0 Replies Latest reply on Jul 26, 2008 1:50 AM by rohanmars

    Drools Security Problem - Removing Role from working memory

    rohanmars

      Hi All


      I have a problem where the Role fact is being removed from the Drools working memory prior invoking on the seam component. Thus receiving authorization exceptions.


      I have most ejb entity and session beans secured with a @Restrict annotation. The signin bean, without the Restrict, has RunAsOperation blocks which set the Role so that entity calls pass correctly to validate the user and set their Roles. Up to this point all is working correctly. However, when the login function completes and the code makes the first app call onto a secured session bean I get authortization exceptions.


      Debugging the drools rules I found if I remove the Role condition the the call succeeds. Got me thinking that the Role must not be present in the working memory. Some basic debugging found the following call be made in the RudeBaseIdentity calss just before the failing seam call.


      if (!super.hasRole(r.getName())){
           FactHandle fh = getSecurityContext().getFactHandle(r);
           getSecurityContext().retract(fh);
      }
      



      Strange, if I do a test on hasRole on the identity the correct role is there. I did this test by calling an un-restricted method/bean.


      Finally, I thought maybe the problem is to do with the RunAsOperation block, I removed this and then all works correctly. Obviously, the signin process/beans being unsecured so its not a solution.


      Any ideas why the RunAsOperation would cause the removal of the Role object from the fact memory during later calls?


      Cheers


      Rohan