36.13. Security
The Seam 2 Security API provides a multitude of security-related features as follows:
- Authentication - an extensible, JAAS-based authentication layer that allows users to authenticate against any security provider.
- Identity Management - an API for managing the users and roles of a Seam application at runtime.
- Authorization - an extremely comprehensive authorization framework, supporting user roles, persistent and rule-based permissions, and a pluggable permission resolver for easily implementing customised security logic.
- Permission Management - a set of built-in Seam components to allow easy management of an application security policy.
- CAPTCHA support - to assist in the prevention of automated software/scripts abusing your Seam-based site.
All of these Seam 2 security areas, and more, are covered by PicketLink, which is integrated with CDI and has an API very similar to the Seam 2 Security API.
PicketLink is distributed as a Red Hat JBoss Enterprise Application Platform module, so you can add its Identity Management and Federation features to your application by referencing the module in the jboss-deployment-structure.xml file in your application archive. For more information, see PicketLink JBoss AS subsystem.
36.13.1. Authentication
The simplest way to enable authentication in Seam 2 was to include the identity component in components.xml, as demonstrated here, and to provide a Seam component annotated @Name("authenticator") that implements the authenticate method.
Example 36.2. Seam 2 Security Simple Authentication
```xml
<components>
    ...
    <security:identity authenticate-method="#{authenticator.authenticate}"/>
    ...
</components>
```
With PicketLink, authentication is implemented as just an annotated authenticator class, as illustrated here.
Example 36.3. PicketLink Simple Authentication
```java
import javax.inject.Inject;
import org.picketlink.annotations.PicketLink;
import org.picketlink.authentication.BaseAuthenticator;
import org.picketlink.credential.DefaultLoginCredentials;

@PicketLink // marks this bean as the authenticator PicketLink invokes on login
public class SimplePicketLinkAuthenticator extends BaseAuthenticator {
    @Inject DefaultLoginCredentials credentials; // user id and password from the login form
    @Override
    public void authenticate() { ... } // validate the credentials, then call setStatus() and setAccount()
}
```
Migration to PicketLink is straightforward. For more information, see the PicketLink documentation.
36.13.2. Authorization
In Seam 2, the security configuration resided in components.xml. To enable annotation-based authorization with PicketLink, enable the security interceptor in the beans.xml descriptor in the WEB-INF or META-INF directory. PicketLink then intercepts invocations of secured beans and checks the applicable authorization rules and policies before the method bodies run.
Example 36.4. Security Setup in beans.xml
```xml
<interceptors>
    <class>org.apache.deltaspike.security.impl.extension.SecurityInterceptor</class>
</interceptors>
```
PicketLink authorization is based on the DeltaSpike Security API.
36.13.3. Identity Management
Identity Management is a core module of PicketLink, and the Seam 2 IDM model migrates to it easily.
36.13.4. Captcha support
PicketLink can use Google's reCAPTCHA service. For a demonstration, see the PicketLink quickstart demo.
36.13.5. Migrating Seam 2 Security annotations
The following table provides suggestions for migrating Seam security annotations to PicketLink alternatives:
Table 36.9. Seam 2 Security Annotation Alternatives in PicketLink
| Seam Security | PicketLink | Note |
|---|---|---|
| @Identifier | @Identifier | |
| @PasswordSalt | No direct match. | |
| @TokenUsername | No direct match. | |
| @TokenValue | No direct match. | |
| @Restrict | @Restrict | |
| @UserPrincipal | No direct match. | PicketLink uses @IdentityStereotype(USER) for a class and @StereotypeProperty for a class field or method. |
| @UserEnabled | No direct match. | PicketLink uses @IdentityStereotype(USER) for a class and @StereotypeProperty for a class field or method. |
| @UserFirstName | No direct match. | PicketLink uses @IdentityStereotype(USER) for a class and @StereotypeProperty(IDENTITY_USER_NAME) for a class field or method. |
| @UserRoles | No direct match. | PicketLink uses @IdentityStereotype(USER) for a class and @StereotypeProperty() for a class field or method. |
| @UserLastName | No direct match. | PicketLink uses @IdentityStereotype(USER) for a class and @StereotypeProperty(IDENTITY_USER_NAME) for a class field or method. |
| @UserPassword | No direct match. | PicketLink uses @IdentityStereotype(USER) for a class and @StereotypeProperty for a class field or method. |
| @Admin | @RolesAllowed("Administrator") | |
| @RoleConditional | No direct match. | |
| @RoleCheck | @RolesAllowed | |
| @RoleGroups | @GroupsAllowed | |
| @RoleName | No direct match. | PicketLink uses @IdentityStereotype(ROLE) for a class and @StereotypeProperty(IDENTITY_ROLE_NAME) for a class field or method. |
| @Insert | @AllowedOperations({@AllowedOperation(value = "CREATE")}) | |
| @Update | @AllowedOperations({@AllowedOperation(value = "UPDATE")}) | |
| @Read | @AllowedOperations({@AllowedOperation(value = "READ")}) | |
| @Delete | @AllowedOperations({@AllowedOperation(value = "DELETE")}) | |
| @PermissionCheck | No direct match. | You can use the DeltaSpike Security module to create your own security annotation. |
| @Permission | No direct match. | |
| @Permissions | No direct match. | |
| @PermissionTarget | No direct match. | |
| @PermissionRole | No direct match. | |
| @PermissionDiscriminator | No direct match. | |
| @PermissionAction | No direct match. | |
| @PermissionUser | No direct match. | |
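The beans.xml interceptor setup in Section 36.13.2 and the @PermissionCheck and @Admin rows of Table 36.9 come together in this added example, which is not from the original page or from PicketLink's own code: a custom DeltaSpike security binding type with its @Secures authorizer, beside a bean guarded by PicketLink's @RolesAllowed. The names CanDeleteOrders, OrderPermissionAuthorizer and OrderService and the "order"/"delete" resource and operation strings are assumptions, and the three types are separate source files shown in one listing.

```java
// CanDeleteOrders.java (assumed name): a DeltaSpike security binding type that
// takes the place of a Seam 2 @PermissionCheck-style custom annotation.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.apache.deltaspike.security.api.authorization.SecurityBindingType;

@SecurityBindingType
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
public @interface CanDeleteOrders {}

// OrderPermissionAuthorizer.java (assumed name): the @Secures method that decides
// every invocation bound with @CanDeleteOrders. Returning false makes the
// SecurityInterceptor enabled in beans.xml reject the call with AccessDeniedException,
// so the outcome is deny unless PicketLink positively grants the permission.
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.apache.deltaspike.security.api.authorization.Secures;
import org.picketlink.Identity;

@ApplicationScoped
public class OrderPermissionAuthorizer {
    @Inject Identity identity;

    @Secures
    @CanDeleteOrders
    public boolean canDeleteOrders() {
        // "order" / "delete" is an assumed resource and operation pair resolved by
        // PicketLink's permission resolvers; an anonymous caller is refused outright.
        return identity.isLoggedIn() && identity.hasPermission("order", "delete");
    }
}

// OrderService.java (assumed name): a CDI bean whose methods the interceptor guards.
// @RolesAllowed("Administrator") is the Table 36.9 replacement for Seam 2 @Admin.
import javax.enterprise.context.ApplicationScoped;
import org.picketlink.authorization.annotations.RolesAllowed;

@ApplicationScoped
public class OrderService {
    @RolesAllowed("Administrator")
    public void purgeAllOrders() { /* reached only by the Administrator role */ }

    @CanDeleteOrders
    public void deleteOrder(long orderId) { /* reached only when canDeleteOrders() is true */ }
}
```

The interceptor fires only on calls that go through the CDI proxy: a method that calls another secured method on the same bean instance bypasses both checks, so keep each secured entry point reachable only from outside the bean.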