15 Replies Latest reply on Dec 7, 2009 4:27 PM by sigi77

    How to grant permissions without rules

    stenlylee
      I created a new project with jpaIdentityStore & jpaPermissionStore, and there aren't any records in the database.

      Then how can I create a user and grant some permissions (like seam.user create, etc.) to the new user?

      I read the seamspace example, but I don't know how to do this with Java code (without rules).

      Thanks for any help.
        • 1. Re: How to grant permissions without rules
          shane.bryzak

          Generally speaking, the first user you add to an application is usually done via a direct database insert.  For granting the identity management permissions, you can use the following rules which work for users with the admin role:


          rule ManageUsers
            no-loop
            activation-group "permissions"
          when
            check: PermissionCheck(name == "seam.user", granted == false)
            Role(name == "admin")
          then
            check.grant();
          end
          
          rule ManageRoles
            no-loop
            activation-group "permissions"
          when
            check: PermissionCheck(name == "seam.role", granted == false)
            Role(name == "admin")
          then
            check.grant();
          end



          • 2. Re: How to grant permissions without rules
            stenlylee

            I have tried these rules, and they work.

            1.
            But if I want to insert records into my DB, how do I write the value?
            target: seam.user -------- like this?

            Another question:

            2.
            In my tables I have some columns like

            @Column @NotNull
            private Date roleAddTime;

            When I use identityManager.createUser(username, password),
            how do I set the required value?

            3.
            Could I save the password as its literal value,
            not using MD5 or SHA? (It seems the default is MD5.)

            Sorry about so many questions.
            Thanks a lot.

            • 3. Re: How to grant permissions without rules
              shane.bryzak

              1.
              But if I want to insert records into my DB, how do I write the value?
              target: seam.user -------- like this?

              If you want to create the identity management permissions as persistent permissions instead of rule-based permissions, then the target would be seam.user, the recipient would be admin (or whichever role name) and the action would be create,read,update,delete.  E.g.:

              INSERT INTO ROLE_PERMISSION (TARGET, RECIPIENT, ACTIONS)
              VALUES ('seam.user', 'admin', 'create,read,update,delete');

              Another question:

              2.
              In my tables I have some columns like

              @Column @NotNull
              private Date roleAddTime;

              When I use identityManager.createUser(username, password),
              how do I set the required value?

              Write an observer for the org.jboss.seam.security.management.prePersistUser event, which passes an instance of the user object to the event observer before it is persisted.

              3.
              Could I save the password as its literal value,
              not using MD5 or SHA? (It seems the default is MD5.)

              Sorry about so many questions.
              Thanks a lot.

              Yes, simply set hash = "none" on the @UserPassword field.

              • 4. Re: How to grant permissions without rules
                tognado

                Write an observer for the org.jboss.seam.security.management.prePersistUser event, which passes an instance of the user object to the event observer before it is persisted.

                I created an email field on my User bean and I want to persist it when createUser() is fired. That email should be displayed when the user registry is viewed and persisted again when it's updated.

                I am trying to figure out how to implement an org.jboss.seam.security.management.prePersistUser observer to obtain this effect, but I can't find any example. Can anyone help me?

                I am reading the Seam reference and I didn't find a specific topic about observers either.

                Thiago

                • 5. Re: How to grant permissions without rules
                  stenlylee

                  How to add an observer?

                  Just put @Observer above any method of your Seam components,
                  and the parameter is the event.

                  • 6. Re: How to grant permissions without rules
                    tognado

                    Just put @Observer above any method of your Seam components,
                    and the parameter is the event.

                    Hello, thanks for the quick answer, but that was the only thing I knew about it :-)
                    My problem is: how to persist (on MySQL) the data filled in when the form is submitted, and how to display these extra fields in the form fields when a user clicks in a clickable data list.

                    Thiago

                    • 7. Re: How to grant permissions without rules
                      thiruneela

                      Hi,

                      With respect to Shane Bryzak's reply, where do I configure this code (in which class)? Thanks for any help.
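The observer Shane describes in reply 3, which replies 4 to 7 ask how and where to write, as an added example (this is not code from the thread or from Seam itself). It is an ordinary Seam 2 component; the event name is the one from reply 3. The entity class User with setRoleAddTime()/setEmail() and the conversation-scoped component RegistrationData holding the extra form fields are assumptions.

```java
import java.util.Date;

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Observer;

// Any Seam component works; a dedicated one keeps the hook easy to find.
@Name("userPrePersistObserver")
public class UserPrePersistObserver {

    // Hypothetical conversation-scoped component that the registration form binds
    // its extra fields (such as the email) to; it only needs a getEmail() accessor.
    @In(required = false)
    private RegistrationData registrationData;

    // Seam raises this event from IdentityManager.createUser() with the new user
    // entity as the parameter, before the entity is persisted.
    @Observer("org.jboss.seam.security.management.prePersistUser")
    public void prePersistUser(User user) {
        // Fill the @NotNull column that createUser(username, password) knows nothing about.
        if (user.getRoleAddTime() == null) {
            user.setRoleAddTime(new Date());
        }
        // Carry the email typed on the registration form onto the entity so it is
        // stored in the same INSERT as the username and password.
        if (registrationData != null && registrationData.getEmail() != null) {
            user.setEmail(registrationData.getEmail());
        }
    }
}
```

The same pattern applies to a later update: Seam's identity management only knows the fields it annotates, so anything else has to be set on the entity by your own code before it is flushed.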

                      • 8. Re: How to grant permissions without rules
                        sigi77

                        I switched from role-based security to the jpaPermissionStore. To register new users I use a runAs command to add a role with the appropriate privileges to create new users. The problem I encounter is in the PersistentPermissionResolver class when the method hasPermission(Object target, String action) is called. The problem is that getPrincipal().getName() returns null. Shane, do you have a suggestion how I should solve this issue in order not to break your idea behind the PersistentPermissionResolver class?


                        Here is your code :)
                        Kind regards
                        Andy


                        public boolean hasPermission(Object target, String action)
                        {
                           if (permissionStore == null) return false;

                           Identity identity = Identity.instance();

                           if (!identity.isLoggedIn()) return false;

                           List<Permission> permissions = permissionStore.listPermissions(target, action);

                           String username = identity.getPrincipal().getName();

                           for (Permission permission : permissions)
                           {
                              if (permission.getRecipient() instanceof SimplePrincipal &&
                                    username.equals(permission.getRecipient().getName()))
                              {
                                 return true;
                              }

                              if (permission.getRecipient() instanceof Role)
                              {
                                 Role role = (Role) permission.getRecipient();

                                 if (role.isConditional())
                                 {
                                    RuleBasedPermissionResolver resolver = RuleBasedPermissionResolver.instance();
                                    if (resolver.checkConditionalRole(role.getName(), target, action)) return true;
                                 }
                                 else if (identity.hasRole(role.getName()))
                                 {
                                    return true;
                                 }
                              }
                           }

                           return false;
                        }

                        • 9. Re: How to grant permissions without rules
                          shane.bryzak

                          I don't quite understand what the issue is - are you saying that the current user isn't authenticated?

                          • 10. Re: How to grant permissions without rules
                            sigi77

                            Hey Shane, thanks for responding so quickly.
                            Yes, the user isn't authenticated at this point. He is signing up at this point. When I was using rule-based permissions it was OK to use the RunAsOperation() to add a role which had the appropriate right to use createUser() on the IdentityManager. When I try to do that now with the jpaPermissionStore I get a NullPointerException because the username is null.

                            • 11. Re: How to grant permissions without rules
                              shane.bryzak

                              Ah yes, I see the problem now... that seems to be a bug.  I'll fix it in SVN, however in the meantime to workaround it you'll need to override the PersistentPermissionResolver component and define your own hasPermission() method with the following changed code:




                                    String username = identity.getPrincipal() != null ? identity.getPrincipal().getName() : null;
                                    
                                    for (Permission permission : permissions)
                                    {
                                       if (username != null && permission.getRecipient() instanceof SimplePrincipal &&
                                             username.equals(permission.getRecipient().getName()))
                                       {
                                          return true;
                                       }



                              The rest of the code in the hasPermission() method (besides this) should remain unchanged.
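How the override Shane asks for in reply 11 can be declared as a Seam component, as an added example (not Shane's SVN fix and not code from the thread): it registers under the same component name as the built-in resolver with a higher install precedence, and re-implements hasPermission() with the null-principal guard from the reply above. The class name is hypothetical, and it assumes the superclass exposes the store through getPermissionStore().

```java
import java.util.List;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Install;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.intercept.BypassInterceptors;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.Role;
import org.jboss.seam.security.SimplePrincipal;
import org.jboss.seam.security.permission.Permission;
import org.jboss.seam.security.permission.PersistentPermissionResolver;
import org.jboss.seam.security.permission.RuleBasedPermissionResolver;

// Same component name as Seam's resolver; APPLICATION precedence outranks the built-in one.
@Name("org.jboss.seam.security.persistentPermissionResolver")
@Scope(ScopeType.APPLICATION)
@Install(precedence = Install.APPLICATION)
@BypassInterceptors
public class NullSafePersistentPermissionResolver extends PersistentPermissionResolver {

    @Override
    public boolean hasPermission(Object target, String action) {
        if (getPermissionStore() == null) return false;
        Identity identity = Identity.instance();
        if (!identity.isLoggedIn()) return false;

        List<Permission> permissions = getPermissionStore().listPermissions(target, action);
        // Inside a RunAsOperation (self-registration) no user is authenticated yet, so the
        // principal can be null: only role-based permissions can match, skip the per-user check.
        String username = identity.getPrincipal() != null ? identity.getPrincipal().getName() : null;

        for (Permission permission : permissions) {
            if (username != null && permission.getRecipient() instanceof SimplePrincipal
                    && username.equals(permission.getRecipient().getName())) {
                return true;
            }
            if (permission.getRecipient() instanceof Role) {
                Role role = (Role) permission.getRecipient();
                if (role.isConditional()) {
                    if (RuleBasedPermissionResolver.instance()
                            .checkConditionalRole(role.getName(), target, action)) return true;
                } else if (identity.hasRole(role.getName())) {
                    return true;
                }
            }
        }
        return false;
    }
}
```

Because the guard only skips the user-recipient comparison, a role-recipient row such as the ROLE_PERMISSION insert from reply 3 still grants the operation when the RunAsOperation adds that role.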

                              • 12. Re: How to grant permissions without rules
                                sigi77

                                Thanks again for that quick answer. That's what I wanted to do but not without your confirmation:).

                                • 13. Re: How to grant permissions without rules
                                  sigi77

                                  Using the jpaIdentityStore, is it possible to change usernames (logon names)?
                                  I have the following use case.

                                  1. User logs in (with emailAddress)

                                  2. User changes his emailAddress

                                  3. User receives an email at the new email address with a link to confirm that address

                                  4. When the link is clicked, the new email address is saved directly in the eMail field in the DB.

                                  Unfortunately I cannot log in with this new email address. Am I doing something illegal here? Is it even possible to change logon names?
                                  Thanks again.


                                  • 14. Re: How to grant permissions without rules
                                    shane.bryzak

                                    You can't change it through the identity management API, but you should be able to change it by updating the entity directly.
