SeamFramework.orgCommunity Documentation

Chapter 34. Security - Authorization

34.1. Configuration
34.2. Basic Concepts
34.2.1. IdentityType
34.2.2. User
34.2.3. Group
34.2.4. Role
34.2.5. RoleType
34.3. Role and Group-based authorization
34.4. Typesafe authorization
34.4.1. Creating a typesafe security binding
34.4.2. Creating an authorizer method
34.4.3. Applying the binding to your business methods
34.4.4. Built-in security binding annotations

Before using any of Seam's authorization features, you must enable the SecurityInterceptor by adding the following code to your application's beans.xml:


Seam Security provides a number of facilities for restricting access to certain parts of your application. As mentioned previously, the security API is centered around the Identity bean, which is a session-scoped bean used to represent the identity of the current user.

To be able to restrict the sensitive parts of your code, you may inject the Identity bean into your class:

@Inject Identity identity;

Once you have injected the Identity bean, you may invoke its methods to perform various types of authorization. The following sections will examine each of these in more detail.

The security model in Seam Security is based upon the PicketLink API. Let's briefly examine a few of the core interfaces provided by PicketLink that are used in Seam.

This is the simplest type of authorization, used to define coarse-grained privileges for users assigned to a certain role or belonging to a certain group. Users may belong to zero or more roles and groups, and inversely, roles and groups may contain zero or more members.

The Identity bean provides the following two methods for checking role membership:

boolean hasRole(String role, String group, String groupType);
void checkRole(String role, String group, String groupType);

These two methods are similar in function, and both accept the same parameter values. Their behaviour differs when an authorization check fails. The hasRole() returns a value of false when the current user is not a member of the specified role. The checkRole() method on the other hand, will throw an AuthorizationException. Which of the two methods you use will depend on your requirements.

The following code listing contains a usage example for the hasRole() method:

   if (identity.hasRole("manager", "Head Office", "OFFICE")) {

Groups can be used to define a collection of users that meet some common criteria. For example, an application might use groups to define users in different geographical locations, their role in the company, their department or division or some other criteria which may be significant from a security point of view. As can be seen in the above class diagram, groups consist of a unique combination of group name and group type. Some examples of group types may be "OFFICE", "DEPARTMENT", "SECURITY_LEVEL", etc. An individual user may belong to many different groups.

The Identity bean provides the following methods for checking group membership:

boolean inGroup(String name, String groupType);
void checkGroup(String group, String groupType);

These methods are similar in behaviour to the role-specific methods above. The inGroup() method returns a value of false when the current user isn't in the specified group, and the checkGroup() method will throw an exception.

Seam Security provides a way to secure your bean classes and methods by annotating them with a typesafe security binding. Each security binding must have a matching authorizer method, which is responsible for performing the business logic required to determine whether a user has the necessary privileges to invoke a bean method. Creating and applying a security binding is quite simple, and is described in the following steps.