Shane has posted 1 posts at DZone. View Full User Profile

ACL Security In Seam, Part 1

  • submit to reddit

Seam has always been about solving the common issues faced by web application developers.  By providing a selection of "Best Practice" solutions to various development challenges in a unified component model, the developer is free to work on the business logic of their application without having to worry as much about the concerns that should be rightly addressed by the framework.  Seam makes it very easy to do things such as generate PDF documents, generate and send e-mails, and internationalise your application.  It also integrates with third party projects such as jBPM and Drools to provide support for long running business processes and business rules.  Support for CAPTCHA, and a wiki-style markup language are also there, as well as a number of ways of doing AJAX.

One of the most important areas of enterprise application development though is security.  Seam has long provided a robust Security API allowing the components and views that a typical application consists of to be secured via user and role security, or rule-based security permissions.  Recently though (as of version 2.1.0.GA) Seam has overhauled its security engine to provide a number of new features offering even more ways to secure your sensitive data.  This article will look at one of these new features, persistent permissions to see how ACL, or "instance" based security can be used to secure your application at the object level.

To get started, let's examine the differences between rule-based and ACL-based security.  Rule-based security is great for applying blanket permissions to a particular class of object.  For example, let's take a look at the following security rule from one of the Seam examples:

  rule DeleteImage
    activation-group "permissions"
    acct: MemberAccount()
    image: MemberImage(mbr : member -> (mbr.memberId.equals(acct.member.memberId)))
    check: PermissionCheck(target == image, action == "delete", granted == false)

The conditional part of this rule (which allows users to delete images that they've previously uploaded) essentially says, "if you're the owner of this image, then you're allowed to delete it".  In this example, the security permission applies to all images and is dependent on the fact that there is a relational link between the image and its owner.  It is through this relationship that the security rule can determine that the current user is the owner of the image, and in turn grant permission to execute the action.  However, what if there was no relationship between the target of the permission check and the user (who we'll refer to as the principal from here on)?  This is where ACL security comes in.

An ACL (Access Control List) is a list of explicit permissions assigned to a particular object.  Each entry in the list contains a recipient (the principal who is granted the permission) and an action.  If you've ever used a *nix based operating system then you should already be familiar with a particular type of ACL - the file system contains a table of read, write and execute permissions for each file (yes, Windows has similar file security but it's not as obvious).  ACL-based security in Seam works much the same way, except that it is used to secure object instances instead of files.  In a typical application these object instances will generally be entities, however we'll soon see that it is possible to secure any type of object.

Published at DZone with permission of its author, Shane Bryzak.

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)


Dist Iller replied on Thu, 2009/01/15 - 4:01pm

I stopped reading when I saw "Best Practices". 


If you don't know what I mean read this:

Johnson Hsu replied on Wed, 2009/01/21 - 12:32am in response to: Dist Iller

I think it is not the term's sin.  The full description could be "Best Practice for XXX", somewhat of "Pattern", which means "problem-solution pairs" (see POSA I, p.2).  There is No Silver Bullet and everybody knows that.


Great article, looking forward to part2.

Hantsy Bai replied on Thu, 2009/01/22 - 4:04am

Excellent  post.

Look forward to the second part.

Chris Wash replied on Sat, 2009/01/24 - 4:43pm

acl is a level of granularity that you often need for securing components of software.  this fits into seam's sweeping component model well.  it should make for a much more consistent and intuitive interface that's much easier to use than alternatives.  kodos.

@distiller - more offensive to me than someone using the term "best practice" is someone who derails/trolls a comment thread.  please add something meaningful to the conversation when posting a comment.  also, the theory you're espousing is essentially an argument for open mindedness and deeper understanding, not pejoratively ignoring everyone who uses the term.  you've missed the point completely.

Brian Armieri replied on Tue, 2009/01/27 - 2:31pm

When I set Seam to use JPA-based permission management, the first things I run into on the PermissionManager are:

  1. You have to be logged in to call methods off the PermissionManager
  2. You have to have the grant permission on a logged in user to call the grantPermission method described in the article.

Being logged in is not an issue, but it seems there are required steps (perhaps seeding the Permission table?) before calling the grantPermission method.

Judes Tumuhairwe replied on Sat, 2009/03/07 - 3:27pm

Excellent article, Shane! Can't wait for the Part 2. Seam's permission management (and security model, in general) seems the best (i.e. most intuitive and well documented) and well thought-through of all frameworks.


Yasser Hawari replied on Mon, 2009/03/09 - 1:46am

nice and clear ... still waiting for article 2 though !!

y z replied on Thu, 2009/03/19 - 3:29am

Thanks for your effort and contribution.they really help a lot.I am new to seam but I like it. Can't wait for part 2.

Shi Yun replied on Thu, 2009/07/02 - 2:49am

"ACL Security In Seam, Part 2 " ??

marissa (not verified) replied on Mon, 2010/11/15 - 11:56am

Some of those changes are good and some are pretty long-winded in use.  In just the last few months, (diets after pregnancy) there’s been a lot of polishing, especially making better use of enums and little things like that. belly after pregnancy | post pregnancy tummy  I also couldn't find part two but I hope my links will help you find ways to help you or your wife after pregnancy burn fat.

Online Update replied on Sat, 2010/11/27 - 5:15am

Very interesting post. But I would like to know in a files ystem containing entries that specify individual user or group if I want to use ACL what kind of data structure should I use? Business Security Software

Ionel Kistruy replied on Mon, 2011/04/18 - 5:15am in response to: Johnson Hsu

AVG is a great security suite , it has a great detection rate.And it work great as a business security software package that does not take a lot of resources and is easy to use.

Ion Alose replied on Fri, 2012/03/30 - 8:44am in response to: Dist Iller

The problem with pocket software is that it does not work for every type of player, and the internet protection is low so anyone can catch you getting a little help.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.