I am having exactly the same problems in that I am porting a Seam application 
that was working with JAAS FORM authentication to use the new Seam security 
code:
anonymous wrote:
> Seam Security only uses JAAS for authentication, not for
> authorization. I'm guessing that your action is protected with some container
> security mechanism, rather than the authorization features provided by Seam?

Is it possible to get Seam Security to work with existing JAAS components for 
authorization as well? (Is this even planned?)

Let me explain...

For security reasons I have explicitly secured ALL my EJBs with container 
security annotations. This is because they may be invoked from sources other 
than just the seam web interface (e.g. web services, remote mbean connections, 
etc).

To do this, I mark all my business logic with annotations like:
@Stateless
@SecurityDomain("myapp")
@RolesAllowed({"AppUser","AppSystem","AppAdmin"})

Previously, I was using the standard Tomcat JAAS FORM authentication support 
(using <security-constraint> and <login-config> in web.xml), which I believe 
was responsible for injecting the currently authenticated user into the 
session, so when my authenticated Seam session made calls on EJBs, everything 
"just worked". In fact, I was even able to get the current logged-in JAAS user 
from my EJB code by calling SessionContext.getCallerPrincipal().

Since I am no longer using Tomcat to do this, is it possible to get Seam to 
inject the JAAS principal into the session context so authenticated calls to 
EJB methods still work?

I do not know enough about the internal workings of this stuff, but would it 
not be the responsibility of the SeamListener to inject the JAAS context 
accordingly?

Thanks, Scott

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4029658#4029658
