-
1. Re: Question regarding Identity.hasPermission(...)
gavin.king Feb 16, 2007 4:06 PM (in response to spambob)
Look in RuleBasedIdentity.
-
2. Re: Question regarding Identity.hasPermission(...)
spambob Feb 16, 2007 4:46 PM (in response to spambob)
As I said: I'm missing the obvious - thanks for enlightening me :D
However, I have 3 more questions (regarding the security stuff in the seamspace example):
1. the security-rules.drl requires - i.e. - a Member in the working memory: is it right that those objects are inserted into the working memory via s:hasPermission / RuleBasedIdentity.hasPermission(...) (the 3rd+ parameter) and they stay there only for one evaluation?
2. The PermissionCheck objects & the additional facts live in the working memory only for one evaluation - so if I have 2 permissions checks within 1 request that check for the same permission all the stuff is reevaluated a 2nd time?
3. The most important one: Why do you add "activation-group permissions" in the security-rules.drl file (the rules should be mutually exclusive because there is just one PermissionCheck in the working memory)?
-
3. Re: Question regarding Identity.hasPermission(...)
spambob Feb 16, 2007 5:52 PM (in response to spambob)
Having played a bit with the security API I assume the answer to 1. & 2. is Yes - please correct me if I'm wrong.
Regarding 3.: Why do you add "activation-group permissions" in the security-rules.drl file (the rules should be mutually exclusive because there is just one PermissionCheck in the working memory)?
Is the answer: If they don't belong to the same activation group the rules engine would evaluate the remaining rules (after it found a match) although they obviously would evaluate to false - so you put them in the same activation-group to ensure it doesn't waste its time?
-
4. Re: Question regarding Identity.hasPermission(...)
shane.bryzak Feb 16, 2007 6:02 PM (in response to spambob)
"spambob" wrote:
1. the security-rules.drl requires - i.e. - a Member in the working memory: is it right that those objects are inserted into the working memory via s:hasPermission / RuleBasedIdentity.hasPermission(...) (the 3rd+ parameter) and they stay there only for one evaluation?
Yes, they only stay there for a single permission evaluation.
"spambob" wrote:
2. The PermissionCheck objects & the additional facts live in the working memory only for one evaluation - so if I have 2 permissions checks within 1 request that check for the same permission all the stuff is reevaluated a 2nd time?
That's right.
"spambob" wrote:
3. The most important one: Why do you add "activation-group permissions" in the security-rules.drl file (the rules should be mutually exclusive because there is just one PermissionCheck in the working memory)?
Strictly speaking you probably don't need this. I've just included it as a safety mechanism to ensure that only one of the rules will match (I previously had a catch-all rule to deal with role permissions, but these have been removed).
-
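A simplified Python model of the behaviour confirmed in the answer above, added here as an illustration; it is not Seam or Drools code and not part of the thread. It shows facts living in working memory for one evaluation only and an activation-group letting only one of two overlapping rules fire. `ModelIdentity`, `has_member` and the two rules are hypothetical; only the names `PermissionCheck`, `Member` and the `permissions` group come from the posts.

```python
from dataclasses import dataclass

@dataclass
class PermissionCheck:          # fact name taken from the thread
    name: str
    action: str
    granted: bool = False

@dataclass
class Member:                   # extra fact passed as the 3rd+ argument
    username: str

def has_member(memory):
    return any(isinstance(f, Member) for f in memory)

# (rule name, activation-group, condition); constructed rules, not seamspace's
RULES = [
    ("CreateBlog", "permissions",
     lambda c, m: c.name == "blog" and c.action == "create" and has_member(m)),
    ("AnyBlogAction", "permissions",
     lambda c, m: c.name == "blog" and has_member(m)),
]

class ModelIdentity:            # hypothetical stand-in for the rule-based check
    def __init__(self, rules):
        self.rules = rules
        self.memory = []        # working memory shared by all checks
        self.fired = []         # names of rules that fired, for inspection

    def has_permission(self, name, action, *facts):
        check = PermissionCheck(name, action)
        inserted = [check, *facts]
        self.memory.extend(inserted)
        try:
            done_groups = set()
            for rule_name, group, condition in self.rules:
                if group in done_groups:
                    continue    # activation-group: one firing per group
                if condition(check, self.memory):
                    check.granted = True
                    self.fired.append(rule_name)
                    if group is not None:
                        done_groups.add(group)
            return check.granted
        finally:
            # retract everything inserted for this one evaluation
            self.memory = [f for f in self.memory
                           if not any(f is x for x in inserted)]
```

Because the facts are retracted after each call, a later check that passes no `Member` is denied even when an earlier check in the same request was granted.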
5. Re: Question regarding Identity.hasPermission(...)
spambob Feb 16, 2007 6:08 PM (in response to spambob)
Thank you Shane for clearing this up! I think I get it now :)