Maturing Your Application's Security with Seam Security

March 17, 2009

I'll be speaking at two conferences back-to-back in March, which is about as much madness as I can handle. First I'll be traveling to Vegas to speak at TheServerSide Symposium at Caesar's Palace on my birthday (March 20th). It's interesting to note that just over 6 months ago I was near Caesar's real palace, or what's left of it. Then I'll be coming back home and speaking at Emerging Technologies for the Enterprise in nearby Philadelphia the following Friday. In both cities, I'll be speaking about Seam Security.

Always wanting to put on a good show (I mean, it is Vegas after all) I put together a fresh application that leverages Seam's new identity and permissions management API. It's a design comp manager that allows a designer to share designs with clients. The application showcases how Seam Security blends ACLs and rules in a truly unique and revolutionary way to provide a powerful and expressive security model.

While creating an application like that may sound difficult to achieve, my talk demonstrates that it's shockingly simple setup and start using. Like poker, though, it does take time to perfect. Authoring complex rules are not always easy. I spent nearly two days getting a feel for the API. But then again, I've got a killer app to show for my labor.

The full abstract of the talk is below.

Security is the cornerstone of your application's integrity and, consequently, you need to weave it throughout each layer, often in diverse ways. Seam Security allows you to evolve the security model of your application over time, keeping pace with the development cycle. You can start with a very simple configuration that applies an exclusive security blanket over the application to keep out guests and establish a basic identity for the user. You can then mature the security infrastructure gradually by adopting Seam's declarative approach to authentication or defining fine-grained authorization rules that enforce contextual restrictions at the level of database records, database fields, object fields and UI fragments.

Seam's security module, a central aspect of the Seam framework, offers a significantly simpler alternative to JAAS - the monolithic and cumbersome security model in Java EE. The talk begins with some definitions to sort out what we mean when we say "security". The talk then switches to a tutorial style, showing you first how to get your foot in the door by setting up a JSF form-based authentication routine in Seam using either a custom authentication method or a declarative approach where the authentication is handled by the framework. You are then presented with the numerous authorization styles that Seam supports ranging from binary, role-based, rule-based (Drools), and ACLs. Examples are presented to help you differentiate the four styles of authorization and when it is appropriate to use each one. In the process, you learn to appreciate that Seam's authorization is able to take the context (the target) of the restriction into account, a feature than many security frameworks overlook. Finally, the talk zooms out to show how to bring authentication under one roof using Seam's Open ID module.

See you at the, I mean conferences!

Posted at 05:26 AM in Java, Seam | Permalink Icon Permalink

4 Comments from the Peanut Gallery

1 | Posted by victor on April 08, 2009 at 10:57 AM EST

Hi Dan, I'm reading your book Seam in Action, and I'm loving it

Here in our company there are several applications that deal with different concerns: Customers, Contracts, Services etc... One EAR by app. We use jsf and tiles, we are planing to move all them to Seam :)

but I have a big question, let me explain:

We developed a simple auth framework based on one SFSB (with roles and permissions) We have a front login screen that give access (links) for the real apps, so users can switch from one to another without relogin.

I don't understand yet completely seam security and auth framework, so I'm asking for guidence or ideas on how it could be implemented using seam builtin framework.

I'm sory for my newbieness but this is the only step I'm afraid of, prior to starting the migration, the jsf, ejb, jpa stuff it's fine.

Thank You very much


2 | Posted by Lawrence Smith on August 15, 2011 at 10:34 PM EST

do you know of samples of using seam authentication on websphere portal?

3 | Posted by Clarence H. on July 29, 2012 at 10:09 PM EST

It is very rare these days to find blogs that provide information someone is looking for. I am glad to see that your blog share valued information that can help to many readers.

4 | Posted by Conway on December 07, 2012 at 08:41 AM EST

That all depends on the requirements of your application. If you have minimal security requirements, for example if you only wish to restrict certain pages and actions to users who are logged in, or who belong to a certain role, then the simplified mode will probably be sufficient. The advantages of this is a more simplified configuration, significantly less libraries to include, and a smaller memory footprint.