Adding to the stockpile of features that I've packed into seam-gen in recent months, I just committed a new seam-gen command that generates a front-end to Seam's identity management API (JBSEAM-3717). Identity management is one of the most significant additions to Seam in the Seam 2 code base. But since its just set of framework classes, you need something to tie it into your application to truly appreciate (or even give notice to) its potential.
With that in mind, I've introduced the new seam-gen command add-identity-management. This command weaves the components, views, and configurations of a front-end for managing users and roles using Seam's identity management API, adopted from the seamspace example, into an existing seam-gen project. By manage, I mean create, read, update, and delete (CRUD). While that may sound like it requires a lot of supplemental code, it really doesn't. The API not only provides data access components, it also includes Seam components that prep the data for the view and respond to UI events (i.e., UI controllers), glue code which you would otherwise have to write when creating these screens. The command also generates three JPA entity classes that bridge the API to your database, which I'll introduce shortly. But first, I want to encourage you to just try it.
Trying it out
You can put Seam's identity management to practice using seam-gen in three simple steps:
- Check out the Seam trunk from SVN and build it (or simply download Seam 2.1.2.GA when it's available)
- Seed a new project by invoking seam setup
- Generate the new project complete with identity management screens by invoking seam create-project add-identity-management
If you already have a seam-gen project started, and you haven't changed it too much (at least you haven't touched the <identity:security> component definition), you simply run seam add-identity-management from inside your project (use the full path to seam if it's not in your PATH environment variable). In either case, be sure to follow the post-operative instructions that get printed to the console, which are contingent on how your application is setup (in particular, your hibernate.hbm2ddl.auto setting).
Taking a peek
So what do you get for your labor? Weeks worth of effort saved. On the next deployment of the application, you'll be able to manage users and roles, then be able to immediately turn around and login in using any one of the users you create. Here's a screenshot of the identity management launch page:
You can then check out the user management page, which lists each user, the roles the user is granted, and whether the user is enabled.
From the user management screen, you can add, edit, or delete a user. The add and edit operations take you to the user detail/editor page, shown here:
There are similar screens for managing the roles that can be assigned to a user. Here's the role management screen, which shows the roles and groups. A group is a role of a role, which is an easy way to assign the same roles to multiple users or to have role inheritance (e.g., a person in the admin role is also a member).
The role management page also supports the add, edit, and delete operations. Here's the detail/editor page for a role:
You'll notice that there is one user and three roles that are supplied out of the box. SQL statements that insert three common roles (admin, member and guest) and a user (admin, who is granted the admin role) into the database get appended to the project's resources/import-dev.sql script. You'll need to run these statements manually unless the database is set to be created by Hibernate's schema export tool when the application starts (i.e., hibernate.hbm2ddl.auto is create or create-drop).
How access is granted
What about security? That is the topic of the day after all. Well, you don't have to worry about locking down access, it's already covered. The identity management screens are secured by two built-in permissions, seam.user and seam.role, which are enforced by Seam's permission resolver. Both permissions are granted to users with the admin role by the following rule that gets appended to the project's security rules file, resources/security.drl, by seam-gen. This rule is consulted by Seam's rule-based permission resolver when any identity management CRUD operation is performed.
rule ManageAccount no-loop activation-group "permissions" when $perm: PermissionCheck(name == "seam.user" || == "seam.role", granted == false) Role(name == "admin") then $perm.grant(); end
You can customize this rule as needed, as well as the names of the role and even the admin user. Just use the identity management screens!
Where to look for accounts
Of course, there's still some work you have to do to solder Seam's notion of a user account onto your domain model, but that's to be expected. Speaking of the user account, let's see how that gets mapped.
Seam provides a pluggable mechanism for defining an identity store. An identity store is what performs that data access for users and roles. Seam provides a JPA and an LDAP provider. We're going to focus on the JPA provider since that's what seam-gen sets up.
In the spirit of a declarative style of programming, you sprinkle identity-related annotations over a handful of properties on the JPA entity classes which you plan on using to map user accounts and roles to the database. These annotations, which are explained in detail in the reference documentation but are pretty self explanatory, are @UserPrincipal, @UserPassword, @UserEnabled, @UserRoles, @RoleName, @RoleGroups (and also @RoleConditional, which has special meaning). You then activate the JPA identity store in the Seam component descriptor and tell it which JPA entity class has the user annotations and which one the role annotations.
<security:jpa-identity-store
user-class="com.domain.model.UserAccount"
role-class="com.domain.model.UserRole"/>
Seam has parallel support for persistent permissions, which function as ACLs. Again, you have to instruct Seam as to which annotated JPA entity class will map a permission to the database using a component definition in the component descriptor:
<security:jpa-permission-store user-permission-class="com.domain.model.UserPermission"/>
At this point, you have to do the legwork for creating a front-end to manage persistence permissions since they are so closely tied to the business case. But at least the API is all setup and ready to employ. See the seamspace example in the Seam distribution for an example of persistence permissions, as well as how the identity management API is used as a whole. You should also check out the security chapter of the Seam reference documentation to learn about all the components in the identity and permissions management API and how they work.
