[seam-dev] Seam Hack Night - Seam Security
Jason Porter
lightguard.jp at gmail.com
Fri Aug 12 13:47:19 EDT 2011
It sounds like we had a fairly successful Hack Night!
Sent from my iPhone
On Aug 12, 2011, at 5:57, Shane Bryzak <sbryzak at redhat.com> wrote:
> Thanks Marek! Either George or I will be sure to merge them in the next
> day or so.
>
> On 12/08/11 18:38, Marek Schmidt wrote:
>> Hi Shane!
>>
>> I have taken the liberty to make some pull requests to the Seam
>> Security External module, even though not on the list of issues for
>> the Night...
>>
>> I'd be glad if someone could review them...
>>
>> Cheers!
>>
>> --
>> Marek Schmidt
>>
>> On 08/10/2011 05:28 AM, Shane Bryzak wrote:
>>> Hey guys,
>>>
>>> Sorry about the delay in getting this list of items to work on for the
>>> next Seam Hack night - I've come down with the flu and it's hard to get
>>> any work done when it feels like an elephant is sitting on your head.
>>> Anyways, the two main areas I'd like us to work on for Seam Security are
>>> Identity Management and ACLs/Permission Management. In the area of
>>> Identity Management, there's a number of JIRA issues relating to
>>> JpaIdentityStore, and I'd also like to show some love for our
>>> integration with PicketLink's LDAP Identity Store too. For ACL
>>> security, we are actually missing this feature altogether in Seam 3.0
>>> (it existed in Seam 2) simply because I ran out of time to port it over
>>> in time for the 3.0 release. For anyone that doesn't know, ACL security
>>> provides you the ability to grant permissions on individual objects in
>>> your application, whether they be entity beans or whatever.
>>>
>>> To assist us in effectively organising who does which work, I'll give
>>> each task a unique number. If you'd like to volunteer for certain
>>> task/s, please do so earlier rather than later - first in first served!
>>>
>>> JpaIdentityStore issues
>>> ==============
>>>
>>> 1) SEAMSECURITY-62 Using identity management to add user in group
>>> prevent user to login
>>> https://issues.jboss.org/browse/SEAMSECURITY-62
>>>
>>> This issue has a comprehensive description and someone has attached a
>>> patch.
>>>
>>> 2) SEAMSECURITY-64 Provide the capability to retrieve the actual entity
>>> object when a user is created
>>> https://issues.jboss.org/browse/SEAMSECURITY-64
>>>
>>> We had this feature in Seam 2, however since we're now using
>>> PicketLink in Seam 3 it is a little more challenging to implement this.
>>> I don't have any solid ideas as yet, however it would be ideal if we
>>> could fire an event for this somehow.
>>>
>>> 3) SEAMSECURITY-65 Criteria queries executed by JPAIdentityStore are not
>>> setup properly
>>> https://issues.jboss.org/browse/SEAMSECURITY-65
>>>
>>> We seem to be missing a select() call for the Criteria queries,
>>> should be easy to fix this one.
>>>
>>> 4) SEAMSECURITY-70 Calling RoleManager.removeRole(Roletype rt, User u,
>>> Group g) throws an NPE
>>> https://issues.jboss.org/browse/SEAMSECURITY-70
>>>
>>> Should be an easy fix, as the reporter has included a solution.
>>>
>>> 5) SEAMSECURITY-84 identity.hasRole and identity.addRole do not seem to
>>> be interacting with JpaStore
>>> https://issues.jboss.org/browse/SEAMSECURITY-84
>>>
>>> This one might take a little detective work to reproduce. A user
>>> within an application that uses Identity Management should have their
>>> roles populated in Identity.roles automatically when they authenticate.
>>> One thing to note is that the reporter's assertion at the end of the
>>> issue description about identity.addRole() adding the role to the
>>> database is incorrect - persistent roles should only be added through
>>> the role manager.
>>>
>>> 6) SEAMSECURITY-69
>>> https://issues.jboss.org/browse/SEAMSECURITY-69
>>>
>>> This one might take a little bit of analysis also - possibly the
>>> cause is an unimplemented method in JpaIdentityStore.
