2 Replies Latest reply on Sep 11, 2007 10:13 AM by eethyo

    Security Problem

    eethyo
    eethyo Sep 11, 2007 6:46 AM

      Hi, i get an exception and I dont know why when i want to set up a rule in the security.drl.


      Drools are fine configured and other rules are working fine.


      Security.drl

      package Permissions;

import java.security.Principal;

import org.jboss.seam.security.PermissionCheck;
import org.jboss.seam.security.Role;
import com.testSeam.session.User;

rule canUserEditProfile
when
c: PermissionCheck(name == 'userProfil', action=='editUserProfil")
Principal(principalName : name)
User(username == principalName)
or
Role(name == "Admin")
then
c.grant();
end


      Accessed by: 

      <rich:tab label="Edit Details" rendered="#{s:hasPermission('userProfil', 'editUserProfil', user)}">
<ui:include src="userEdit.xhtml"/>
</rich:tab>



      User class: 

      @Entity
@Name("User")
@Table(name = "USERTABELLE")
@Scope(SESSION)
public class User implements Serializable {

 private String username;

 private List<UserRole> userRoles;


 @Id
 @NotNull
 public String getUsername() {
 return username;
 }

 public void setUsername(String username) {
 this.username = username;
 }

 @ManyToMany
 @JoinTable(name="USERTOROLLE", joinColumns=@JoinColumn(name="username"),
 inverseJoinColumns=@JoinColumn(name="ROLENAME"))
 public List<UserRole> getUserRoles()
 {
 return userRoles;
 }

 public void setUserRoles(List<UserRole> userRoles)
 {
 this.userRoles = userRoles;
 }


}


      Process:
      User logs in.
      User clicks on user list and wants to edit a user.
      LoggedIn User just may edit his own user!


      Exception if i want to render my userEdit.xhtml: 

