20 Replies Latest reply on Feb 12, 2007 7:53 PM by henrik.lindberg

    Exception for authorization attempt

    henrik.lindberg

      Hi, I get an exception when restricting access to a page called "settings.xhtml" - this is the output:

      22:52:01,046 ERROR [AbstractSeamPhaseListener] Swallowing exception thrown by page action
      org.jboss.seam.security.AuthorizationException: Authorization check failed for expression [#{s:hasPermission('/settings.xhtml', 'render', null)}]
      at org.jboss.seam.security.Identity.checkRestriction(Identity.java:165)
      at org.jboss.seam.pages.Page.enter(Page.java:185)
      at org.jboss.seam.core.Pages.enterPage(Pages.java:239)
      at org.jboss.seam.jsf.AbstractSeamPhaseListener.enterPage(AbstractSeamPhaseListener.java:241)
      at org.jboss.seam.jsf.AbstractSeamPhaseListener.beforeRender(AbstractSeamPhaseListener.java:192)
      at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:53)
      at org.apache.myfaces.lifecycle.PhaseListenerManager.informPhaseListenersBefore(PhaseListenerManager.java:70)
      at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:373)
      at javax.faces.webapp.FacesServlet.service(FacesServlet.java:138)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
      at org.jboss.seam.servlet.SeamRedirectFilter.doFilter(SeamRedirectFilter.java:32)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
      at org.jboss.seam.servlet.SeamExceptionFilter.doFilter(SeamExceptionFilter.java:46)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
      at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
      at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
      at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
      at java.lang.Thread.run(Thread.java:619)


      And the settings.xhtml page is rendered (as expected).
      What does this mean? Do I have to have specific access rules for every page that is configured in pages.xml?

      What I would have expected would have been that access was denied since it could not find a rule that explicitly granted access.

      Or maybe, I am doing something else wrong here...

        • 1. Re: Exception for authorization attempt
          gavin.king

          It's a problem in Seam's exception handling stuff, which I am right now in the process of rewriting.

          • 2. Re: Exception for authorization attempt
            henrik.lindberg

            ok...
            I am really confused about what is going on.
            I have this in my rules:

            rule "canUserRenderSettings"
            when
              c: PermissionCheck(name == "/settings.xhtml", action == "render")
            then
              c.grant();
            end

            Which if I have understood things correctly should always grant access for everyone that wants to render the settings.xhtml.

            I still get the exception... So, I wonder what is really going on here.
            For starters - is the rule correct as I have written it?

            How should the case be handled when the user does not get permissions? Should I use a mechanism that redirects when there is an exception?
            (Confused - as you can tell).

            Regards
            - henrik

            • 3. Re: Exception for authorization attempt
              shane.bryzak

              Your rule looks right. For security exception handling you need to configure exceptions.xml to redirect to a login or error page. I've added a section to the security docs (in CVS only) that briefly describes how to do this.

              • 4. Re: Exception for authorization attempt
                henrik.lindberg

                Thanks, looked at what was in CVS. That was helpful.
                If you want to improve on the text, maybe point out that the exceptions.xml file should be under WEB-INF. (It is mentioned in the handling exceptions section though - that is how I figured out where to put the file.)

                • 5. Re: Exception for authorization attempt
                  henrik.lindberg

                  I added the exception handling as suggested, but still have the same problem.

                  I can see that if I am not logged in I get a NotLoggedInException, and if logged in I get an Authorization exception.

                  I am not redirected, there is no error page being shown, the exception is simply swallowed by AbstractSeamPhaseListener (it says so in the console output).

                  Oh, and the page I am trying to protect is still rendered.

                  Could there be something else that is wrong?
                  When I do a build clean of the project I sometimes see that it was impossible to remove certain files. Security and drools related files most of the time. When this happens I try again (sometimes several times) until the clean build works. (I am using JBoss IDE)
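A check for the symptom Henrik describes here (the restriction fails, the exception is swallowed, and the protected page renders anyway). This is an added example, not code from the thread or from Seam: a small Python script that fetches each restricted view-id with no session cookie and reports whether the request was denied (redirected to /login.xhtml or /security_error.xhtml, the targets configured in the pages.xml posted later in the thread, or answered 401/403) or whether the page rendered with a 200, which is fail-open. The base URL, the extra /admin.xhtml view, the `<h1>Settings</h1>` page marker and the sample responses are all constructed assumptions.

```python
"""Fail-open check for Seam page restrictions (added example, not from the thread or Seam).

Requests each restricted view-id with no session cookie and classifies the reply:
'denied' (redirect to the login/error page, or 401/403), 'fail-open' (the protected
page rendered anyway, the symptom in this thread), or 'unexpected' (look manually).
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, NamedTuple


class Response(NamedTuple):
    status: int
    location: str  # Location header, "" if absent
    body: str


# Assumed from the thread's pages.xml: the restricted view and the redirect targets.
RESTRICTED_VIEWS: List[str] = ["/settings.xhtml"]
ALLOWED_REDIRECT_TARGETS = ("/login.xhtml", "/security_error.xhtml")
# Hypothetical marker unique to each protected page's markup; if a 200 reply carries
# it, the protected page really was rendered. Views without a marker: any 200 is flagged.
PROTECTED_MARKERS: Dict[str, str] = {"/settings.xhtml": "<h1>Settings</h1>"}


def classify(view_id: str, resp: Response) -> str:
    """Verdict for one unauthenticated GET of a restricted view."""
    if resp.status in (301, 302, 303, 307, 308):
        target = resp.location.split("?", 1)[0]  # drop ?cid=... conversation id
        if any(target.endswith(t) for t in ALLOWED_REDIRECT_TARGETS):
            return "denied"
        return "unexpected"
    if resp.status in (401, 403):
        return "denied"
    if resp.status == 200:
        marker = PROTECTED_MARKERS.get(view_id)
        if marker is None or marker in resp.body:
            return "fail-open"
        return "unexpected"  # 200 but not the protected page (e.g. a forwarded login form)
    return "unexpected"


def audit(fetch: Callable[[str], Response], views: List[str] = RESTRICTED_VIEWS) -> Dict[str, str]:
    """Run classify() over every restricted view using the supplied fetcher."""
    return {view: classify(view, fetch(view)) for view in views}


def http_fetch(base_url: str) -> Callable[[str], Response]:
    """Live fetcher: GET base_url + view_id, no cookies, redirects not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make urllib raise HTTPError on 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)

    def fetch(view_id: str) -> Response:
        try:
            with opener.open(base_url.rstrip("/") + view_id, timeout=10) as r:
                return Response(r.status, r.headers.get("Location", ""),
                                r.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as e:  # 3xx (not followed), 4xx, 5xx land here
            return Response(e.code, e.headers.get("Location", "") or "",
                            e.read().decode("utf-8", "replace"))
    return fetch


# Constructed replies standing in for a live server so the script runs offline.
# The first reproduces the thread's symptom: AuthorizationException swallowed,
# settings.xhtml rendered with HTTP 200. The second is what a working restriction does.
SAMPLE_RESPONSES: Dict[str, Response] = {
    "/settings.xhtml": Response(200, "", "<html><body><h1>Settings</h1></body></html>"),
    "/admin.xhtml": Response(302, "http://localhost:8080/app/login.xhtml?cid=3", ""),
}


def sample_fetch(view_id: str) -> Response:
    return SAMPLE_RESPONSES[view_id]


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1  # usage: python check_restrictions.py http://localhost:8080/app
    fetch = http_fetch(sys.argv[1]) if live else sample_fetch
    views = RESTRICTED_VIEWS if live else list(SAMPLE_RESPONSES)
    for view, verdict in audit(fetch, views).items():
        print(f"{view}: {verdict}")
```

Run it with no argument to see the constructed cases, or with the application's base URL to probe a deployment. A 200 on a restricted view with no session is the thing to treat as a bug even when the server log shows an AuthorizationException, because a check whose failure is swallowed is the same as no check.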

                  • 6. Re: Exception for authorization attempt
                    shane.bryzak

                    Gavin mentioned that he would be working on the exception handling to fix this behaviour. I'm not sure why your files are locked - are they opened by any other application?

                    • 7. Re: Exception for authorization attempt
                      henrik.lindberg

                      The files are not opened by some other application (that I know of).
                      Basically the things running/using/producing these files are Eclipse (JBoss IDE), and JBoss app server.

                      At the moment, I can not trigger the problem on purpose - but I have a suspicion that it may have to do with having an automatic rebuild followed by a build clean and that the consequences of the first operation have not completed.

                      Thanks Gavin for fixing things with the exceptions. What I don't understand is how anyone can protect a page using the rules...

                      • 8. Re: Exception for authorization attempt
                        shane.bryzak


                        "henrik.lindberg" wrote:
                        What I don't understand is how anyone can protect a page using the rules...


                        I've updated the seamspace example in CVS to include a default page restriction - take a look at the entry for /comment.xhtml in pages.xml, and the RestrictCommentPage rule in security-rules.drl. If you browse directly to comment.xhtml, you are redirected to the registration page.

                        • 9. Re: Exception for authorization attempt
                          henrik.lindberg

                          Thanks, I will try that. It is different than what was said in the manual (in CVS) about putting the exceptions in exceptions.xml

                          • 10. Re: Exception for authorization attempt
                            henrik.lindberg

                            I tried it - does not work for me. Is it supposed to work for 1.1.5.GA, or does this depend on things only in CVS?

                            This is what I have done

                            In security.drl

                            rule "canUserRenderSettings"
                             no-loop
                             activation-group "permissions"
                            when
                             c: PermissionCheck(name == "/settings.xhtml" || == "settings", action == "render", granted == false)
                            then
                             c.grant();
                             modify(c);
                            end
                            

                            I.e. a very lean rule, the user only has to be logged in. I added || "settings" because I wanted to try to check permission explicitly and use "settings" as the tag - have not tried that yet though.

                            I added the "no-loop", and "activation-group" from the example in CVS. Also added the "modify(c)" at the end. Don't know what they are supposed to do, but I can guess.

                            Then in pages.xml I have the two exception declarations:
                            <!-- When NotLoggedInException occurs - redirect to login -->
                            <exception class="org.jboss.seam.security.NotLoggedInException">
                             <redirect view-id="/login.xhtml">
                             <faces-message>You must be a member to use this feature</faces-message>
                             </redirect>
                             <end-conversation/>
                            </exception>
                            
                            <!-- When AuthorizationException occurs - redirect to error page -->
                            <exception class="org.jboss.seam.security.AuthorizationException">
                             <redirect view-id="/security_error.xhtml">
                             <faces-message>You do not have permission to do this</faces-message>
                             </redirect>
                             <end-conversation/>
                            </exception>
                            </pages>
                            


                            (to be continued in the next post...)

                            • 11. Re: Exception for authorization attempt
                              henrik.lindberg

                              Then, when I actually restrict the settings page (in pages.xml) like this:

                              <page view-id="/settings.xhtml">
                               <restrict/>
                              </page>
                              

                              Then I get
                              18:00:36,890 ERROR [AbstractSeamPhaseListener] Swallowing exception thrown by page action
                               org.jboss.seam.security.AuthorizationException: Authorization check failed for expression [#{s:hasPermission('/settings.xhtml', 'render', null)}]
                               at org.jboss.seam.security.Identity.checkRestriction(Identity.java:165)
                               at org.jboss.seam.pages.Page.enter(Page.java:185)
                               at org.jboss.seam.core.Pages.enterPage(Pages.java:239)
                               at org.jboss.seam.jsf.AbstractSeamPhaseListener.enterPage(AbstractSeamPhaseListener.java:241)
                               at org.jboss.seam.jsf.AbstractSeamPhaseListener.beforeRender(AbstractSeamPhaseListener.java:192)
                               at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:53)
                               at org.apache.myfaces.lifecycle.PhaseListenerManager.informPhaseListenersBefore(PhaseListenerManager.java:70)
                               at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:373)
                               at javax.faces.webapp.FacesServlet.service(FacesServlet.java:138)
                               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
                               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                               at org.jboss.seam.servlet.SeamRedirectFilter.doFilter(SeamRedirectFilter.java:32)
                               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                               at org.jboss.seam.servlet.SeamExceptionFilter.doFilter(SeamExceptionFilter.java:46)
                               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                               at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                               at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
                               at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
                               at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
                               at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
                               at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
                               at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
                               at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
                               at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
                               at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
                               at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
                               at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
                               at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
                               at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
                               at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
                               at java.lang.Thread.run(Thread.java:619)
                              


                              • 12. Re: Exception for authorization attempt
                                henrik.lindberg

                                Which was the exception that I thought the declaration in pages.xml should handle.

                                 But... maybe I am confused, and what Gavin said about "fixing the exception" actually meant that this (restricting a page as in the example) has no chance of working until the problem with this exception is fixed.

                                Something telling is perhaps that it says

                                 check failed for expression [#{s:hasPermission('/settings.xhtml', 'render', null)}]

                                with a 'null' at the end - the rule has 'granted == false'

                                Will test by removing that part...

                                • 13. Re: Exception for authorization attempt
                                  gavin.king

                                  Why don't you just try using current CVS, the docs in current CVS, and the example in current CVS, since we have fixed bugs and redesigned Seam exception handling.

                                  • 14. Re: Exception for authorization attempt
                                    henrik.lindberg

                                    Sounds like an idea worth trying :-)
