-
1. Re: How to grant permissions without rules
shane.bryzak Oct 13, 2008 2:50 AM (in response to stenlylee)
Generally speaking, the first user you add to an application is usually done via a direct database insert. For granting the identity management permissions, you can use the following rules which work for users with the admin role:

    rule ManageUsers
      no-loop
      activation-group "permissions"
    when
      check: PermissionCheck(name == "seam.user", granted == false)
      Role(name == "admin")
    then
      check.grant();
    end

    rule ManageRoles
      no-loop
      activation-group "permissions"
    when
      check: PermissionCheck(name == "seam.role", granted == false)
      Role(name == "admin")
    then
      check.grant();
    end
-
2. Re: How to grant permissions without rules
stenlylee Oct 13, 2008 3:06 AM (in response to stenlylee)
I had tried these rules, and it works

1.
But if I want to insert records into my db, how to write the value?
target: seam.user -------- like this?

another question
2.
In my tables I have some columns like

    @Column @NotNull
    private Date roleAddTime;

when I use identityManager.createUser(username, password)
how to set the required value?

3.
could I save the password by its literal value?
not use md5 or sha? (It seems the default value is md5)

sorry bout so many questions
thanks a lot
-
3. Re: How to grant permissions without rules
shane.bryzak Oct 13, 2008 3:25 AM (in response to stenlylee)
> 1.
> But if I want to insert records into my db, how to write the value?
> target: seam.user -------- like this?

If you want to create the identity management permissions as persistent permissions instead of rule-based permissions, then the target would be seam.user, the recipient would be admin (or whichever role name) and the action would be create,read,update,delete. E.g.:

    INSERT INTO ROLE_PERMISSION (TARGET, RECIPIENT, ACTIONS) VALUES ('seam.user', 'admin', 'create,read,update,delete');

> another question
> 2.
> In my tables I have some columns like
> @Column @NotNull
> private Date roleAddTime;
> when I use identityManager.createUser(username, password)
> how to set the required value?

Write an observer for the org.jboss.seam.security.management.prePersistUser event, which passes an instance of the user object to the event observer before it is persisted.

> 3.
> could I save the password by its literal value?
> not use md5 or sha? (It seems the default value is md5)
> sorry bout so many questions
> thanks a lot

Yes, simply set hash = "none" on the @UserPassword field.
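
One way to write the prePersistUser observer described in the reply above, as an added example that is not code from the thread or from Seam itself. RegisterAction, UserAccount and its email and addTime properties are hypothetical names, and the stand-in UserAccount omits the JPA and identity annotations a real user entity carries.

```java
import java.util.Date;

import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Observer;
import org.jboss.seam.security.management.IdentityManager;
import org.jboss.seam.security.management.JpaIdentityStore;

// Added example, not code from the thread. RegisterAction, UserAccount and
// the email/addTime properties are hypothetical names.
@Name("registerAction") // plain JavaBean component, so EVENT (request) scope
public class RegisterAction {

    private String username;
    private String password;
    private String email; // extra form field that createUser() has no parameter for

    // Form action. createUser() checks the seam.user "create" permission and
    // raises prePersistUser just before the user entity is saved.
    public boolean register() {
        return IdentityManager.instance().createUser(username, password);
    }

    // EVENT_PRE_PERSIST_USER is "org.jboss.seam.security.management.prePersistUser".
    // The argument is the new, not yet persisted user entity, so values set
    // here are stored together with the username and password.
    @Observer(JpaIdentityStore.EVENT_PRE_PERSIST_USER)
    public void prePersistUser(UserAccount user) {
        user.setAddTime(new Date()); // fills a @NotNull column
        if (email != null) {         // null when createUser() was called elsewhere
            user.setEmail(email);
        }
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

// Stand-in for the application's user entity (the class configured on the
// identity store); JPA mapping and @UserPrincipal/@UserPassword are omitted.
class UserAccount {
    private String email;
    private Date addTime;
    public void setEmail(String email) { this.email = email; }
    public void setAddTime(Date addTime) { this.addTime = addTime; }
}
```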
-
4. Re: How to grant permissions without rules
tognado Feb 10, 2009 5:20 PM (in response to stenlylee)
> Write an observer for the org.jboss.seam.security.management.prePersistUser event, which passes an instance of the user object to the event observer before it is persisted.

I created an email field on my User bean and I want to persist it when createUser() is fired. That email should be displayed when the user registry is viewed and persisted again when it's updated.
I am trying to figure out how to implement an org.jboss.seam.security.management.prePersistUser observer to obtain this effect, but I can't find any example. Can anyone help me?
I am reading the Seam reference and I didn't find a specific topic about observers, as well.
Thiago
-
5. Re: How to grant permissions without rules
stenlylee Feb 10, 2009 6:53 PM (in response to stenlylee)
how to add an observer?
just put @Observer above any method of your Seam components
and the parameter is the event
-
6. Re: How to grant permissions without rules
tognado Feb 11, 2009 11:40 AM (in response to stenlylee)
> just put @Observer above any method of your Seam components
> and the parameter is the event

Hello, thanks for the quick answer, but that was the only thing I knew about it :-)
My problem is: How to persist (on MySQL) those data fulfilled when the form is submitted and how to display these extra fields on the form fields when a user clicks in a clickable data list.
Thiago
-
7. Re: How to grant permissions without rules
thiruneela Feb 12, 2009 12:09 PM (in response to stenlylee)
Hi,
With respect to Shane Bryzak's reply, where to configure this code (in which class)? Thanks for any help.
-
8. Re: How to grant permissions without rules
sigi77 Dec 4, 2009 10:05 AM (in response to stenlylee)
I switched from role based security to the jpaPermissionStore. To register new users I use a runAs command to add a role with the appropriate privileges to create new users. The problem I encounter is in the PersistentPermissionResolver class when the method hasPermission(Object target, String action) is called. The problem is that getPrincipal().getName() returns null. Shane, do you have a suggestion how I should solve this issue in order not to break your idea behind the PersistentPermissionResolver class?
Here is your code :)
Kind regards
Andy

    public boolean hasPermission(Object target, String action)
    {
       if (permissionStore == null) return false;

       Identity identity = Identity.instance();
       if (!identity.isLoggedIn()) return false;

       List<Permission> permissions = permissionStore.listPermissions(target, action);

       String username = identity.getPrincipal().getName();

       for (Permission permission : permissions)
       {
          if (permission.getRecipient() instanceof SimplePrincipal &&
              username.equals(permission.getRecipient().getName()))
          {
             return true;
          }

          if (permission.getRecipient() instanceof Role)
          {
             Role role = (Role) permission.getRecipient();

             if (role.isConditional())
             {
                RuleBasedPermissionResolver resolver = RuleBasedPermissionResolver.instance();
                if (resolver.checkConditionalRole(role.getName(), target, action)) return true;
             }
             else if (identity.hasRole(role.getName()))
             {
                return true;
             }
          }
       }

       return false;
    }
-
9. Re: How to grant permissions without rules
shane.bryzak Dec 4, 2009 1:06 PM (in response to stenlylee)
I don't quite understand what the issue is - are you saying that the current user isn't authenticated?
-
10. Re: How to grant permissions without rules
sigi77 Dec 7, 2009 8:55 AM (in response to stenlylee)
Hey Shane, thanks for responding so quickly.
Yes, the user isn't authenticated at this point. He is signing up at this point. When I was using rule based permission it was ok to use the RunAsOperation() to add a role which had the appropriate right to use createUser() on the IdentityManager. When I try to do that now with the jpaPermissionStore I get a NullPointerException because the username is null.
-
11. Re: How to grant permissions without rules
shane.bryzak Dec 7, 2009 11:58 AM (in response to stenlylee)
Ah yes, I see the problem now... that seems to be a bug. I'll fix it in SVN, however in the meantime to work around it you'll need to override the PersistentPermissionResolver component and define your own hasPermission() method with the following changed code:

    String username = identity.getPrincipal() != null ?
       identity.getPrincipal().getName() : null;

    for (Permission permission : permissions)
    {
       if (username != null &&
           permission.getRecipient() instanceof SimplePrincipal &&
           username.equals(permission.getRecipient().getName()))
       {
          return true;
       }
       // ... remainder of the loop as in the original method

The rest of the code in the hasPermission() method (besides this) should remain unchanged.
-
12. Re: How to grant permissions without rules
sigi77 Dec 7, 2009 3:11 PM (in response to stenlylee)
Thanks again for that quick answer. That's what I wanted to do but not without your confirmation :).
-
13. Re: How to grant permissions without rules
sigi77 Dec 7, 2009 3:36 PM (in response to stenlylee)
Using the jpaIdentityStore, is it possible to change usernames (logonnames)?
I have the following use case.
- User logs in (with emailAddress)
- User changes his emailAddress
- User receives an email to the new emailaddress with a link to confirm that address
- When the link is clicked, the new emailaddress is saved directly in the eMail field in the DB.
Unfortunately I can not log in with this new emailaddress. Do I do something illegal here? Is it even possible that logon names can be changed?
Thanks again.
-
14. Re: How to grant permissions without rules
shane.bryzak Dec 7, 2009 3:46 PM (in response to stenlylee)
You can't change it through the identity management API, but you should be able to change it by updating the entity directly.