2 Replies Latest reply on Mar 4, 2008 8:49 AM by pete007

    How do I deny access on my forms based on the concerned entity and userrole

      Hello again,


      my last question for tonight has to deal with the seam security stuff.
      I have different user roles, and every user should see only pages which are in his scope.


      So, as an example, for my department list I added the following entry to the pages.xml:


      <page view-id="/Department*" login-required="true">
        <navigation>
          <rule if-outcome="home">
            <redirect view-id="/home.xhtml"/>
          </rule>
        </navigation>
      </page>



      This works wonderfully for users who are not logged in; they have to log in first.
      But after login it doesn't matter which role I have, everyone can see everything.


      So I tried to add a rule to the file security.drl:


      package Permissions;
      import java.security.Principal;
      import org.jboss.seam.security.PermissionCheck;
      import org.jboss.seam.security.Role;
      
      rule RestrictDepartmentPages
        no-loop
        activation-group "permissions"
      when
        check: PermissionCheck(name == "/Department*", granted == false)
        Role(name == "superadmin")
      then
        check.grant();
      end



      But this doesn't help, everyone who is logged in can still see everything.


      What am I doing wrong?


      I am always accessing the page by typing in the URL:


      http://localhost:8080/gdc/DepartmentList.seam



      Any help is welcome, Pete



      PS: I got another one that's driving me mad:
      The username on login is also the name of the department
      the account belongs to. Where should I put a restriction
      that only shows the entities of the currently logged in department?
      I assume somewhere in the PersonList.java, but in which method?
      Do I have to override one from a superclass?


      Sorry for asking such dumb questions, but I haven't slept for two days now ..
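The following pages.xml is an added example, not taken from the post above or from any reply in the thread. It shows where the authorization check is usually attached in Seam 2.0: login-required only verifies that someone is authenticated, while the <restrict> element is what triggers the role or permission check when a view is rendered. The role name "superadmin", the view ids and the login/home view ids are assumed to match the poster's application.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the poster's file): pages.xml for Seam 2.0.
     Assumed names: role "superadmin", views /Department*, /Person*, /login.xhtml, /home.xhtml. -->
<pages xmlns="http://jboss.com/products/seam/pages"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://jboss.com/products/seam/pages http://jboss.com/products/seam/pages-2.0.xsd"
       no-conversation-view-id="/home.xhtml"
       login-view-id="/login.xhtml">

  <!-- login-required answers "is anyone logged in?"; it never looks at roles.
       The <restrict> element is evaluated on every render of a matching view:
       if the EL expression is false, Seam throws an AuthorizationException. -->
  <page view-id="/Department*" login-required="true">
    <restrict>#{s:hasRole('superadmin')}</restrict>
    <navigation>
      <rule if-outcome="home">
        <redirect view-id="/home.xhtml"/>
      </rule>
    </navigation>
  </page>

  <!-- Alternative: an empty <restrict/> delegates the decision to security.drl.
       Seam then inserts a PermissionCheck whose name is the concrete view id
       (for example "/PersonList.xhtml") with action "render" (and "restore"),
       so a rule must match that exact name (or use a Drools regex via `matches`);
       a literal "*" inside name == "..." matches nothing. -->
  <page view-id="/Person*" login-required="true">
    <restrict/>
  </page>

  <!-- Map the two security exceptions to user-facing redirects instead of
       letting them surface as stack traces. -->
  <exception class="org.jboss.seam.security.NotLoggedInException">
    <redirect view-id="/login.xhtml">
      <message>You must be logged in to access this page</message>
    </redirect>
  </exception>

  <exception class="org.jboss.seam.security.AuthorizationException">
    <redirect view-id="/home.xhtml">
      <message>You don't have permission to access this page</message>
    </redirect>
  </exception>
</pages>
```

With the first form no Drools rule is needed at all; the check is done entirely by the s:hasRole EL function. With the second form the existing security.drl rule only fires if its PermissionCheck name and action match what Seam actually inserts for the view being rendered, which is worth verifying by logging the check name before looking anywhere else.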