// http://seamframework.org/Community/SeamIdentityLogin @Name("authenticator") public class AuthenticatorAction { @In Session myDatabase; @Out(required = false, scope = SESSION) private User user; @Logger private Log log; @In Identity identity; public boolean authenticate() { String password = DigestUtils.shaHex(identity.getPassword()); log.info("Authenticating user: #{identity.username} with password: #{identity.password}"); List results = nikoniansDatabase.createQuery("select u from User u where " + "u.email=#{identity.username} and u.password=:password").setParameter("password", password).list(); if (results.size() == 0) { log.info("User: #{identity.username} was not found"); return false; } else { user = (User)results.get(0); log.info("User: #{user.email} (user.userId) was authenticated"); return true; } } } /* http://seamframework.org/Community/SeamIdentityLogin http://odyssi.blogspot.com/2008/02/intro-to-jboss-seam-security-part-2.html */ package session; import static org.jboss.seam.ScopeType.SESSION; import java.util.List; import javax.ejb.Stateless; import javax.persistence.EntityManager; import javax.persistence.PersistenceContext; import entite.Utilisateur; import org.jboss.seam.annotations.Name; import org.jboss.seam.annotations.Out; @Stateless @Name("authenticator") public class AuthenticatorAction // implements Authenticator { @PersistenceContext private EntityManager em; @Out(required=false, scope = SESSION) private Utilisateur user; public boolean authenticate() { List results = em.createQuery("select u from utilisateur u where u.username=#{identity.username} and u.password=#{identity.password}") .getResultList(); if ( results.size()==0 ) { return false; } else { user = (Utilisateur) results.get(0); return true; } } } // http://www.developpez.net/forums/showthread.php?t=506408 protected String getUserAccountSalt(Object user) { // By default, we'll use the user's username as the password salt return userPrincipalProperty.getValue(user).toString(); } 
// http://blog.hibernate.org/Bloggers/SeamSecurityGetsAnUpgrade // http://72.14.205.104/search?q=cache:R5Tgm83lHTEJ:www.michaelyuan.com/download/seam/JBossSeam-nejug-20071018.pdf+seam+identity+db&hl=fr&ct=clnk&cd=10 http://kurtstam.blogspot.com/2008/02/single-signon-sso-with-seam-using-josso.html http://josso.svn.sourceforge.net/viewvc/josso/trunk/josso/src/josso_console/src/action/org/josso/seam/console/JossoAuthenticator.java?view=markup http://docs.jboss.com/seam/2.0.1.GA/reference/en/html/security.html An empty @Restrict implies a permission check of componentName:methodName if (!Identity.instance().hasRole("admin")) throw new AuthorizationException("Must be admin to perform this action"); if (!Identity.instance().hasPermission("customer", "create", null)) throw new AuthorizationException("You may not create new customers"); If the user isn't logged in, then the login form will be rendered - very straightforward so far. Now let's pretend there is a menu on the page that contains some actions which should only be accessible to users in the manager role. Here's one way that these could be written: Manager Reports http://docs.jboss.com/seam/2.0.1.GA/reference/en/html/security.html http://www.josso.org/confluence/display/JOSSO1/JBoss+4.2 http://edemmorny.wordpress.com/2008/01/10/seam-simple-data-table-conversation-example/ http://www.jsfcentral.com/listings/R9486?link http://www.ibm.com/developerworks/java/library/j-seam2/ Items Descriptions Locations Events Tasks Sites Contacts Users Roles Permissions http://docs.jboss.org/seam/2.0.0.CR2/reference/en/pdf/seam_reference.pdf