      javax.faces.FacesException: javax.el.ELException: /userShow.xhtml @19,97 rendered="#{s:hasPermission('userProfil', 'editUserProfil', user)}": java.lang.ClassCastException: org.jboss.seam.security.PermissionCheckShadowProxy
 at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:373)
 at org.richfaces.renderkit.TabPanelRendererBase.encodeTabs(TabPanelRendererBase.java:240)
 at org.richfaces.renderkit.html.TabPanelRenderer.doEncodeBegin(TabPanelRenderer.java:224)
 at org.richfaces.renderkit.html.TabPanelRenderer.doEncodeBegin(TabPanelRenderer.java:180)
 at org.ajax4jsf.framework.renderer.RendererBase.encodeBegin(RendererBase.java:101)
 at javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:788)
 at javax.faces.component.UIComponent.encodeAll(UIComponent.java:884)
 at javax.faces.component.UIComponent.encodeAll(UIComponent.java:892)
 at com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:577)
 at org.ajax4jsf.framework.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:108)
 at org.ajax4jsf.framework.ajax.AjaxViewHandler.renderView(AjaxViewHandler.java:233)
 at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:106)
 at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251)
 at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:144)
 at javax.faces.webapp.FacesServlet.service(FacesServlet.java:245)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
 at org.jboss.seam.debug.hot.HotDeployFilter.doFilter(HotDeployFilter.java:63)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:87)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:63)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:46)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.ajax4jsf.framework.ajax.xmlfilter.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:127)
 at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:277)
 at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:40)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:140)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
 at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
 at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
 at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
 at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
 at java.lang.Thread.run(Thread.java:595)
Caused by: javax.el.ELException: /userShow.xhtml @19,97 rendered="#{s:hasPermission('editProfil', 'editProfil', User)}": java.lang.ClassCastException: org.jboss.seam.security.PermissionCheckShadowProxy
 at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:76)
 at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:370)
 ... 49 more
Caused by: java.lang.ClassCastException: org.jboss.seam.security.PermissionCheckShadowProxy
 at org.drools.base.java.security.Principal$getName.getValue(Unknown Source)
 at org.drools.base.extractors.BaseObjectClassFieldExtractor.getHashCode(BaseObjectClassFieldExtractor.java:136)
 at org.drools.base.ClassFieldExtractor.getHashCode(ClassFieldExtractor.java:160)
 at org.drools.rule.Declaration.getHashCode(Declaration.java:192)
 at org.drools.util.AbstractHashTable$SingleIndex.hashCodeOf(AbstractHashTable.java:459)
 at org.drools.util.TupleIndexHashTable.getOrCreate(TupleIndexHashTable.java:259)
 at org.drools.util.TupleIndexHashTable.add(TupleIndexHashTable.java:171)
 at org.drools.reteoo.JoinNode.assertTuple(JoinNode.java:109)
 at org.drools.reteoo.CompositeTupleSinkAdapter.propagateAssertTuple(CompositeTupleSinkAdapter.java:30)
 at org.drools.reteoo.JoinNode.assertTuple(JoinNode.java:117)
 at org.drools.reteoo.SingleTupleSinkAdapter.createAndPropagateAssertTuple(SingleTupleSinkAdapter.java:55)
 at org.drools.reteoo.LeftInputAdapterNode.assertObject(LeftInputAdapterNode.java:144)
 at org.drools.reteoo.SingleObjectSinkAdapter.propagateAssertObject(SingleObjectSinkAdapter.java:20)
 at org.drools.reteoo.AlphaNode.assertObject(AlphaNode.java:147)
 at org.drools.reteoo.SingleObjectSinkAdapter.propagateAssertObject(SingleObjectSinkAdapter.java:20)
 at org.drools.reteoo.ObjectTypeNode.assertObject(ObjectTypeNode.java:183)
 at org.drools.reteoo.Rete.assertObject(Rete.java:121)
 at org.drools.reteoo.ReteooRuleBase.assertObject(ReteooRuleBase.java:201)
 at org.drools.reteoo.ReteooWorkingMemory.doAssertObject(ReteooWorkingMemory.java:70)
 at org.drools.common.AbstractWorkingMemory.assertObject(AbstractWorkingMemory.java:724)
 at org.drools.common.AbstractWorkingMemory.assertObject(AbstractWorkingMemory.java:548)
 at org.jboss.seam.security.RuleBasedIdentity.hasPermission(RuleBasedIdentity.java:123)
 at org.jboss.seam.security.SecurityFunctions.hasPermission(SecurityFunctions.java:19)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:325)
 at org.jboss.el.parser.AstFunction.getValue(AstFunction.java:84)
 at org.jboss.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186)
 at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71)
 ... 50 more



      Using seam 2 beta.
      Using drools: 4.0.0 MR2

      any ideas?

      • 5149 Views
      • Tags:
        • 1. Re: Security Problem
          eethyo
          eethyo Sep 11, 2007 8:15 AM (in response to eethyo)

          Got it work with, even if i dont know why it works now and it didnt work before...

          rule canUserEditProfile
when
c: PermissionCheck(name == 'userProfil', action=='editUserProfil')

Principal(principalName : name)
User(username : username -> (username.equals(principalName)))
then
c.grant();
end



          but as soon as i put in: 

          or
Role(name == 'Admin')


          doesnt work anymore.