>>>
>>> LDAP Identity Store issues
>>> ================
>>>
>>> 7) SEAMSECURITY-71 Improve LDAP integration in general
>>> https://issues.jboss.org/browse/SEAMSECURITY-71
>>>
>>> This one is quite a bit of work. The actual LDAP Identity Store
>>> class is part of PicketLink, so we can't make any direct changes to it.
>>> What we can do however, is ease the configuration process. We currently
>>> have a configuration bean for JpaIdentityStore (called
>>> JpaIdentityStoreConfiguration), that can be used to configure the
>>> Identity Store via Seam Config. It would be nice to have an equivalent
>>> class for the LDAP Identity Store. Whoever works on this task will need
>>> to become familiar with the LDAP configuration in PicketLink. Any work
>>> done in this area would also require documentation in the Seam Security
>>> reference guide.
>>>
>>> 8) Example application that demonstrates authentication via LDAP
>>>
>>> This goes hand in hand with 7). I don't know if we'll have enough
>>> time to implement a full example, however it would be nice to have a
>>> basic functioning app that we could point people to.
>>>
>>> ACL Security
>>> ========
>>>
>>> 9) Implement PersistentPermissionResolver
>>>
>>> This class has been "ported" from Seam 2, however it's currently not
>>> functional (I think a lot of the code may even be commented out). This
>>> is an advanced task, so only volunteer for this one if you feel you're
>>> up to the challenge. One of the biggest issues is how we identify
>>> users. In Seam 2 this was simple, because all users were local and
>>> usernames were unique. In Seam 3 however, we can now have either local
>>> users or external users, thanks to OpenID and SAML authentication.
>>>
>>> 10) Example app for ACL security
>>>
>>> Goes with 9), we need an example application to demonstrate ACL
>>> security.
>>>
>>> 11) SEAMSECURITY-13 Custom EntityIdentifierStrategy ignored by
>>> IdentifierPolicy
>>> https://issues.jboss.org/browse/SEAMSECURITY-13
>>>
>>> If 9) gets done, then this issue probably needs to be addressed
>>> also.
>>>
>>> Misc
>>> ====
>>>
>>> 12) SEAMSECURITY-66 Separated API/IMPL jars do not allow compilation of
>>> the SimpleAuthenticator example
>>> https://issues.jboss.org/browse/SEAMSECURITY-66
>>>
>>> Quite an unusual issue, which may have already been solved thanks to
>>> the removal of the combined jar. Someone needs to test this and close
>>> the issue if it's out of date.
>>>
>>> 13) SEAMSECURITY-52 security-authorization example - IAE on logout
>>> https://issues.jboss.org/browse/SEAMSECURITY-52
>>>
>>> Marek has suggested that this is related to SEAMSECURITY-22, which
>>> brings us to...
>>>
>>> 14) SEAMSECURITY-22 Basic authentication with no security drools and no
>>> picketlink defined in seam-beans.xml throws exception
>>> https://issues.jboss.org/browse/SEAMSECURITY-22
>>>
>>> Like 13), I think this has to do with the location of the
>>> security.drl file. We should standardise the location of the
>>> security.drl file, so someone needs to research the injectable resources
>>> feature in Solder and determine where the best place is to put this
>>> file.
>>>
>>> Documentation
>>> =========
>>>
>>> 15) SEAMSECURITY-78 Typos in documentation
>>> https://issues.jboss.org/browse/SEAMSECURITY-78
>>>
>>> Jozef has identified a couple of minor typos that need to be fixed.
>>>
>>> 16) SEAMSECURITY-51 A readme.txt points to incorrect url of
>>> security-openid-rp example
>>> https://issues.jboss.org/browse/SEAMSECURITY-51
>>>
>>> Martin has noticed that the URL in the readme file for this example
>>> is wrong.
>>>
>>> If anyone has any questions about these tasks, or any suggestions,
>>> please feel free to bring them up on seam-dev.
>>>
>>> Thanks!
>>> Shane
>>>
>>> _______________________________________________
>>> seam-dev mailing list
>>> seam-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/seam-dev
>>
>