Shane has posted 1 posts at DZone. View Full User Profile

ACL Security In Seam, Part 1

  • submit to reddit

Let's grant our first permission!  Imagine that your application contains a table of customers (represented by an entity bean called Customer) and you would like to grant update privileges on certain customers to your various salespeople.  Let's say that you want to allow Bob the salesman to manage the details of your best customer, the Jones account (which happens to have a customer ID of 1234).  We grant permission to Bob to manage this customer by invoking the following method:

  PermissionManager.instance().grantPermission(new Permission(entityManager.find(Customer.class, 1234), 
"update", new SimplePrincipal("bob")));

 In doing this, the PermissionManager will delegate the grantPermission() call to the configured JpaPermissionStore (after validating that the current user has the necessary privileges to do so) and a new permission record will be created in the database.  Let's diverge for a moment to see exactly what gets written to the AccountPermission table:

bob        Customer:1234  update  user

Here we can obviously see from the column values that the recipient is "bob", the action is "update" and the discriminator is "user" (because Bob is a user, not a role).  The contents of the target column are a little more interesting.  The value that is displayed here is known as the object identifier, and is used to uniquely identify a particular instance of an object.  In this case, the target in question is an entity and fortunately for us Seam already knows how to generate unique object identifiers for entities.  If however the target of the permission isn't an entity but an instance of some other type of class then Seam must be told how to generate an object identifier for that class.  This is done by adding the @Identifier annotation to the class in question, and specifying an implementation of IdentifierStrategy like so:

public class MyNonEntityClassThatIWantToAssignPermissionsTo {
public String getUniqueProperty() { return foo; }

The IdentifierStrategy interface is extremely simple, declaring only two methods.  The canIdentify() method returns true if the IdentifierStrategy implementation is capable of generating an identifier for the specified class, and the getIdentifier() method returns a unique identifier String for the specified object.  For example, the EntityIdentifierStrategy implementation that is included with Seam produces identifiers for entities by concatenating the name of the entity with its ID property.

Here's an example of what an implementation might look like:

  public class CustomIdentifierStrategy implements IdentifierStrategy {
public boolean canIdentify(Class targetClass) {
return targetClass.equals(MyNonEntityClassThatIWantToAssignPermissionsTo.class);
public String getIdentifier(Object target) {
return ((MyNonEntityClassThatIWantToAssignPermissionsTo) object).getUniqueProperty();

It is also worth mentioning that it is possible to assign permissions for literal string constants.  I.e, the permission target isn't always required to be an entity or other object instance.  The PermissionManager will happily allow you to grant permissions against a string literal, which may be useful if you need to maintain a set of arbitrary permissions.  The same goes for classes, for example if you'd like to assign a "create" permission for a certain class then it is possible to do so (obviously it's not possible to assign a "create" permission for an object instance when it doesn't exist yet).

Once all the pieces are in place, you can use the standard mechanisms provided by Seam to secure your objects in the view and within your action components (see the Seam Reference Guide for more info).

In the next article, we'll look in more detail at the way that permission actions can be defined and stored, and also look at how we can create permission management views to more easily manage our object permissions through a nice user interface.

Published at DZone with permission of its author, Shane Bryzak.

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)


Dist Iller replied on Thu, 2009/01/15 - 4:01pm

I stopped reading when I saw "Best Practices". 


If you don't know what I mean read this:

Johnson Hsu replied on Wed, 2009/01/21 - 12:32am in response to: Dist Iller

I think it is not the term's sin.  The full description could be "Best Practice for XXX", somewhat of "Pattern", which means "problem-solution pairs" (see POSA I, p.2).  There is No Silver Bullet and everybody knows that.


Great article, looking forward to part2.

Hantsy Bai replied on Thu, 2009/01/22 - 4:04am

Excellent  post.

Look forward to the second part.

Chris Wash replied on Sat, 2009/01/24 - 4:43pm

acl is a level of granularity that you often need for securing components of software.  this fits into seam's sweeping component model well.  it should make for a much more consistent and intuitive interface that's much easier to use than alternatives.  kodos.

@distiller - more offensive to me than someone using the term "best practice" is someone who derails/trolls a comment thread.  please add something meaningful to the conversation when posting a comment.  also, the theory you're espousing is essentially an argument for open mindedness and deeper understanding, not pejoratively ignoring everyone who uses the term.  you've missed the point completely.

Brian Armieri replied on Tue, 2009/01/27 - 2:31pm

When I set Seam to use JPA-based permission management, the first things I run into on the PermissionManager are:

  1. You have to be logged in to call methods off the PermissionManager
  2. You have to have the grant permission on a logged in user to call the grantPermission method described in the article.

Being logged in is not an issue, but it seems there are required steps (perhaps seeding the Permission table?) before calling the grantPermission method.

Judes Tumuhairwe replied on Sat, 2009/03/07 - 3:27pm

Excellent article, Shane! Can't wait for the Part 2. Seam's permission management (and security model, in general) seems the best (i.e. most intuitive and well documented) and well thought-through of all frameworks.


Yasser Hawari replied on Mon, 2009/03/09 - 1:46am

nice and clear ... still waiting for article 2 though !!

y z replied on Thu, 2009/03/19 - 3:29am

Thanks for your effort and contribution.they really help a lot.I am new to seam but I like it. Can't wait for part 2.

Shi Yun replied on Thu, 2009/07/02 - 2:49am

"ACL Security In Seam, Part 2 " ??

marissa (not verified) replied on Mon, 2010/11/15 - 11:56am

Some of those changes are good and some are pretty long-winded in use.  In just the last few months, (diets after pregnancy) there’s been a lot of polishing, especially making better use of enums and little things like that. belly after pregnancy | post pregnancy tummy  I also couldn't find part two but I hope my links will help you find ways to help you or your wife after pregnancy burn fat.

Online Update replied on Sat, 2010/11/27 - 5:15am

Very interesting post. But I would like to know in a files ystem containing entries that specify individual user or group if I want to use ACL what kind of data structure should I use? Business Security Software

Ionel Kistruy replied on Mon, 2011/04/18 - 5:15am in response to: Johnson Hsu

AVG is a great security suite , it has a great detection rate.And it work great as a business security software package that does not take a lot of resources and is easy to use.

Ion Alose replied on Fri, 2012/03/30 - 8:44am in response to: Dist Iller

The problem with pocket software is that it does not work for every type of player, and the internet protection is low so anyone can catch you getting a little help.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.