2 Replies Latest reply on Sep 11, 2007 10:13 AM by eethyo

    Security Problem

    eethyo

      Hi, i get an exception and I dont know why when i want to set up a rule in the security.drl.


      Drools are fine configured and other rules are working fine.


      Security.drl

      package Permissions;
      
      import java.security.Principal;
      
      import org.jboss.seam.security.PermissionCheck;
      import org.jboss.seam.security.Role;
      import com.testSeam.session.User;
      
      rule canUserEditProfile
      when
      c: PermissionCheck(name == 'userProfil', action=='editUserProfil")
      Principal(principalName : name)
      User(username == principalName)
      or
      Role(name == "Admin")
      then
      c.grant();
      end
      


      Accessed by:

      <rich:tab label="Edit Details" rendered="#{s:hasPermission('userProfil', 'editUserProfil', user)}">
      <ui:include src="userEdit.xhtml"/>
      </rich:tab>
      



      User class:

      @Entity
      @Name("User")
      @Table(name = "USERTABELLE")
      @Scope(SESSION)
      public class User implements Serializable {
      
       private String username;
      
       private List<UserRole> userRoles;
      
      
       @Id
       @NotNull
       public String getUsername() {
       return username;
       }
      
       public void setUsername(String username) {
       this.username = username;
       }
      
       @ManyToMany
       @JoinTable(name="USERTOROLLE", joinColumns=@JoinColumn(name="username"),
       inverseJoinColumns=@JoinColumn(name="ROLENAME"))
       public List<UserRole> getUserRoles()
       {
       return userRoles;
       }
      
       public void setUserRoles(List<UserRole> userRoles)
       {
       this.userRoles = userRoles;
       }
      
      
      }


      Process:
      User logs in.
      User clicks on user list and wants to edit a user.
      LoggedIn User just may edit his own user!


      Exception if i want to render my userEdit.xhtml:

