-
1. Re: security-config.xml equivalent in 2.0?
pmuir Oct 2, 2007 10:01 AM (in response to samdoyle)
You configure Seam security through pages.xml.
-
2. Re: security-config.xml equivalent in 2.0?
samdoyle Oct 2, 2007 1:37 PM (in response to samdoyle)
"pete.muir@jboss.org" wrote:
You configure seam security through pages.xml
How do you define the hierarchical relationship amongst roles through the pages.xml? I don't see anything there that provides that, which is what was provided in the security-config.xml.
Thanks, S.D.
-
3. Re: security-config.xml equivalent in 2.0?
samdoyle Oct 2, 2007 4:12 PM (in response to samdoyle)
Anyone??
Thanks, S.D.
-
4. Re: security-config.xml equivalent in 2.0?
shane.bryzak Oct 2, 2007 8:13 PM (in response to samdoyle)
Seam hasn't had a security-config.xml file since version 1.1.1. If you wish to define a hierarchical relationship between roles, you can write security rules for this. In fact, the seamspace example does exactly this - here's an example:

    rule AdminIsAUser
      salience 10
      no-loop
    when
      Role(name == "admin")
      not Role(name == "user")
    then
      insert(new Role("user"));
    end
-
5. Re: security-config.xml equivalent in 2.0?
samdoyle Oct 2, 2007 9:49 PM (in response to samdoyle)
Alright, so I followed the procedures for installing drools and configuring the security.drl properly based on examples. I'm pretty sure I have it set up properly since it was complaining when I was experimenting with options in the security.drl. In any case, I have this restriction to render a tab.

    <rich:tab switchType="page" immediate="true"
              rendered="#{s:hasRole('super-user')}"
              label="Agency Admin" name="AgencyAdmin" action="AgencyAdmin">
        <ui:include src="menu.xhtml">
            <ui:param name="projectName" value="#{projectName}"/>
        </ui:include>
    </rich:tab>

But yet this rule does not allow it to be rendered when I log in as ultra-user.

    rule UltraUserIsSuperUser
      salience 10
      no-loop
    when
      Role(name == "ultra-user")
      not Role(name == "super-user")
    then
      insert(new Role("super-user"));
    end

There are no exceptions or complaints from drools.
"shane.bryzak@jboss.com" wrote:
Seam hasn't had a security-config.xml file since version 1.1.1. If you wish to define a hierarchical relationship between roles, you can write security rules for this. In fact, the seamspace example does exactly this - here's an example:

    rule AdminIsAUser
      salience 10
      no-loop
    when
      Role(name == "admin")
      not Role(name == "user")
    then
      insert(new Role("user"));
    end
-
6. Re: security-config.xml equivalent in 2.0?
shane.bryzak Oct 2, 2007 11:23 PM (in response to samdoyle)
Oops, you're absolutely right. In seamspace it works because the role check is performed within the context of a (rule-based) permission check. I've fixed this in CVS so that RuleBasedIdentity now checks the security context for the existence of the role (as well as checking the subject), however if you can't test with the latest CVS version you could alternatively replace your s:hasRole() expression with an s:hasPermission() expression that simply checks for the existence of the required role.
-
7. Re: security-config.xml equivalent in 2.0?
samdoyle Oct 3, 2007 4:16 PM (in response to samdoyle)
Great, thanks for the information and the workaround. I wasn't aware that the hasPermission would also check the role as well. I'll give this a try.
S.D.
-
8. Re: security-config.xml equivalent in 2.0?
samdoyle Oct 3, 2007 4:49 PM (in response to samdoyle)
Hi Shane,
This didn't work either.

    <rich:tab switchType="page" immediate="true"
              rendered="#{s:hasPermission('super-user', null, null)}"
              label="Agency Admin" name="AgencyAdmin" action="AgencyAdmin">
        <ui:include src="menu.xhtml">
            <ui:param name="projectName" value="#{projectName}"/>
        </ui:include>
    </rich:tab>

This tab is rendered as part of the landing page after the user has been authenticated.
S.D.
"shane.bryzak@jboss.com" wrote:
Oops, you're absolutely right. In seamspace it works because the role check is performed within the context of a (rule-based) permission check. I've fixed this in CVS so that RuleBasedIdentity now checks the security context for the existence of the role (as well as checking the subject), however if you can't test with the latest CVS version you could alternatively replace your s:hasRole() expression with an s:hasPermission() expression that simply checks for the existence of the required role.
-
9. Re: security-config.xml equivalent in 2.0?
shane.bryzak Oct 3, 2007 7:26 PM (in response to samdoyle)
What does the source for your rule look like? It should be something like this:

    rule IsUserSuperUser
      no-loop
      activation-group "permissions"
    when
      check: PermissionCheck(name == "rolecheck", action == "super-user", granted == false)
      Role(name == 'super-user')
    then
      check.grant();
    end

In this case the expression would be hasPermission('rolecheck', 'super-user', null).
-
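An added example, not part of the thread and not Seam or Drools code: a simplified Python model of why the three expressions tried in posts 5, 8 and 9 behave differently for a user who logged in as ultra-user. It assumes, as post 6 describes, that the role check reads only the authenticated subject while a permission check is evaluated by the rules; all class and function names are hypothetical.

```python
# Simplified model of the checks discussed in this thread.
# Not Seam or Drools code: class and function names are hypothetical.
from dataclasses import dataclass


@dataclass
class PermissionCheck:
    name: str
    action: str
    granted: bool = False


def fire_rules(roles, check):
    """Forward-chain the thread's two rules over a copy of the Role facts."""
    roles = set(roles)  # working-memory Role facts for this evaluation
    progress = True
    while progress:
        progress = False
        # rule UltraUserIsSuperUser (salience 10, so it is tried first)
        if "ultra-user" in roles and "super-user" not in roles:
            roles.add("super-user")
            progress = True
            continue
        # rule IsUserSuperUser (activation-group "permissions")
        if (check.name == "rolecheck" and check.action == "super-user"
                and not check.granted and "super-user" in roles):
            check.granted = True
            progress = True
    return roles


def has_role(subject_roles, role):
    """Role check against the authenticated subject only; no rules run."""
    return role in subject_roles


def has_permission(subject_roles, name, action):
    """Insert a PermissionCheck, fire the rules, report whether it was granted."""
    check = PermissionCheck(name, action)
    fire_rules(subject_roles, check)
    return check.granted


def demo():
    login = {"ultra-user"}  # constructed sample: roles assigned at login
    return (
        has_role(login, "super-user"),                        # post 5: tab hidden
        has_permission(login, "super-user", None),            # post 8: no rule matches
        has_permission(login, "rolecheck", "super-user"),     # post 9: granted
        has_permission({"user"}, "rolecheck", "super-user"),  # unrelated role: denied
    )
```

The derived role exists only among the rule facts, so only a check that is itself evaluated by the rules, and whose name and action match a rule, can see it.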
10. Re: security-config.xml equivalent in 2.0?
samdoyle Oct 3, 2007 8:15 PM (in response to samdoyle)
Ah thanks, no, I'm pretty much a noob to drools.
Can you point me to some documentation with some solid examples?
I was looking at a very detailed grammar document but I'm a bit stretched for time for delving into that at the moment.
I just checked out the code from cvs and was going to build that and give it a try too.
Thanks, S.D.
-
11. Re: security-config.xml equivalent in 2.0?
samdoyle Oct 3, 2007 8:41 PM (in response to samdoyle)
This works awesome though, thanks again!
S.D.
"shane.bryzak@jboss.com" wrote:
What does the source for your rule look like? It should be something like this:

    rule IsUserSuperUser
      no-loop
      activation-group "permissions"
    when
      check: PermissionCheck(name == "rolecheck", action == "super-user", granted == false)
      Role(name == 'super-user')
    then
      check.grant();
    end

In this case the expression would be hasPermission('rolecheck', 'super-user', null).
-
12. Re: security-config.xml equivalent in 2.0?
shane.bryzak Oct 3, 2007 11:57 PM (in response to samdoyle)
I recommend the drools reference documentation as a good starting point for obtaining a fundamental understanding of the default rules language, that's pretty much all I've read myself.
-
13. Re: security-config.xml equivalent in 2.0?
samdoyle Oct 4, 2007 3:39 PM (in response to samdoyle)
Thanks Shane,
I'll take a look whenever I get some spare cycles. I remember seeing a useful Eclipse plugin that helps in defining the rules. It's unfortunate there isn't one for NetBeans. =/
"shane.bryzak@jboss.com" wrote:
I recommend the drools reference documentation as a good starting point for obtaining a fundamental understanding of the default rules language, that's pretty much all I've read myself.
-
14. Re: security-config.xml equivalent in 2.0?
shane.bryzak Oct 4, 2007 9:44 PM (in response to samdoyle)
The Drools team also has another product, BRMS, which you might find useful. It can be used to manage a rules repository, and the latest CR of Seam also has support for loading rules from one of these repositories (BRMS is built on Seam too :).