strange behaviour with security rules 2.0.1GA
jamesjmp Feb 12, 2008 6:51 AM
hi!
I have just started to work with the latest releases (SEAM 2.0.1.GA and JBoss 4.2.2).
I am testing the security and something strange happens with my application.
Restrictions defined in my pages.xml with s:hasRole work OK, but in the .drl file they are not working properly.
This is my authenticate method:
    public boolean authenticate() {
        // Test stub with hard-coded credentials; note that equalsIgnoreCase makes the
        // password comparison case-insensitive, which is only acceptable for a test stub.
        if (identity.getUsername().equalsIgnoreCase("admin")
                && identity.getPassword().equalsIgnoreCase("hola")) {
            // role added to the identity before authentication completes
            identity.addRole("adminGral");
            return true;
        } else if (identity.getUsername().equalsIgnoreCase("simpleuser")
                && identity.getPassword().equalsIgnoreCase("bonjour")) {
            identity.addRole("user");
            return true;
        }
        // Needed for the method to compile (every path must return a value);
        // any other username/password combination fails authentication.
        return false;
    }
These are the restrictions defined in pages.xml:
    <page view-id="/FirmChoose.xhtml">
        <restrict>#{s:hasRole('adminGral')}</restrict>
    </page>
    <page view-id="/FirmList.xhtml">
        <restrict/>
    </page>
and this is the rule defined in my security.drl:
    rule FirmList
    when
        c: PermissionCheck(name == "/FirmList.xhtml", action == "render")
        Role(name == "adminGral")
    then
        c.grant();
    end;
When I authenticate with simpleuser, as it only has the user role I may not access
the restricted pages (FirmList and FirmChoose), and the following exception appears:
12:27:41,671 ERROR [SeamPhaseListener] uncaught exception
org.jboss.seam.security.AuthorizationException: Authorization check failed for permission [/FirmList.xhtml,render]
at org.jboss.seam.security.Identity.checkPermission(Identity.java:486)
at org.jboss.seam.navigation.Page.checkPermission(Page.java:214)
at org.jboss.seam.navigation.Page.preRender(Page.java:238)
at org.jboss.seam.navigation.Pages.preRender(Pages.java:309)
at org.jboss.seam.jsf.SeamPhaseListener.preRenderPage(SeamPhaseListener.java:549)
at org.jboss.seam.jsf.SeamPhaseListener.beforeRenderResponse(SeamPhaseListener.java:460)
at org.jboss.seam.jsf.SeamPhaseListener.beforeServletPhase(SeamPhaseListener.java:144)
at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:114)
at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:222)
at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:144)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:245)
....
That is OK. But on the other hand, if I authenticate with admin, I am allowed to access FirmChoose (#{s:hasRole('adminGral')} works perfectly) but however I may not access FirmList (FirmList does not grant my access in spite of my having the adminGral role).
I wonder if I have missed configuring something or if I am doing something wrong. (I hope it is not a bug.)
thanks in advance!