...

In all of the examples described above, a single group can have several users with the same role.

This can be addressed specifically with a Domain ACL type of approach, as prototyped in Seam Security:

One of the biggest problems of Java web app security to date, and one that will also be a problem in our framework, is that Java EE and Seam Security have not been able to satisfy a very common type of authentication, domain authentication, and have focused solely on global role-based security authorisation:

E.g. global authentication asks "Is the user an Admin of the application?", as opposed to domain authentication, which asks "Is the user an Admin of this Domain Object?"

Developers typically have to implement their own security system (via direct method calls, etc.) for this type of business logic.

REST endpoint or RPC: (Lincoln's prototyped API - functional in Seam Security)

Code Block

    @SecurityBinding
    public @interface ProjectAdmin
    {
        // empty
    }

    @SecurityMethodBinding
    public @interface ProjectBinding
    {
        // empty
    }

    @ProjectAdmin
    public void updateName(@ProjectBinding Project p, String name)
    {
        // save project name
    }

    @Secures
    @ProjectAdmin
    public boolean isProjectAdmin(@ProjectBinding Project p, Identity identity)
    {
        // the role name is derived from the Project argument bound to the call
        if (identity.hasRole("project" + p.getId() + "_admin"))
        {
            return true;
        }
        return false;
    }

Note that the @ProjectBinding annotation is not a CDI bean Qualifier / Stereotype annotation; it is a method parameter security binding annotation that tells Seam Security to use the value of the Project passed to the method call in the security binding check itself.

Scenario

The developer needs to define a single user or group that will serve as super users (aka root users). Those will have every available permission.
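The following is an added example, not Seam Security's own code, that models the domain binding check from the prototype above together with the super-user group from this scenario in plain Java, without CDI interceptors. The class names Identity, Project and DomainAclExample and the role name ROOT_ROLE are assumed for illustration.

```java
import java.util.Set;

// Added example (not Seam Security's code): a plain-Java model of the
// domain ACL check, with no CDI interceptor. Identity, Project and
// ROOT_ROLE are assumed names for illustration.
public class DomainAclExample {

    static final String ROOT_ROLE = "root"; // super-user group from the Scenario

    static final class Identity {
        final String name;
        private final Set<String> roles;
        Identity(String name, Set<String> roles) { this.name = name; this.roles = roles; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    static final class Project {
        private final long id;
        String name;
        Project(long id, String name) { this.id = id; this.name = name; }
        long getId() { return id; }
    }

    // Mirrors the @Secures @ProjectAdmin method: the role name is derived from
    // the Project argument, so "admin of project 7" does not imply "admin of project 8".
    static boolean isProjectAdmin(Project p, Identity identity) {
        if (identity.hasRole(ROOT_ROLE)) {
            return true; // root users hold every permission
        }
        return identity.hasRole("project" + p.getId() + "_admin");
    }

    // Stands in for the interceptor that @ProjectAdmin would trigger: the check
    // runs against the same Project instance the business method receives.
    static void updateName(Project p, String name, Identity caller) {
        if (!isProjectAdmin(p, caller)) {
            throw new SecurityException(caller.name + " is not an admin of project " + p.getId());
        }
        p.name = name;
    }

    public static void main(String[] args) {
        Identity alice = new Identity("alice", Set.of("project7_admin")); // constructed sample data
        Identity bob = new Identity("bob", Set.of("project8_admin"));
        Identity ops = new Identity("ops", Set.of(ROOT_ROLE));
        Project seven = new Project(7, "Seven");
        updateName(seven, "Renamed by alice", alice); // allowed: domain role matches this project
        updateName(seven, "Renamed by ops", ops);     // allowed: super user
        try {
            updateName(seven, "Renamed by bob", bob); // denied: admin of a different project only
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```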

...