Implementing context-sensitive permissions and authorization in JSF Seam

Often there are scenarios in web applications where a user with a fixed set of roles needs different permissions depending on the data being acted upon. For example, when I am logged in to a bulletin board I can read all the posts but edit only my own. This article shows how to use the Seam Framework to implement such data-sensitive permissions.

Seam security lets you restrict a component or a method by role or by permission with the @Restrict annotation. Roles are granted to a user at login and stay fixed for the session, so they cannot express fine-grained, per-object decisions. In the example above I am the "author" of my own posts but only a "reader" of everyone else's: the role depends on the data in question, so Seam roles in the traditional sense do not fit.

For such fine-grained cases Seam lets you define custom 'permissions'. The scenario above can be expressed with the following EL:

#{s:hasPermission('editPostAllowed',null,postEditor.currentPost)}

Here the permission name is 'editPostAllowed', the action is null and the argument list is the Post in question. The s:hasPermission EL function delegates to the hasPermission method of the Identity component:

Identity.hasPermission(String name, String action, Object... arg)

Identity's default implementation returns true when security is disabled; otherwise it evaluates the permission against the Drools security rules configured for the application, if any, and returns false when no rule grants it. To implement the check in Java instead, extend Identity and override hasPermission.

@Name("org.jboss.seam.security.identity")
@Scope(ScopeType.SESSION)
@Install(precedence = Install.APPLICATION)
@BypassInterceptors
@Startup
public class MyIdentity extends Identity {

    /**
     * Post author permission: only the author of a post may edit it.
     */
    @Override
    public boolean hasPermission(String name, String action, Object... arg) {
        if ("editPostAllowed".equals(name)) {
            // the action is ignored; the first argument must be the Post in question.
            // A missing or mistyped argument is denied rather than allowed to throw.
            if (arg == null || arg.length == 0 || !(arg[0] instanceof Post)) {
                return false;
            }
            Post post = (Post) arg[0];
            String author = post.getAuthor();
            return author != null && author.equals(getUsername());
        }
        // other permissions go here; anything not handled is left to Seam's default
        // evaluation, which denies unless a configured rule grants it
        return super.hasPermission(name, action, arg);
    }
}

Seam also has to know about your subclass. The @Name and @Install(precedence = Install.APPLICATION) annotations above take care of that; if you prefer configuration over annotations, register the class in components.xml instead, where the class attribute must be the fully qualified name of your subclass:

<component name="org.jboss.seam.security.identity" class="com.vineetmanohar.Identity" />

The rule above is simple, and you could have written it directly in EL:

#{postEditor.currentPost.author == identity.username}

EL is fine for simple rules, but Seam provides the permission framework for rules that need more logic, for example 'allow anyone with the same last name as the author to edit the post' or 'allow anyone who has more experience than the author to edit it'. A permission implemented in Java is also usable from @Restrict on the action method, so the same check that hides a button in the view can guard the operation on the server, where a crafted request would otherwise bypass it.
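As an added example, not code from the original post, here is an Identity subclass that implements two such data-sensitive permissions (the 'same last name and more experience' rule for editing, and a stricter rule for deleting), validates its arguments, fails closed for unknown permission names, and is paired with the action-side @Restrict that enforces the same check. The package name, the Author and Post classes, the "currentAuthor" session entry that the login code is assumed to populate, and the PostEditor component are all assumptions of this example.

```java
// Added example, not code from the original post. The package, the Author/Post model,
// the "currentAuthor" session entry and the PostEditor action are assumptions.
// --- File: BoardIdentity.java ---
package com.example.board;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Install;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.Startup;
import org.jboss.seam.annotations.intercept.BypassInterceptors;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.security.Identity;

/** Assumed model: a post and its author, with the attributes the rules consult. */
class Author {
    final String username, lastName;
    final int yearsExperience;
    Author(String username, String lastName, int yearsExperience) {
        this.username = username; this.lastName = lastName; this.yearsExperience = yearsExperience;
    }
}
class Post {
    final Author author;
    Post(Author author) { this.author = author; }
}

@Name("org.jboss.seam.security.identity")
@Scope(ScopeType.SESSION)
@Install(precedence = Install.APPLICATION)
@BypassInterceptors // required on the identity component; it also means @In injection is unavailable here
@Startup
public class BoardIdentity extends Identity {
    @Override
    public boolean hasPermission(String name, String action, Object... arg) {
        if ("editPostAllowed".equals(name) || "deletePostAllowed".equals(name)) {
            // Both permissions take the Post as first argument. A missing or mistyped
            // argument or an anonymous caller means denial, never an exception.
            Post post = postArgument(arg);
            Author me = currentAuthor();
            if (post == null || post.author == null || me == null) {
                return false;
            }
            return "editPostAllowed".equals(name) ? mayEdit(me, post.author) : mayDelete(me, post.author);
        }
        // Unknown names fall through to Seam's default evaluation, which denies unless a
        // configured security rule grants the permission: the subclass fails closed.
        return super.hasPermission(name, action, arg);
    }
    /** The author may edit; so may a more experienced user sharing the author's last name. */
    private static boolean mayEdit(Author me, Author author) {
        if (me.username.equals(author.username)) {
            return true;
        }
        return me.lastName != null && me.lastName.equalsIgnoreCase(author.lastName)
            && me.yearsExperience > author.yearsExperience;
    }
    /** Deletion is stricter: only the author, however experienced a namesake may be. */
    private static boolean mayDelete(Author me, Author author) {
        return me.username.equals(author.username);
    }
    private static Post postArgument(Object[] arg) {
        return (arg != null && arg.length > 0 && arg[0] instanceof Post) ? (Post) arg[0] : null;
    }
    /** Assumption: the login action stores the logged-in user's Author in the session as "currentAuthor". */
    private Author currentAuthor() {
        if (!isLoggedIn() || !Contexts.isSessionContextActive()) {
            return null;
        }
        Object o = Contexts.getSessionContext().get("currentAuthor");
        return o instanceof Author ? (Author) o : null;
    }
}

// --- File: PostEditor.java ---
package com.example.board;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.security.Restrict;

/**
 * The enforcement point: rendered="#{s:hasPermission('editPostAllowed', null, postEditor.currentPost)}"
 * on the Save button only hides it, and a hand-crafted request can still invoke the action, so the
 * action repeats the check. @Restrict raises AuthorizationException (NotLoggedInException for
 * anonymous callers) instead of running the method.
 */
@Name("postEditor")
@Scope(ScopeType.CONVERSATION)
public class PostEditor {
    private Post currentPost;
    public Post getCurrentPost() { return currentPost; }
    public void setCurrentPost(Post currentPost) { this.currentPost = currentPost; }

    @Restrict("#{s:hasPermission('editPostAllowed', null, postEditor.currentPost)}")
    public String save() {
        // persistence omitted; this body only runs when the permission holds
        return "/post.xhtml";
    }
}
```

Two design choices matter here. Every path that cannot establish the caller and the target (no Post argument, wrong type, nobody logged in, post without an author) returns false rather than throwing, so a malformed EL call never turns into an allow or a stack trace; and names the subclass does not recognise are handed back to Seam's own evaluation rather than defaulting to true, so adding a new s:hasPermission call in a view without implementing it denies by default.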

Please refer to the Seam security documentation for the basic use of s:hasPermission and s:hasRole.