      javax.faces.FacesException: javax.el.ELException: /userShow.xhtml @19,97 rendered="#{s:hasPermission('userProfil', 'editUserProfil', user)}": java.lang.ClassCastException: org.jboss.seam.security.PermissionCheckShadowProxy
       at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:373)
       at org.richfaces.renderkit.TabPanelRendererBase.encodeTabs(TabPanelRendererBase.java:240)
       at org.richfaces.renderkit.html.TabPanelRenderer.doEncodeBegin(TabPanelRenderer.java:224)
       at org.richfaces.renderkit.html.TabPanelRenderer.doEncodeBegin(TabPanelRenderer.java:180)
       at org.ajax4jsf.framework.renderer.RendererBase.encodeBegin(RendererBase.java:101)
       at javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:788)
       at javax.faces.component.UIComponent.encodeAll(UIComponent.java:884)
       at javax.faces.component.UIComponent.encodeAll(UIComponent.java:892)
       at com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:577)
       at org.ajax4jsf.framework.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:108)
       at org.ajax4jsf.framework.ajax.AjaxViewHandler.renderView(AjaxViewHandler.java:233)
       at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:106)
       at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251)
       at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:144)
       at javax.faces.webapp.FacesServlet.service(FacesServlet.java:245)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
       at org.jboss.seam.debug.hot.HotDeployFilter.doFilter(HotDeployFilter.java:63)
       at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
       at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:87)
       at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
       at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:63)
       at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
       at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:46)
       at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
       at org.ajax4jsf.framework.ajax.xmlfilter.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:127)
       at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:277)
       at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:40)
       at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
       at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:140)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
       at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Thread.java:595)
      Caused by: javax.el.ELException: /userShow.xhtml @19,97 rendered="#{s:hasPermission('editProfil', 'editProfil', User)}": java.lang.ClassCastException: org.jboss.seam.security.PermissionCheckShadowProxy
       at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:76)
       at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:370)
       ... 49 more
      Caused by: java.lang.ClassCastException: org.jboss.seam.security.PermissionCheckShadowProxy
       at org.drools.base.java.security.Principal$getName.getValue(Unknown Source)
       at org.drools.base.extractors.BaseObjectClassFieldExtractor.getHashCode(BaseObjectClassFieldExtractor.java:136)
       at org.drools.base.ClassFieldExtractor.getHashCode(ClassFieldExtractor.java:160)
       at org.drools.rule.Declaration.getHashCode(Declaration.java:192)
       at org.drools.util.AbstractHashTable$SingleIndex.hashCodeOf(AbstractHashTable.java:459)
       at org.drools.util.TupleIndexHashTable.getOrCreate(TupleIndexHashTable.java:259)
       at org.drools.util.TupleIndexHashTable.add(TupleIndexHashTable.java:171)
       at org.drools.reteoo.JoinNode.assertTuple(JoinNode.java:109)
       at org.drools.reteoo.CompositeTupleSinkAdapter.propagateAssertTuple(CompositeTupleSinkAdapter.java:30)
       at org.drools.reteoo.JoinNode.assertTuple(JoinNode.java:117)
       at org.drools.reteoo.SingleTupleSinkAdapter.createAndPropagateAssertTuple(SingleTupleSinkAdapter.java:55)
       at org.drools.reteoo.LeftInputAdapterNode.assertObject(LeftInputAdapterNode.java:144)
       at org.drools.reteoo.SingleObjectSinkAdapter.propagateAssertObject(SingleObjectSinkAdapter.java:20)
       at org.drools.reteoo.AlphaNode.assertObject(AlphaNode.java:147)
       at org.drools.reteoo.SingleObjectSinkAdapter.propagateAssertObject(SingleObjectSinkAdapter.java:20)
       at org.drools.reteoo.ObjectTypeNode.assertObject(ObjectTypeNode.java:183)
       at org.drools.reteoo.Rete.assertObject(Rete.java:121)
       at org.drools.reteoo.ReteooRuleBase.assertObject(ReteooRuleBase.java:201)
       at org.drools.reteoo.ReteooWorkingMemory.doAssertObject(ReteooWorkingMemory.java:70)
       at org.drools.common.AbstractWorkingMemory.assertObject(AbstractWorkingMemory.java:724)
       at org.drools.common.AbstractWorkingMemory.assertObject(AbstractWorkingMemory.java:548)
       at org.jboss.seam.security.RuleBasedIdentity.hasPermission(RuleBasedIdentity.java:123)
       at org.jboss.seam.security.SecurityFunctions.hasPermission(SecurityFunctions.java:19)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:325)
       at org.jboss.el.parser.AstFunction.getValue(AstFunction.java:84)
       at org.jboss.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186)
       at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71)
       ... 50 more
      



      Using seam 2 beta.
      Using drools: 4.0.0 MR2

      any ideas?

        • 1. Re: Security Problem
          eethyo

          Got it work with, even if i dont know why it works now and it didnt work before...

          rule canUserEditProfile
          when
          c: PermissionCheck(name == 'userProfil', action=='editUserProfil')
          
          Principal(principalName : name)
          User(username : username -> (username.equals(principalName)))
          then
          c.grant();
          end



          but as soon as i put in:

          or
          Role(name == 'Admin')


          doesnt work anymore.

