Authentication is the act of establishing, or confirming, the identity of a user. In many applications a user confirms their identity by providing a username and password (also known as their credentials). Seam Security allows the developer to control how users are authenticated, by providing a flexible Authentication API that can be easily configured to allow authentication against any number of sources, including but not limited to databases, LDAP directory servers or some other external authentication service.

If none of the built-in authentication providers are suitable for your application, then it is also possible to write your own custom Authenticator implementation.

Identity Management is a set of useful APIs for managing the users, groups and roles within your application. The identity management features in Seam are provided by PicketLink IDM, and allow you to manage users stored in a variety of backend security stores, such as in a database or LDAP directory.

Seam Security contains an external authentication sub-module that provides a number of features for authenticating your application users against external authentication services, such as OpenID and SAML.

While authentication is used to confirm the identity of the user, authorization is used to control which actions a user may perform within your application. Authorization can be roughly divided into two categories; coarse-grained and fine-grained. An example of a coarse-grained restriction is allowing only members of a certain group or role to perform a privileged operation. A fine-grained restriction on the other hand may allow only a certain individual user to perform a specific action on a specific object within your application.

There are also rule-based permissions, which bridge the gap between fine-grained and coarse-grained restrictions. These permissions may be used to determine a user's privileges based on certain business logic.

The Maven artifacts for all Seam modules are hosted within the JBoss Maven repository. Please refer to the Maven Getting Started Guide for information about configuring your Maven installation to use the JBoss repository.

To use Seam Security within your Maven-based project, it is advised that you import the Seam BOM (Bill of Materials) which declares the versions for all Seam modules. First declare a property value for ${seam.version} as follows:

<properties>

  <seam.version>3.0.0.Final</seam.version>

</properties>

You can check the JBoss Maven Repository directly to determine the latest version of the Seam BOM to use.

Now add the following lines to the list of dependencies within the dependencyManagement section of your project's pom.xml file:

<dependency>

  <groupId>org.jboss.seam</groupId>

  <artifactId>seam-bom</artifactId>

  <version>${seam.version}</version>

  <type>pom</type>

  <scope>import</scope>

</dependency>

Once that is done, add the following dependency (no version is required as it comes from seam-bom):

<dependency>

  <groupId>org.jboss.seam.security</groupId>

  <artifactId>seam-security</artifactId>

</dependency>

It is also possible to import the security module as separate API and implementation modules, for situations where you may not want to use the default implementation (such as testing environments where you may wish to substitute mock objects instead of the actual implementation). To do this, the following dependencies may be declared instead:

<dependency>

  <groupId>org.jboss.seam.security</groupId>

  <artifactId>seam-security-api</artifactId>

</dependency>



<dependency>

  <groupId>org.jboss.seam.security</groupId>

  <artifactId>seam-security-impl</artifactId>

</dependency>

If you wish to use the external authentication module in your application to allow authentication using OpenID or SAML, then add the following dependency also:

<dependency>

  <groupId>org.jboss.seam.security</groupId>

  <artifactId>seam-security-external</artifactId>

</dependency>

To enable many of the features of Seam Security, the Security interceptor must be configured in your application's beans.xml file. Add the following configuration to your beans.xml to enable the Security Interceptor:

    <interceptors>
        <class>org.jboss.seam.security.SecurityInterceptor</class>
    </interceptors>