Why does the following basic sample security.drl file not work? I know that it's getting used because if I change something in the file to be invalid, I get the appropriate error message upon application startup. But in this case the rules file parses/compiles fine.

rule firstrule
when
  check : PermissionCheck(action == "render")
  Identity(loggedIn == false)
then
  check.revoke();
end;

rule secondrule
when
  check : PermissionCheck(name == "/page.xhtml", action == "render")
then
  check.grant();
end;

These are the only two rules in the file. What I'd like to do is (using security.drl and not pages.xml) disallow access to all pages for people who are not logged in - that's the first rule. The second rule says if someone accesses page.xhtml, then they're allowed to proceed without being logged in.

This doesn't work because anyone can access any page without being logged in. Am I allowed to use check.revoke() as I have? If so, what am I doing wrong here? (I realize this can be done in pages.xml, but it's not working there as well for me, and I'd like to learn more about how to properly use security.drl.)

Thanks.