Hello:

  After going through the Seam examples and Reference Doc and also through the 
postings in this forum, we have decided on a strategy for authentication and 
authorization with Seam. 

1. Use JAAS for authentication (FORM based)
     Put all the pages to be protected under a JSP or JSF directory. Put 
login.html, loginerr.html and all the resources needed for these pages (images, 
stylesheets etc) outside the protected dir and configure JAAS.

2. Authorisation.

    Use the page uris (for initial page request) and page uri + action method 
as the view id for uniquely identifying the request and associate this with a 
role name in the database. Write a filter for "/*" below the Seam Exception 
Filter in the filter chain. Get the user name from the JAAS caller principal 
and get his roles from db / cache. Get the URI and action from the request, and 
get needed role from db / cache and check whether the user has the role and 
proceed accordingly.

 Why we didn't go for declarative authorisation with JAAS is because of the 
inconvenience of arranging the pages in dirs according to roles or writing uri 
regular expressions for role matching. Since we needed fine-grained access 
control to pages, we thought this would be a better method. 


Please suggest whether there is any better approach to do the above with Seam, or any 
problems that anyone can see in this approach from their experience. 

thanks and regards,

-- Kannan.
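
The filter described in step 2, as an added sketch that is not part of the original post and is not Seam's own code. It assumes the protected directory is `/jsf/`, that the action method name arrives in a request parameter called `action`, and that the two in-memory maps (constructed sample data) stand in for the db / cache lookups; any page or action without a mapping is denied.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class RoleCheckFilter implements Filter {
    static final String PROTECTED_PREFIX = "/jsf/";  // assumed protected directory
    // Constructed sample data standing in for the db / cache lookups.
    // Key is the view id: page URI, or page URI + "#" + action method.
    private final Map<String, String> requiredRole = new HashMap<>();
    private final Map<String, Set<String>> userRoles = new HashMap<>();

    public void init(FilterConfig cfg) {
        requiredRole.put("/jsf/orders.seam", "ORDER_VIEW");
        requiredRole.put("/jsf/orders.seam#approve", "ORDER_APPROVE");
        userRoles.put("alice", new HashSet<>(Arrays.asList("ORDER_VIEW")));
    }

    public void destroy() { }

    // True only when the view id is mapped and the user holds the mapped role.
    boolean isAllowed(String user, String uri, String action) {
        String viewId = (action == null || action.isEmpty()) ? uri : uri + "#" + action;
        String needed = requiredRole.get(viewId);
        if (needed == null) return false;  // unmapped page or action: deny
        Set<String> roles = userRoles.get(user);
        return roles != null && roles.contains(needed);
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String info = req.getPathInfo();
        String uri = req.getServletPath() + (info == null ? "" : info);
        if (!uri.startsWith(PROTECTED_PREFIX)) {  // login.html, images, stylesheets
            chain.doFilter(rq, rs);
            return;
        }
        Principal p = req.getUserPrincipal();  // set by the container's FORM login
        String action = req.getParameter("action");  // assumed parameter name
        if (p == null || !isAllowed(p.getName(), uri, action)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```

With the sample data, `alice` can open `/jsf/orders.seam` but receives 403 for the `approve` action and for any page that has no row in the mapping.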



View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3967615#3967615
