2 Replies Latest reply on Jul 6, 2007 2:54 PM by tim_ph

    Security rules for Role in document not working..

    tim_ph

      I followed the documentation of Seam 2.0.0.Beta1 to put some security rules in place to check page access permission, but it didn't work the way it is documented. If anyone can explain how Role gets created and used in the framework, that would be really helpful.

      In security.drl (as documentation explains in security chapter)

      package Permissions;
      
      import java.security.Principal;
      import org.jboss.seam.security.PermissionCheck;
      import org.jboss.seam.security.Role;
      
      // Grants the "render" permission on /AccountEdit.xhtml only while a
      // Role fact named "admin" is present in the security working memory;
      // the PermissionCheck fact is inserted by Identity.hasPermission()
      rule CanUserCreateAccount
      when
       c: PermissionCheck(name == "/AccountEdit.xhtml", action == "render")
       Role(name == "admin")
      then
       c.grant();
      end;
      

      Can anyone explain how Role is asserted in there?

      in pages.xml
       <page view-id="/AccountEdit.xhtml">
         <restrict/>
       </page>
      


      I got the role added to Identity at the authenticate() call, going through another rule working memory with no problem. I see the username as "tim as admin" after logging in.
      
      // Runs in a separate (administration) working memory during authenticate();
      // the Identity itself is the fact being matched
      rule AssignUserRole
      when
       i: Identity(username == "tim")
      then
       i.addRole("admin");
       i.setUsername("tim as admin");
      end;
      


      ... and then I checked the error stack and found out that Identity.hasPermission(..) always returns false... :( BETA ):
      
       public boolean hasPermission(String name, String action, Object...arg)
       {
         return false;
       }
      


        • 1. Re: Security rules for Role in document not working..
          shane.bryzak

          Is the user already authenticated before you invoke addRole() in your rule? If not, then calling addRole() simply puts the role into a temporary "holding" area until authentication is successful, at which point it becomes a "real" role which will then return true for a hasRole() check.

          • 2. Re: Security rules for Role in document not working..
            tim_ph

            Yes, I return true in the authenticate() call.
            
             public boolean authenticate() {
               String user = identity.getUsername();
               log.info("authenticating #0", user);
               if ("tim".equals(user)) {
                 // identity.addRole("admin");
                 assignRole();   // let the AssignUserRole rule add the role instead
               } else {
                 identity.addRole("user");
               }
               return true;
             }
            
             // Inserts the Identity into the administration working memory and
             // fires AssignUserRole, which calls identity.addRole("admin")
             public void assignRole() {
               administrationWorkingMemory.assertObject(identity);
               administrationWorkingMemory.fireAllRules();
             }