ACL Security In Seam, Part 1
Before we can start assigning permissions for our objects, we first need to do a little preparation. Most importantly, we need a place to store the permissions themselves. Seam provides a PermissionStore interface that declares the methods required for managing ACL object permissions. While it is theoretically possible to store permissions in any type of persistent storage (e.g. in files, in LDAP, etc.), it generally makes most sense to use a relational database. To that end, Seam comes with a PermissionStore implementation called JpaPermissionStore, which allows permissions to be stored in a database using JPA. To use JpaPermissionStore we need to do two things: create an entity bean to hold the permission records, and configure that entity bean in Seam's components.xml.
A special set of annotations is used to configure which properties of the entity represent the aspects of the permission. The following code shows a bare minimum example (for the sake of brevity the annotations are shown on the fields, and getter/setter methods are omitted):
import java.io.Serializable;
import javax.persistence.*;
import org.jboss.seam.annotations.security.permission.*;

@Entity
public class AccountPermission implements Serializable {
    @Id @GeneratedValue public Integer permissionId;
    @PermissionUser @PermissionRole public String recipient;   // user name or role name
    @PermissionTarget public String target;                    // the object the permission applies to
    @PermissionAction public String action;                    // e.g. "view", "edit"
    @PermissionDiscriminator public String discriminator;      // marks a user row or a role row
}
The @PermissionUser and @PermissionRole annotations indicate the property containing the recipient of the permission. In this example we are using a single table to hold both user and role permissions, so we put both annotations on the recipient field. Because both types of permission live in the same table, we also need a discriminator property (annotated with @PermissionDiscriminator) so that Seam can tell which entries are for users and which are for roles. Finally, we need a property to store the permission target (annotated with @PermissionTarget) and a property for the permission action (annotated with @PermissionAction).
Once we have created our entity, we simply need to configure JpaPermissionStore to use it by adding the following entry to Seam's components.xml configuration file:
Now that we have created and configured our permission store entity, we can start assigning permissions. Seam's Security API provides a convenient component called PermissionManager, which allows us to manage object permissions. Its methods look very similar to those found in the PermissionStore interface, and in fact they essentially delegate to the underlying PermissionStore, with one small restriction: each permission-related operation that is invoked is first checked to ensure that the calling user has the necessary privileges to invoke that operation. More details about this can be found in the Seam Reference Guide; suffice it to say that not just any user can manage object permissions, they must first have the required privileges to do so.
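The following is an added example, not code from the original article, showing how a Seam component would grant, revoke and list permissions on an account through PermissionManager, and then check them at runtime through Identity. It assumes the AccountPermission entity above has been registered in components.xml with `<security:jpa-permission-store user-permission-class="com.example.AccountPermission"/>` (namespace `http://jboss.com/products/seam/security`), and that an Account entity and the component name accountPermissionService exist; those names are assumptions for illustration.

```java
package com.example;

import java.util.List;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.Role;
import org.jboss.seam.security.SimplePrincipal;
import org.jboss.seam.security.permission.Permission;
import org.jboss.seam.security.permission.PermissionManager;

// Added example; Account and the component name are assumptions, not from the article.
@Name("accountPermissionService")
@Scope(ScopeType.EVENT)
public class AccountPermissionService {

    /** Grant a named user the "view" action on one account (stored as a user row). */
    public void shareAccount(Account account, String username) {
        // PermissionManager delegates to JpaPermissionStore, but first verifies that the
        // calling user is allowed to grant permissions on this target; if not, it throws
        // and nothing is written.
        PermissionManager.instance().grantPermission(
            new Permission(account, "view", new SimplePrincipal(username)));
    }

    /** Grant the same action to a role instead (stored with the role discriminator). */
    public void shareAccountWithRole(Account account, String roleName) {
        PermissionManager.instance().grantPermission(
            new Permission(account, "view", new Role(roleName)));
    }

    /** Revoke a previously granted user permission; also privilege-checked. */
    public void unshareAccount(Account account, String username) {
        PermissionManager.instance().revokePermission(
            new Permission(account, "view", new SimplePrincipal(username)));
    }

    /** List who can do what with this account (for an admin screen or an audit log). */
    public List<Permission> listPermissions(Account account) {
        return PermissionManager.instance().listPermissions(account);
    }

    /** Runtime authorization check for the current user against the stored ACL. */
    public boolean currentUserCanView(Account account) {
        return Identity.instance().hasPermission(account, "view");
    }
}
```

The grant and revoke calls are the only places that change the ACL, and both go through PermissionManager rather than the PermissionStore directly, so the privilege check described above cannot be bypassed by application code that holds a reference to the store. The Identity.hasPermission call is what page-level and action-level restrictions resolve against once permissions exist in the table.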