[seam-dev] Seam Hack Night - Seam Security
Marek Schmidt
maschmid at redhat.com
Fri Aug 12 04:38:55 EDT 2011
Hi Shane!
I have taken the liberty to make some pull requests to the Seam Security
External module, even though not on the list of issues for the Night...
I'd be glad if someone could review them...
Cheers!
--
Marek Schmidt
On 08/10/2011 05:28 AM, Shane Bryzak wrote:
> Hey guys,
>
> Sorry about the delay in getting this list of items to work on for the
> next Seam Hack night - I've come down with the flu and it's hard to get
> any work done when it feels like an elephant is sitting on your head.
> Anyways, the two main areas I'd like us to work on for Seam Security are
> Identity Management and ACLs/Permission Management. In the area of
> Identity Management, there's a number of JIRA issues relating to
> JpaIdentityStore, and I'd also like to show some love for our
> integration with PicketLink's LDAP Identity Store too. For ACL
> security, we are actually missing this feature altogether in Seam 3.0
> (it existed in Seam 2) simply because I ran out of time to port it over
> in time for the 3.0 release. For anyone that doesn't know, ACL security
> provides you the ability to grant permissions on individual objects in
> your application, whether they be entity beans or whatever.
>
> To assist us in effectively organising who does which work, I'll give
> each task a unique number. If you'd like to volunteer for certain
> task/s, please do so earlier rather than later - first in first served!
>
> JpaIdentityStore issues
> =======================
>
> 1) SEAMSECURITY-62 Using identity management to add user in group
> prevent user to login
> https://issues.jboss.org/browse/SEAMSECURITY-62
>
> This issue has a comprehensive description and someone has attached a
> patch.
>
> 2) SEAMSECURITY-64 Provide the capability to retrieve the actual entity
> object when a user is created
> https://issues.jboss.org/browse/SEAMSECURITY-64
>
> We had this feature in Seam 2, however since we're now using
> PicketLink in Seam 3 it is a little more challenging to implement this.
> I don't have any solid ideas as yet, however it would be ideal if we
> could fire an event for this somehow.
>
> 3) SEAMSECURITY-65 Criteria queries executed by JPAIdentityStore are not
> setup properly
> https://issues.jboss.org/browse/SEAMSECURITY-65
>
> We seem to be missing a select() call for the Criteria queries,
> should be easy to fix this one.
>
> 4) SEAMSECURITY-70 Calling RoleManager.removeRole(Roletype rt, User u,
> Group g) throws an NPE
> https://issues.jboss.org/browse/SEAMSECURITY-70
>
> Should be an easy fix, as the reporter has included a solution.
>
> 5) SEAMSECURITY-84 identity.hasRole and identity.addRole do not seem to
> be interacting with JpaStore
> https://issues.jboss.org/browse/SEAMSECURITY-84
>
> This one might take a little detective work to reproduce. A user
> within an application that uses Identity Management should have their
> roles populated in Identity.roles automatically when they authenticate.
> One thing to note is that the reporter's assertion at the end of the
> issue description about identity.addRole() adding the role to the
> database is incorrect - persistent roles should only be added through
> the role manager.
>
> 6) SEAMSECURITY-69
> https://issues.jboss.org/browse/SEAMSECURITY-69
>
> This one might take a little bit of analysis also - possibly the
> cause is an unimplemented method in JpaIdentityStore.
>
> LDAP Identity Store issues
> ==========================
>
> 7) SEAMSECURITY-71 Improve LDAP integration in general
> https://issues.jboss.org/browse/SEAMSECURITY-71
>
> This one is quite a bit of work. The actual LDAP Identity Store
> class is part of PicketLink, so we can't make any direct changes to it.
> What we can do however, is ease the configuration process. We currently
> have a configuration bean for JpaIdentityStore (called
> JpaIdentityStoreConfiguration), that can be used to configure the
> Identity Store via Seam Config. It would be nice to have an equivalent
> class for the LDAP Identity Store. Whoever works on this task will need
> to become familiar with the LDAP configuration in PicketLink. Any work
> done in this area would also require documentation in the Seam Security
> reference guide.
>
> 8) Example application that demonstrates authentication via LDAP
>
> This goes hand in hand with 7). I don't know if we'll have enough
> time to implement a full example, however it would be nice to have a
> basic functioning app that we could point people to.
>
> ACL Security
> ============
>
> 9) Implement PersistentPermissionResolver
>
> This class has been "ported" from Seam 2, however it's currently not
> functional (I think a lot of the code may even be commented out). This
> is an advanced task, so only volunteer for this one if you feel you're
> up to the challenge. One of the biggest issues is how we identify
> users. In Seam 2 this was simple, because all users were local and
> usernames were unique. In Seam 3 however, we can now have either local
> users or external users, thanks to OpenID and SAML authentication.
>
> 10) Example app for ACL security
>
> Goes with 9); we need an example application to demonstrate ACL security.
>
> 11) SEAMSECURITY-13 Custom EntityIdentifierStrategy ignored by
> IdentifierPolicy
> https://issues.jboss.org/browse/SEAMSECURITY-13
>
> If 9) gets done, then this issue probably needs to be addressed also.
>
> Misc
> ====
>
> 12) SEAMSECURITY-66 Separated API/IMPL jars do not allow compilation of
> the SimpleAuthenticator example
> https://issues.jboss.org/browse/SEAMSECURITY-66
>
> Quite an unusual issue, which may have already been solved thanks to
> the removal of the combined jar. Someone needs to test this and close
> the issue if it's out of date.
>
> 13) SEAMSECURITY-52 security-authorization example - IAE on logout
> https://issues.jboss.org/browse/SEAMSECURITY-52
>
> Marek has suggested that this is related to SEAMSECURITY-22, which
> brings us to...
>
> 14) SEAMSECURITY-22 Basic authentication with no security drools and no
> picketlink defined in seam-beans.xml throws exception
> https://issues.jboss.org/browse/SEAMSECURITY-22
>
> Like 13), I think this has to do with the location of the
> security.drl file. We should standardise the location of the
> security.drl file, so someone needs to research the injectable resources
> feature in Solder and determine where the best place is to put this file.
>
> Documentation
> =============
>
> 15) SEAMSECURITY-78 Typos in documentation
> https://issues.jboss.org/browse/SEAMSECURITY-78
>
> Jozef has identified a couple of minor typos that need to be fixed.
>
> 16) SEAMSECURITY-51 A readme.txt points to incorrect url of
> security-openid-rp example
> https://issues.jboss.org/browse/SEAMSECURITY-51
>
> Martin has noticed that the URL in the readme file for this example
> is wrong.
>
> If anyone has any questions about these tasks, or any suggestions,
> please feel free to bring them up on seam-dev.
>
> Thanks!
> Shane