          following exception: 
          javax.faces.FacesException: javax.el.ELException: /userShow.xhtml @19,102 rendered="#{s:hasPermission('userProfil', 'editUserProfil' , user)}": org.drools.RuntimeDroolsException: Exception executing predicate Permissions.Rule_canUserEditProfile_0ReturnValue0Invoker@ca3754e1
 at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:373)
 at org.richfaces.renderkit.TabPanelRendererBase.encodeTabs(TabPanelRendererBase.java:240)
 at org.richfaces.renderkit.html.TabPanelRenderer.doEncodeBegin(TabPanelRenderer.java:224)
 at org.richfaces.renderkit.html.TabPanelRenderer.doEncodeBegin(TabPanelRenderer.java:180)
 at org.ajax4jsf.framework.renderer.RendererBase.encodeBegin(RendererBase.java:101)
 at javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:788)
 at javax.faces.component.UIComponent.encodeAll(UIComponent.java:884)
 at javax.faces.component.UIComponent.encodeAll(UIComponent.java:892)
 at com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:577)
 at org.ajax4jsf.framework.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:108)
 at org.ajax4jsf.framework.ajax.AjaxViewHandler.renderView(AjaxViewHandler.java:233)
 at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:106)
 at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251)
 at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:144)
 at javax.faces.webapp.FacesServlet.service(FacesServlet.java:245)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
 at org.jboss.seam.debug.hot.HotDeployFilter.doFilter(HotDeployFilter.java:63)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:87)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:63)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:46)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.ajax4jsf.framework.ajax.xmlfilter.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:127)
 at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:277)
 at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:40)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
 at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:140)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
 at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
 at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
 at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
 at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
 at java.lang.Thread.run(Thread.java:595)
Caused by: javax.el.ELException: /userShow.xhtml @19,102 rendered="#{s:hasPermission('userProfil', 'editUserProfil' , user)}": org.drools.RuntimeDroolsException: Exception executing predicate Permissions.Rule_canUserEditProfile_0ReturnValue0Invoker@ca3754e1
 at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:76)
 at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:370)
 ... 49 more
Caused by: org.drools.RuntimeDroolsException: Exception executing predicate Permissions.Rule_canUserEditProfile_0ReturnValue0Invoker@ca3754e1
 at org.drools.rule.PredicateConstraint.isAllowedCachedRight(PredicateConstraint.java:228)
 at org.drools.common.SingleBetaConstraints.isAllowedCachedRight(SingleBetaConstraints.java:110)
 at org.drools.reteoo.JoinNode.assertObject(JoinNode.java:154)
 at org.drools.reteoo.SingleObjectSinkAdapter.propagateAssertObject(SingleObjectSinkAdapter.java:20)
 at org.drools.reteoo.ObjectTypeNode.assertObject(ObjectTypeNode.java:183)
 at org.drools.reteoo.Rete.assertObject(Rete.java:121)
 at org.drools.reteoo.ReteooRuleBase.assertObject(ReteooRuleBase.java:201)
 at org.drools.reteoo.ReteooWorkingMemory.doAssertObject(ReteooWorkingMemory.java:70)
 at org.drools.common.AbstractWorkingMemory.assertObject(AbstractWorkingMemory.java:724)
 at org.drools.common.AbstractWorkingMemory.assertObject(AbstractWorkingMemory.java:548)
 at org.jboss.seam.security.RuleBasedIdentity.hasPermission(RuleBasedIdentity.java:139)
 at org.jboss.seam.security.SecurityFunctions.hasPermission(SecurityFunctions.java:19)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:325)
 at org.jboss.el.parser.AstFunction.getValue(AstFunction.java:84)
 at org.jboss.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186)
 at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71)
 ... 50 more
Caused by: java.lang.ClassCastException: org.jboss.seam.security.PermissionCheckShadowProxy
 at org.drools.base.java.security.Principal$getName.getValue(Unknown Source)
 at org.drools.base.ClassFieldExtractor.getValue(ClassFieldExtractor.java:86)
 at org.drools.rule.Declaration.getValue(Declaration.java:156)
 at Permissions.Rule_canUserEditProfile_0ReturnValue0Invoker.evaluate(Rule_canUserEditProfile_0ReturnValue0Invoker.java:14)
 at org.drools.rule.PredicateConstraint.isAllowedCachedRight(PredicateConstraint.java:222)
 ... 69 more



          i am getting crazy.
          is there another way to express an "or" expression?!


            • Actions
          • 2. Re: Security Problem
            eethyo
            eethyo Sep 11, 2007 10:13 AM (in response to eethyo)

            if i leave the Principal(pName:name) away and put a
            hardcoded pName in my equals it works fine.
            so there must be a conflict between the pName:name and the
            Role(name=='anyrole').

            so and now i dont know what i am doing wrong.
            do i miss some ( ) or something?

            package Permissions;

import java.security.Principal;

import org.jboss.seam.security.PermissionCheck;
import org.jboss.seam.security.Role;
import com.mydomain.session.User;

rule canUserEditProfile
when
c: PermissionCheck(name == 'userProfil', action=='editUserProfil');
(User(username : username -> (username.equals("hardcodedUser")))
or
Role(name =='Admin' ))
then
c.grant();
end;


              • Actions