14 Replies Latest reply on Mar 1, 2012 4:05 PM by gerry.matte

    Configuring JpaPermissionStore

    riboriori

      Hi all
      I've successfully configured (within seam-beans-xml file) JpaIdentityStore; now I'm trying to configure JpaPermissionStore.
      I report a code snippet below:





      <beans      xmlns="http://java.sun.com/xml/ns/javaee"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:s="urn:java:ee"
                xmlns:security="urn:java:org.jboss.seam.security"          
                xmlns:permission="urn:java:org.jboss.seam.security.permission"
                xmlns:plidm="urn:java:org.jboss.seam.security.management.picketlink" 
                xsi:schemaLocation="http://java.sun.com/xml/ns/javaee  http://jboss.org/schema/cdi/beans_1_0.xsd">
      
           <permission:JpaPermissionStore >
                <s:replaces/>
                <permission:identityPermissionClass>com.mycompany.domain.entity.security.IdentityPermission</permission:identityPermissionClass>
           </permission:JpaPermissionStore>
      
      </beans>



      In a controller I test the following code:




      @Inject PermissionManager permissionManager;
      
      public void testEnabledPermissionManager()
      {
      System.out.println(permissionManager.getPermissionStore().isEnabled());
      }



      Where permissionStore interface is an instance of JpaPermissionStore.
      The output on console says false.
      What can I do in order to configure JpaPermissionStore correctly?


      Regards.

        • 1. Re: Configuring JpaPermissionStore
          riboriori

          Has anyone ever used permission management with Seam 3? Can anyone help me?

          • 2. Re: Configuring JpaPermissionStore
            poulpe

            Hi,


            My guess is that persistent permissions (ACLs) are not usable right now. I saw that information in the "What's next?" part of My Link


            I think the only way to deal with permissions is to use Drools and the security.drl by creating permission rules while waiting for ACLs.
            The idmconsole example uses the security.drl file to create rules for roles.


            Regards

            • 3. Re: Configuring JpaPermissionStore
              riboriori

              I think it's so; in fact I think that JpaPermissionStore is never initialized.
              In its method initProperties there are various checks for correct configuration of identityPermissionClass
              and its various properties annotated with @PermissionProperty (IDENTITY, RELATIONSHIPTYPE, RELATIONSHIPNAME and RESOURCE). If all checks pass then that variable (isEnabled) is forced to true.
              But if I insert a breakpoint into the initProperties method BEFORE starting JBoss, that method is never called.
              I'm waiting for a 3.01 version...
              When is it scheduled? Do you know?
              (Sorry for my bad English).
              Best regards

              • 4. Re: Configuring JpaPermissionStore
                riboriori

                I've read that post, but it refers to 3.0.0.Alpha1 while I'm using 3.0.0 Final.....

                • 5. Re: Configuring JpaPermissionStore
                  shane.bryzak

                  JpaPermissionStore didn't make it into the Seam 3.0 release; with the refactoring to use PicketLink as the core security API, we still need to rewrite ACL permissions.  It's planned to be released as part of Seam 3.1, the first beta of which is due in August.

                  • 6. Re: Configuring JpaPermissionStore
                    riboriori

                    Thank you Shane, I'll wait for August.
                    Regards

                    • 7. Re: Configuring JpaPermissionStore
                      baraber

                      I tried to play with JpaPermissionStore a bit and I have a question.


                      Why is the init method not called by CDI?
                      It is annotated with @Inject and therefore should be called.
                      Same problem for all injected fields.  For example, the BeanManager should normally be injected but is always null.  Maybe I just miss some basic CDI understanding for injection in application-scoped beans?


                      Can someone explain it?

                      • 8. Re: Configuring JpaPermissionStore
                        baraber

                        Oh, forget that last one.  To have the JpaIdentityStore enabled, you must configure it like this:


                        <security:JpaPermissionStore>
                                <s:modifies/>
                                <security:identityPermissionClass>foo.bar.IdentityPermission</security:identityPermissionClass>
                        </security:JpaPermissionStore>
                        



                        My mistake was to use <s:replaces/> instead of <s:modifies/>.

                        • 9. Re: Configuring JpaPermissionStore
                          mariogiurlanda

                          Hello,


                          I'm trying to configure JpaPermissionStore as you said




                          <security:JpaPermissionStore>
                                  <s:modified/>
                                  <security:identityPermissionClass>foo.bar.IdentityPermission</security:identityPermissionClass>
                          </security:JpaPermissionStore>






                          seam-config log says:


                          [org.jboss.seam.config.xml.bootstrap.XmlConfigExtension]

                          Adding XML Defined Bean: org.jboss.seam.security.permission.JpaPermissionStore


                          So I guess the framework is picking up the bean, but then when I try to use the instance all fields are not initialized, even the identityPermissionClass.


                          Any help? Did you get any further?


                          Thanks,


                          Mario

                          • 10. Re: Configuring JpaPermissionStore
                            lightguard

                            Mario, please try replaces instead of modifies as Richard stated just before your post.

                            • 11. Re: Configuring JpaPermissionStore
                              mariogiurlanda

                              I was able to enable the JpaPermissionStore but I cannot retrieve any permission from the database because I never pass the following conditional statement in JpaPermissionStore


                              if (resource != null && (action == null || (actionSet != null && actionSet.contains(action))))



                              My action is not null but the actionSet is null as well.


                              Could someone explain this bit better so I can try to provide a patch for it?


                              Thanks,


                              Mario


                              • 12. Re: Configuring JpaPermissionStore
                                shane.bryzak

                                Guys, as I stated previously, JpaPermissionStore is not complete in Seam 3.  It requires some significant refactoring to bring it in line with Seam's new PicketLink-based security model, and I also have a number of enhancements that need to be implemented.  Unfortunately, since this work looks like it will take a couple of weeks of solid work, it will most likely not make it into the upcoming 3.1 release; however, since it seems to be attracting more attention, I will do my best to make it a higher priority for the subsequent release.

                                • 13. Re: Configuring JpaPermissionStore
                                  riboriori

                                  Hi Shane, any news about permissions?
                                  Is it present in seam-3.1.0.Beta3?
                                  Regards

                                  • 14. Re: Configuring JpaPermissionStore
                                    gerry.matte

                                    Hi Shane.

                                    I've been trying to implement the idmconsole example.

                                    Everything works fine as long as I use role 'admin' and group 'Head Office' for userids that I create.

                                     

                                    I tried to use webadmin rather than admin by modifying security.drl.  The application throws an illegalArgumentException "Illegal Group Reference".

                                     

                                    So I restored the security.drl and added a new group 'all' and made my test userid a member of both 'Head Office' and of 'all'.  I still get the exception.

                                     

                                    It looks to me like the seam security module isn't really usable - or something seems to be hard coded in the picketlink configuration?

                                     

                                    Is the JpaPermissionStore complete now?