          following exception:
          javax.faces.FacesException: javax.el.ELException: /userShow.xhtml @19,102 rendered="#{s:hasPermission('userProfil', 'editUserProfil' , user)}": org.drools.RuntimeDroolsException: Exception executing predicate Permissions.Rule_canUserEditProfile_0ReturnValue0Invoker@ca3754e1
           at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:373)
           at org.richfaces.renderkit.TabPanelRendererBase.encodeTabs(TabPanelRendererBase.java:240)
           at org.richfaces.renderkit.html.TabPanelRenderer.doEncodeBegin(TabPanelRenderer.java:224)
           at org.richfaces.renderkit.html.TabPanelRenderer.doEncodeBegin(TabPanelRenderer.java:180)
           at org.ajax4jsf.framework.renderer.RendererBase.encodeBegin(RendererBase.java:101)
           at javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:788)
           at javax.faces.component.UIComponent.encodeAll(UIComponent.java:884)
           at javax.faces.component.UIComponent.encodeAll(UIComponent.java:892)
           at com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:577)
           at org.ajax4jsf.framework.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:108)
           at org.ajax4jsf.framework.ajax.AjaxViewHandler.renderView(AjaxViewHandler.java:233)
           at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:106)
           at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251)
           at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:144)
           at javax.faces.webapp.FacesServlet.service(FacesServlet.java:245)
           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
           at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
           at org.jboss.seam.debug.hot.HotDeployFilter.doFilter(HotDeployFilter.java:63)
           at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
           at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:87)
           at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
           at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:63)
           at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
           at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:46)
           at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
           at org.ajax4jsf.framework.ajax.xmlfilter.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:127)
           at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:277)
           at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:40)
           at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
           at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:140)
           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
           at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
           at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
           at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
           at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
           at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
           at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
           at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
           at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
           at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
           at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
           at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
           at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
           at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
           at java.lang.Thread.run(Thread.java:595)
          Caused by: javax.el.ELException: /userShow.xhtml @19,102 rendered="#{s:hasPermission('userProfil', 'editUserProfil' , user)}": org.drools.RuntimeDroolsException: Exception executing predicate Permissions.Rule_canUserEditProfile_0ReturnValue0Invoker@ca3754e1
           at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:76)
           at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:370)
           ... 49 more
          Caused by: org.drools.RuntimeDroolsException: Exception executing predicate Permissions.Rule_canUserEditProfile_0ReturnValue0Invoker@ca3754e1
           at org.drools.rule.PredicateConstraint.isAllowedCachedRight(PredicateConstraint.java:228)
           at org.drools.common.SingleBetaConstraints.isAllowedCachedRight(SingleBetaConstraints.java:110)
           at org.drools.reteoo.JoinNode.assertObject(JoinNode.java:154)
           at org.drools.reteoo.SingleObjectSinkAdapter.propagateAssertObject(SingleObjectSinkAdapter.java:20)
           at org.drools.reteoo.ObjectTypeNode.assertObject(ObjectTypeNode.java:183)
           at org.drools.reteoo.Rete.assertObject(Rete.java:121)
           at org.drools.reteoo.ReteooRuleBase.assertObject(ReteooRuleBase.java:201)
           at org.drools.reteoo.ReteooWorkingMemory.doAssertObject(ReteooWorkingMemory.java:70)
           at org.drools.common.AbstractWorkingMemory.assertObject(AbstractWorkingMemory.java:724)
           at org.drools.common.AbstractWorkingMemory.assertObject(AbstractWorkingMemory.java:548)
           at org.jboss.seam.security.RuleBasedIdentity.hasPermission(RuleBasedIdentity.java:139)
           at org.jboss.seam.security.SecurityFunctions.hasPermission(SecurityFunctions.java:19)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:585)
           at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:325)
           at org.jboss.el.parser.AstFunction.getValue(AstFunction.java:84)
           at org.jboss.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186)
           at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71)
           ... 50 more
          Caused by: java.lang.ClassCastException: org.jboss.seam.security.PermissionCheckShadowProxy
           at org.drools.base.java.security.Principal$getName.getValue(Unknown Source)
           at org.drools.base.ClassFieldExtractor.getValue(ClassFieldExtractor.java:86)
           at org.drools.rule.Declaration.getValue(Declaration.java:156)
           at Permissions.Rule_canUserEditProfile_0ReturnValue0Invoker.evaluate(Rule_canUserEditProfile_0ReturnValue0Invoker.java:14)
           at org.drools.rule.PredicateConstraint.isAllowedCachedRight(PredicateConstraint.java:222)
           ... 69 more
          



          i am getting crazy.
          is there another way to express an "or" expression?!


          • 2. Re: Security Problem
            eethyo

            if i leave the Principal(pName:name) away and put a
            hardcoded pName in my equals it works fine.
            so there must be a conflict between the pName:name and the
            Role(name=='anyrole').

            so and now i dont know what i am doing wrong.
            do i miss some ( ) or something?

            package Permissions;
            
            import java.security.Principal;
            
            import org.jboss.seam.security.PermissionCheck;
            import org.jboss.seam.security.Role;
            import com.mydomain.session.User;
            
            rule canUserEditProfile
            when
            c: PermissionCheck(name == 'userProfil', action=='editUserProfil');
            (User(username : username -> (username.equals("hardcodedUser")))
            or
            Role(name =='Admin' ))
            then
            c.grant();
            end;