't know, ACL security
provides you the ability to grant permissions on individual objects in
your application, whether they be entity beans or whatever.
To assist us in effectively organising who does which work, I'll give
each task a unique number. If you'd like to volunteer for certain
task/s, please do so earlier rather than later - first in, first served!
JpaIdentityStore issues
=======================
1) SEAMSECURITY-62 Using identity management to add user in group
prevent user to login
https://issues.jboss.org/browse/SEAMSECURITY-62
This issue has a comprehensive description and someone has attached a
patch.
2) SEAMSECURITY-64 Provide the capability to retrieve the actual entity
object when a user is created
https://issues.jboss.org/browse/SEAMSECURITY-64
We had this feature in Seam 2, however since we're now using
PicketLink in Seam 3 it is a little more challenging to implement this.
I don't have any solid ideas as yet, however it would be ideal if we
could fire an event for this somehow.
3) SEAMSECURITY-65 Criteria queries executed by JPAIdentityStore are not
setup properly
https://issues.jboss.org/browse/SEAMSECURITY-65
We seem to be missing a select() call for the Criteria queries; this
one should be easy to fix.
4) SEAMSECURITY-70 Calling RoleManager.removeRole(Roletype rt, User u,
Group g) throws an NPE
https://issues.jboss.org/browse/SEAMSECURITY-70
Should be an easy fix, as the reporter has included a solution.
5) SEAMSECURITY-84 identity.hasRole and identity.addRole do not seem to
be interacting with JpaStore
https://issues.jboss.org/browse/SEAMSECURITY-84
This one might take a little detective work to reproduce. A user
within an application that uses Identity Management should have their
roles populated in Identity.roles automatically when they authenticate.
One thing to note is that the reporter's assertion at the end of the
issue description about identity.addRole() adding the role to the
database is incorrect - persistent roles should only be added through
the role manager.
6) SEAMSECURITY-69
https://issues.jboss.org/browse/SEAMSECURITY-69
This one might take a little bit of analysis also - possibly the
cause is an unimplemented method in JpaIdentityStore.
LDAP Identity Store issues
==========================
7) SEAMSECURITY-71 Improve LDAP integration in general
https://issues.jboss.org/browse/SEAMSECURITY-71
This one is quite a bit of work. The actual LDAP Identity Store
class is part of PicketLink, so we can't make any direct changes to it.
What we can do, however, is ease the configuration process. We currently
have a configuration bean for JpaIdentityStore (called
JpaIdentityStoreConfiguration), that can be used to configure the
Identity Store via Seam Config. It would be nice to have an equivalent
class for the LDAP Identity Store. Whoever works on this task will need
to become familiar with the LDAP configuration in PicketLink. Any work
done in this area would also require documentation in the Seam Security
reference guide.
8) Example application that demonstrates authentication via LDAP
This goes hand in hand with 7). I don't know if we'll have enough
time to implement a full example, however it would be nice to have a
basic functioning app that we could point people to.
ACL Security
============
9) Implement PersistentPermissionResolver
This class has been "ported" from Seam 2, however it's currently not
functional (I think a lot of the code may even be commented out). This
is an advanced task, so only volunteer for this one if you feel you're
up to the challenge. One of the biggest issues is how we identify
users. In Seam 2 this was simple, because all users were local and
usernames were unique. In Seam 3, however, we can now have either local
users or external users, thanks to OpenID and SAML authentication.
10) Example app for ACL security
Goes with 9); we need an example application to demonstrate ACL security.
11) SEAMSECURITY-13 Custom EntityIdentifierStrategy ignored by
IdentifierPolicy
https://issues.jboss.org/browse/SEAMSECURITY-13
If 9) gets done, then this issue probably needs to be addressed also.
Misc
====
12) SEAMSECURITY-66 Separated API/IMPL jars do not allow compilation of
the SimpleAuthenticator example
https://issues.jboss.org/browse/SEAMSECURITY-66
Quite an unusual issue, which may have already been solved thanks to
the removal of the combined jar. Someone needs to test this and close
the issue if it's out of date.
13) SEAMSECURITY-52 security-authorization example - IAE on logout
https://issues.jboss.org/browse/SEAMSECURITY-52
Marek has suggested that this is related to SEAMSECURITY-22, which
brings us to...
14) SEAMSECURITY-22 Basic authentication with no security drools and no
picketlink defined in seam-beans.xml throws exception
https://issues.jboss.org/browse/SEAMSECURITY-22
Like 13), I think this has to do with the location of the
security.drl file. We should standardise the location of the
security.drl file, so someone needs to research the injectable resources
feature in Solder and determine where the best place is to put this file.
Documentation
=============
15) SEAMSECURITY-78 Typos in documentation
https://issues.jboss.org/browse/SEAMSECURITY-78
Jozef has identified a couple of minor typos that need to be fixed.
16) SEAMSECURITY-51 A readme.txt points to incorrect url of
security-openid-rp example
https://issues.jboss.org/browse/SEAMSECURITY-51
Martin has noticed that the URL in the readme file for this example
is wrong.
If anyone has any questions about these tasks, or any suggestions,
please feel free to bring them up on seam-dev.
Thanks!
Shane