Maturing Your Application's Security with Seam Security
Dan Allen, Seam Project Team, JBoss
Date & Time/Location: 3-27-09, 11:30am-12:30pm, Salon C
Security is the cornerstone of your application's integrity and, consequently, you need to weave it throughout each layer, often in diverse ways. Seam Security allows you to evolve the security model of your application over time, keeping pace with the development cycle. You can start with a very simple configuration that applies an exclusive security blanket over the application to keep out guests and establish a basic identity for the user. You can then mature the security infrastructure gradually by adopting Seam's declarative approach to authentication or defining fine-grained authorization rules that enforce contextual restrictions at the level of database records, database fields, object fields and UI fragments.

Seam's security module, a central aspect of the Seam framework, offers a significantly simpler alternative to JAAS, the monolithic and cumbersome security model in Java EE. The talk begins with some definitions to sort out what we mean when we say "security". The talk then switches to a tutorial style, showing you first how to get your foot in the door by setting up a JSF form-based authentication routine in Seam using either a custom authentication method or a declarative approach where the authentication is handled by the framework. You are then presented with the numerous authorization styles that Seam supports, ranging from binary and role-based to rule-based (Drools) and ACLs. Examples are presented to help you differentiate the four styles of authorization and when it is appropriate to use each one. In the process, you learn to appreciate that Seam's authorization is able to take the context (the target) of the restriction into account, a feature that many security frameworks overlook. Finally, the talk zooms out to show how to bring authentication under one roof using Seam's OpenID module.
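As an added illustration (not code from the talk or from the Seam project itself), the following sketches the two pieces the abstract describes: a custom authentication method behind a JSF login form, and the four authorization styles expressed as `@Restrict` expressions. It is written against the Seam 2.1-era API; the component names `authenticator` and `accountAction`, the `Account` type and the `userStore` lookup are assumptions, not anything the talk specifies.

```java
// Added example, not from the talk. Assumes Seam 2.1-era packages and EL functions.
// File: Authenticator.java
package example.security;

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;

// Custom authentication method. It is wired to the JSF login form through
// components.xml:
//   <security:identity authenticate-method="#{authenticator.authenticate}"/>
// The form itself binds to #{credentials.username} / #{credentials.password}
// and submits via #{identity.login}; Seam then calls authenticate().
@Name("authenticator")
public class Authenticator {

    @In Identity identity;
    @In Credentials credentials;

    // Hypothetical application component that checks a username/password
    // pair against a user store (salted hash comparison belongs in there).
    @In UserStore userStore;

    public boolean authenticate() {
        boolean ok = userStore.verify(credentials.getUsername(),
                                      credentials.getPassword());
        if (ok) {
            // Roles granted here are what s:hasRole(...) consults later.
            for (String role : userStore.rolesOf(credentials.getUsername())) {
                identity.addRole(role);
            }
        }
        // Returning false makes identity.login() fail; Seam raises the
        // standard "login failed" message rather than exposing why.
        return ok;
    }
}

// File: AccountAction.java
package example.security;

import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.security.Restrict;

// One method per authorization style listed in the abstract.
@Name("accountAction")
public class AccountAction {

    // 1. Binary: the only question is whether someone is logged in at all.
    @Restrict("#{identity.loggedIn}")
    public void viewDashboard() {
        // ...
    }

    // 2. Role-based: the caller must hold a named role.
    @Restrict("#{s:hasRole('admin')}")
    public void closeAccount(Account account) {
        // ...
    }

    // 3. and 4. Rule-based (Drools) and ACL: both answer s:hasPermission
    // for a specific target object, so the check can depend on *which*
    // account is being edited, not just who is asking. Whether the decision
    // comes from Drools rules or from a persisted ACL is chosen by the
    // permission resolver configured in components.xml, not in this code.
    @Restrict("#{s:hasPermission(account, 'edit')}")
    public void edit(Account account) {
        // ...
    }
}

// Placeholder entity used as the restriction target (assumed, not from the talk).
class Account {
    Long id;
    String owner;
}
```

The point to notice is in the third method: the restriction carries the target (`account`) into the decision, which is the contextual authorization the abstract contrasts with frameworks that can only ask "does this user have role X".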