Running it by you one more time
In summary, here's what seam-gen adds to your project when you issue the command seam add-identity-management
- The /view/useradmin directory containing views for managing users and roles as well as images and a stylesheet to support them
- A link in the main menu bar to the identity management launch page
- UserAccount, UserRole, and UserPermission annotated JPA entity classes
- A blanket security rule for allowing the admin role to manage users and roles
- SQL statements for seeding the database with an admin user and a typical set of roles
- The component definitions that activate the JPA identity and permission stores
Now you have no excuse not to give Seam's identity management a try!
Credit goes to Shane Bryzak for developing the management screens and providing instructions for how to integrate them into a standalone application.
UPDATE: Thanks to Jason Porter, the add-identity-management command is available for ICEfaces projects in addition to RichFaces projects.
You do wonderful work!
Thank you, Shane and Dan, very much! Keep good work :)
Is it i18n prepared?
Would it be a good idea to provide a separated seam-gen download? Or separated seam-gen releases? Thanks.
That's the future as Seam moves to a more modular structure. I just didn't want to make people wait any longer to get their feet wet with this stuff, which is why I have still been putting effort into seam-gen as it is today.
As for the i18n question, not right now. At this point, this is really about reducing the barrier as much as possible for folks to try Seam's identity and permissions management. A revamped seam-gen will likely be cognizant of i18n requirements from the start. Of course, you are free to tweak the output ;)
Excellent work! This is really a great boon to the QUICK creation of productive web apps.
Great work.
Now, I hope someone would develop a general Authentication and SSO Application using Seam's Identity Management like this one which would be really useful.
YES.. that would be Wonderful
checking out trunk will not work since it doesn't contain the lib/gen folder which will be used by the seam-gen. So how to get this jar files for 2.1.2 release? I'm getting ant task errors from trunk while running seam create-project add-identity-management.dwtn
Use Latest 2.1 Unstable Nightly Build link.
Thanks for pointing that out Mitja. Follow this link to get the latest stable nightly build of Seam 2.1 from Hudson.
Hi Dan, I'm reading your book Seam in Action, and I'm loving it
Here in our company there are several applications that deal with different concerns: Customers, Contracts, Services etc... One EAR by app. We use jsf and tiles, we are planing to move all them to Seam :)
but I have a big question, let me explain:
We developed a simple auth framework based on one SFSB (with roles and permissions) We have a front login screen that give access (links) for the real apps, so users can switch from one to another without relogin.
I didn't understand yet completely seam security and auth framework, so I'm asking for guidence or ideas on how it could be implemented using seam builtin framework.
I'm sory for my newbieness but this is the only step I'm afraid of, prior to starting the migration, the jsf, ejb, jpa stuff it's fine.
Thank You very much
Victor
After you checkout from SVN, you need to run . Then you can use seam-gen.
plz help I don't find any view who contains permission and I don't understand how it works, ca I have more explication plzzzzzzzzzzzzz
I'm using Glassfish instead of JBoss and I'd like to create IdentityManager but can't get to default seam-gen's example. Can you just put the basic code and files to be edited plz?
Excellent framework however it would be nice to be able to distinguish between a user which does not exist and a user which has not yet had their account enabled. I can't see a way to do this
I'am (still) enthusiastic about Seam. I've read some books (yours included) and articlec, and tried the delivered examples. It worked fine.
The problems have started as I tried to develop my own app using the following technologies:
- Seam 2.2.0 - JBossAS 5.1 - JBossTools 3.1M2 (based on eclipse-3.5-jee) - H2 database - seam-gen
It looks like all these technologies - at least these versions - are not going to work together properly.
E.g. if I used seam-gen's generate-entities or generate-ui nothing really happend!
Is there any good/recommended place to go for information about versions they work together?
Do I have to configure something to be able to do forward/reverse engineering with seam-gen?
Thx in advance
Jan
However, followings are needed:
1. How to create first user account with hashed password? Any SQL script?
2. Option in Jboss Tool for add-identity-management, Eclipse.
3. Seam in Action, any new release?
Please have the feasible needful done!
I NEED THE ANSWER FOR THAT TOO.
Tried to do it manually but no success. Im getting Authorization Exception when trying to enter to User or Role creation page
RuntimeException: Invalid userPermissionClass com.test2.model.UserPermission - required annotation @PermissionUser not found on any Field or Method
When I run: seam create-project seam generate seam add-identity-management
(or reverse add-identity-management and generate)
all the security related annotations @UserPrincipal etc. get stripped out. Any ideas?
Have you resolved with deployment errors: RuntimeException: Invalid userPermissionClass com.test2.model.UserPermission - required annotation @PermissionUser not found on any Field or Method.
Please, Let me know... Thanks in advance
It's still an unresolved problem with seam add-identity-management in SEAM 2.2.1.Final
Hi all,
I've just started using Seam for a few days, and I'm quite impressed by all the features provided. I've created a little test project with the seam-gen command, with support of identity management. I'm facing some issues with the code generated by the seam add-identity-management option.But I have a big problem. I insert a new user. When I try to login with this new user, the authentication fails and it makes sense too, because the login.xhtml relies on the credentials object. How works the authentication with identity management?
Could you please help me? As I see it, I have to modify the user creation mechanism for the application to work as expected.
Thanks for your answers