14 Replies Latest reply on Oct 4, 2007 9:44 PM by shane.bryzak

    security-config.xml equivalent in 2.0?

    samdoyle

      What is the equivalent of this in 2.0? I don't see one.

      S.D.

        • 1. Re: security-config.xml equivalent in 2.0?
          pmuir

          You configure seam security through pages.xml

          • 2. Re: security-config.xml equivalent in 2.0?
            samdoyle

             

            "pete.muir@jboss.org" wrote:
            You configure seam security through pages.xml


            How do you define the hierarchical relationship amongst roles through the pages.xml? I don't see anywhere that provides that which is what was provided in the security-config.xml?

            Thanks, S.D.

            • 3. Re: security-config.xml equivalent in 2.0?
              samdoyle

              Anyone??

              Thanks, S.D.

              • 4. Re: security-config.xml equivalent in 2.0?
                shane.bryzak

                Seam hasn't had a security-config.xml file since version 1.1.1. If you wish to define a hierarchical relationship between roles, you can write security rules for this. In fact, the seamspace example does exactly this - here's an example:

                rule AdminIsAUser
                 salience 10
                 no-loop
                when
                 Role(name == "admin")
                 not Role(name == "user")
                then
                 insert(new Role("user"));
                end




                • 5. Re: security-config.xml equivalent in 2.0?
                  samdoyle

                  Alright, so I followed the procedures for installing drools and configuring the security.drl properly based on examples. I'm pretty sure I have it set up properly since it was complaining when I was experimenting with options in the security.drl. In any case, I have this restriction to render a tab.

                  <rich:tab switchType="page" immediate="true" rendered="#{s:hasRole('super-user')}" label="Agency Admin" name="AgencyAdmin" action="AgencyAdmin">
                   <ui:include src="menu.xhtml">
                    <ui:param name="projectName" value="#{projectName}"/>
                   </ui:include>
                  </rich:tab>
                  


                  But yet this rule does not allow it to be rendered when I log in as ultra-user.

                  rule UltraUserIsSuperUser
                   salience 10
                   no-loop
                  when
                   Role(name == "ultra-user")
                   not Role(name == "super-user")
                  then
                   insert(new Role("super-user"));
                  end
                  


                  There are no exceptions or complaints from drools.

                  "shane.bryzak@jboss.com" wrote:
                  Seam hasn't had a security-config.xml file since version 1.1.1. If you wish to define a hierarchical relationship between roles, you can write security rules for this. In fact, the seamspace example does exactly this - here's an example:

                  rule AdminIsAUser
                   salience 10
                   no-loop
                  when
                   Role(name == "admin")
                   not Role(name == "user")
                  then
                   insert(new Role("user"));
                  end




                  • 6. Re: security-config.xml equivalent in 2.0?
                    shane.bryzak

                    Oops, you're absolutely right. In seamspace it works because the role check is performed within the context of a (rule-based) permission check. I've fixed this in CVS so that RuleBasedIdentity now checks the security context for the existence of the role (as well as checking the subject), however if you can't test with the latest CVS version you could alternatively replace your s:hasRole() expression with an s:hasPermission() expression that simply checks for the existence of the required role.

                    • 7. Re: security-config.xml equivalent in 2.0?
                      samdoyle

                      Great, thanks for the information and the workaround. I wasn't aware that the hasPermission would also check the role as well. I'll give this a try.

                      S.D.

                      • 8. Re: security-config.xml equivalent in 2.0?
                        samdoyle

                        Hi Shane,

                        This didn't work either.

                        <rich:tab switchType="page" immediate="true" rendered="#{s:hasPermission('super-user', null, null)}" label="Agency Admin" name="AgencyAdmin" action="AgencyAdmin">
                         <ui:include src="menu.xhtml">
                          <ui:param name="projectName" value="#{projectName}"/>
                         </ui:include>
                        </rich:tab>
                        


                        This tab is rendered as part of the landing page after the user has been authenticated.

                        S.D.

                        "shane.bryzak@jboss.com" wrote:
                        Oops, you're absolutely right. In seamspace it works because the role check is performed within the context of a (rule-based) permission check. I've fixed this in CVS so that RuleBasedIdentity now checks the security context for the existence of the role (as well as checking the subject), however if you can't test with the latest CVS version you could alternatively replace your s:hasRole() expression with an s:hasPermission() expression that simply checks for the existence of the required role.


                        • 9. Re: security-config.xml equivalent in 2.0?
                          shane.bryzak

                          What does the source for your rule look like? It should be something like this:

                          rule IsUserSuperUser
                           no-loop
                           activation-group "permissions"
                          when
                           check: PermissionCheck(name == "rolecheck", action == "super-user", granted == false)
                           Role(name == 'super-user')
                          then
                           check.grant();
                          end


                          In this case the expression would be hasPermission('rolecheck', 'super-user', null).
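
An added example, not part of the thread and not Seam project code: a security.drl that puts the role-hierarchy rule from earlier in the thread next to a generalized form of the rolecheck rule above, so that one rule covers any role name. The package name, the rule name `RoleCheck` and the `$role` binding are assumptions, and the imports assume the Seam 2.0 locations of `PermissionCheck` and `Role`.

```drools
package ExamplePermissions; // hypothetical package name

// Assumed Seam 2.0 locations of the fact classes used by the thread's rules
import org.jboss.seam.security.PermissionCheck;
import org.jboss.seam.security.Role;

// Hierarchy: an ultra-user is also a super-user. The higher salience lets this
// rule fire before the permission rule, so the implied Role fact is already in
// working memory when the check is evaluated.
rule UltraUserIsSuperUser
  salience 10
  no-loop
when
  Role(name == "ultra-user")
  not Role(name == "super-user")
then
  insert(new Role("super-user"));
end

// Generalized role check: binds the requested role name from the check's
// action and grants only if a Role fact with that name is in working memory,
// including one inserted by the hierarchy rule above. If no such fact exists
// the rule never fires and the check stays denied.
rule RoleCheck
  no-loop
  activation-group "permissions"
when
  check: PermissionCheck(name == "rolecheck", $role : action, granted == false)
  Role(name == $role)
then
  check.grant();
end
```

The view expression stays `#{s:hasPermission('rolecheck', 'super-user', null)}`, with the role name passed as the action.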

                          • 10. Re: security-config.xml equivalent in 2.0?
                            samdoyle

                            Ah thanks, no, I'm pretty much a noob to drools.
                            Can you point me to some documentation with some solid examples?
                            I was looking at a very detailed grammar document but I'm a bit stretched for time for delving into that at the moment.

                            I just checked out the code from cvs and was going to build that and give it a try too.

                            Thanks, S.D.

                            • 11. Re: security-config.xml equivalent in 2.0?
                              samdoyle

                              This works awesome though, thanks again!

                              S.D.

                              "shane.bryzak@jboss.com" wrote:
                              What does the source for your rule look like? It should be something like this:

                              rule IsUserSuperUser
                               no-loop
                               activation-group "permissions"
                              when
                               check: PermissionCheck(name == "rolecheck", action == "super-user", granted == false)
                               Role(name == 'super-user')
                              then
                               check.grant();
                              end


                              In this case the expression would be hasPermission('rolecheck', 'super-user', null).


                              • 12. Re: security-config.xml equivalent in 2.0?
                                shane.bryzak

                                I recommend the drools reference documentation as a good starting point for obtaining a fundamental understanding of the default rules language, that's pretty much all I've read myself.

                                • 13. Re: security-config.xml equivalent in 2.0?
                                  samdoyle

                                  Thanks Shane,

                                  I'll take a look whenever I get some spare cycles. I remember seeing a useful Eclipse plugin that helps in defining the rules. It's unfortunate there isn't one for NetBeans. =/

                                  "shane.bryzak@jboss.com" wrote:
                                  I recommend the drools reference documentation as a good starting point for obtaining a fundamental understanding of the default rules language, that's pretty much all I've read myself.


                                  • 14. Re: security-config.xml equivalent in 2.0?
                                    shane.bryzak

                                    The Drools team also has another product, BRMS, which you might find useful. It can be used to manage a rules repository, and the latest CR of Seam also has support for loading rules from one of these repositories (BRMS is built on Seam too :).