7 Replies Latest reply on Oct 15, 2008 11:47 PM by shane.bryzak

    RuleBasedPermissionResolver with own PermissionStore

    michaeltr

      Hi,


I want to use a RuleBasedPermissionResolver for security checking (Seam 2.1 CR1) but with my own permission entities, because the users are in usergroups and the usergroups have permissions to targets. The data are stored in a database.
So I tried to write a MyPermissionStore class which implements the PermissionStore interface, but the PermissionManager does not find this component.



      ...
      @Name("org.jboss.seam.security.jpaPermissionStore")
      @Install(precedence = Install.APPLICATION, value=false) 
      @Scope(ScopeType.APPLICATION)
      @BypassInterceptors
      public class MyPermissionStore implements PermissionStore,
          Serializable
      {
        ...
      



      From components.xml:


        <drools:rule-base name="securityRules">
            <drools:rule-files><value>/security.drl</value></drools:rule-files>
        </drools:rule-base>
        <security:rule-based-permission-resolver security-rules="#{securityRules}"/>
        <security:permission-manager permission-store="#{jpaPermissionStore}"/>
      



      From the Logfile


      WARN  [PermissionManager] no permission store available - please install a PermissionStore with the name 'org.jboss.seam.security.jpaPermissionStore' if permission management is required.
      



      and in the PermissionManager.create() the permissionStore variable is always null.


      What is missing?


      Michael

        • 1. Re: RuleBasedPermissionResolver with own PermissionStore
          shane.bryzak

          Try this instead:


          components.xml:


          <security:permission-manager permission-store="#{myPermissionStore}"/>



          MyPermissionStore.java:


          @Name("myPermissionStore")
          @Scope(ScopeType.APPLICATION)
          @BypassInterceptors
          public class MyPermissionStore implements PermissionStore,
              Serializable
          {



          Also, what's the difference between a usergroup and a role?
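The original snippet carries `@Install(precedence = Install.APPLICATION, value=false)`, and `value=false` tells Seam not to install the component at all, so no component of that name ever exists for the PermissionManager to find; the answer above drops the annotation. The listing below is an added example of what a complete store under the suggested name looks like; it is not code from this thread or from Seam. It assumes the Seam 2.1 `PermissionStore` method set (check the signatures against the version in use), models usergroups as Seam `Role` recipients, and uses a constructed in-memory map in place of the database table.

```java
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.intercept.BypassInterceptors;
import org.jboss.seam.security.Role;
import org.jboss.seam.security.permission.Permission;
import org.jboss.seam.security.permission.PermissionStore;

// No @Install here: the component is installed under "myPermissionStore" and is
// referenced from components.xml as permission-store="#{myPermissionStore}".
@Name("myPermissionStore")
@Scope(ScopeType.APPLICATION)
@BypassInterceptors
public class MyPermissionStore implements PermissionStore, Serializable {

    // usergroup -> target identifier -> granted actions. A constructed in-memory
    // stand-in for the database table. Deny by default: anything not listed is not granted.
    private final Map<String, Map<String, Set<String>>> grants =
            new HashMap<String, Map<String, Set<String>>>();

    public MyPermissionStore() {
        // Constructed sample rows, not real data.
        grantPermission(new Permission("User", "show", new Role("operators")));
        grantPermission(new Permission("User", "edit", new Role("admins")));
    }

    // Assumption: targets are plain String identifiers, as s:hasPermission('User','show')
    // passes them. Mapping entity instances to identifiers (Seam's IdentifierPolicy) is left out.
    private static String key(Object target) {
        return String.valueOf(target);
    }

    // Only usergroups (Seam Roles) are recipients in this model. A username recipient
    // is refused so nothing is stored that could never be matched by the resolver.
    private static String group(Permission p) {
        return p.getRecipient() instanceof Role ? p.getRecipient().getName() : null;
    }

    public synchronized List<Permission> listPermissions(Object target) {
        return listPermissions(target, null);
    }

    // One Permission per (group, action) row, so the resolver can test each Role
    // recipient against the current user's roles; action == null lists all actions.
    public synchronized List<Permission> listPermissions(Object target, String action) {
        List<Permission> result = new ArrayList<Permission>();
        for (Map.Entry<String, Map<String, Set<String>>> g : grants.entrySet()) {
            Set<String> actions = g.getValue().get(key(target));
            if (actions == null) continue;
            for (String granted : actions) {
                if (action == null || action.equals(granted)) {
                    result.add(new Permission(key(target), granted, new Role(g.getKey())));
                }
            }
        }
        return result;
    }

    public synchronized List<Permission> listPermissions(Set<Object> targets, String action) {
        List<Permission> result = new ArrayList<Permission>();
        for (Object t : targets) result.addAll(listPermissions(t, action));
        return result;
    }

    public synchronized boolean grantPermission(Permission p) {
        String group = group(p);
        if (group == null) return false;
        Map<String, Set<String>> byTarget = grants.get(group);
        if (byTarget == null) grants.put(group, byTarget = new HashMap<String, Set<String>>());
        Set<String> actions = byTarget.get(key(p.getTarget()));
        if (actions == null) byTarget.put(key(p.getTarget()), actions = new HashSet<String>());
        return actions.add(p.getAction());
    }

    public synchronized boolean grantPermissions(List<Permission> ps) {
        boolean changed = false;
        for (Permission p : ps) changed |= grantPermission(p);
        return changed;
    }

    public synchronized boolean revokePermission(Permission p) {
        String group = group(p);
        Map<String, Set<String>> byTarget = group == null ? null : grants.get(group);
        Set<String> actions = byTarget == null ? null : byTarget.get(key(p.getTarget()));
        return actions != null && actions.remove(p.getAction());
    }

    public synchronized boolean revokePermissions(List<Permission> ps) {
        boolean changed = false;
        for (Permission p : ps) changed |= revokePermission(p);
        return changed;
    }

    // No separate action registry here: report the actions currently granted on the target.
    public synchronized List<String> listAvailableActions(Object target) {
        Set<String> actions = new HashSet<String>();
        for (Map<String, Set<String>> byTarget : grants.values()) {
            if (byTarget.get(key(target)) != null) actions.addAll(byTarget.get(key(target)));
        }
        return new ArrayList<String>(actions);
    }

    public synchronized void clearPermissions(Object target) {
        for (Map<String, Set<String>> byTarget : grants.values()) byTarget.remove(key(target));
    }
}
```

The store never answers "yes" on its own: it only reports rows, and the resolver decides by comparing each `Role` recipient with the roles the logged-in user actually holds. Replacing the map with JPA queries keeps the same contract, as long as every query filters by target (and by action when one is given) so no unrelated rows leak into the decision.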

          • 2. Re: RuleBasedPermissionResolver with own PermissionStore
            michaeltr

            Thanks for your answer - that worked, the PermissionManager found my store.


But perhaps I am on the wrong path ...
What I want to do is to set the permissions dynamically from the database. My usergroups bundle permissions (these can also be changed dynamically, so I think I can't use roles) and a user is a member of one or more roles (also dynamically from the database).
After the user logs in successfully, the authenticate method has to determine the permissions of that user from the database and assign them via the PermissionManager.grantPermission( permission ) method. But this failed with an exception:


            10:45:14,191 ERROR [SeamLoginModule] Error invoking login method
            javax.el.ELException: org.jboss.seam.security.NotLoggedInException
                 at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:333)
                 at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:342)
            



            Must I use the RunAsOperation or the security events or anything else?


            Michael

            • 3. Re: RuleBasedPermissionResolver with own PermissionStore
              shane.bryzak

              I still don't understand why you can't use role permissions.  Also, what is the point of granting permissions to a user if the permissions are already in the database?  Perhaps if you posted a code sample that demonstrates what you want to achieve I might be able to give you some more constructive suggestions.


As for calling the PermissionManager methods, the currently authenticated user must have the appropriate security permission to invoke them, which, if you intend to do this in the authenticate() method, they won't have (so you'll need to use RunAsOperation as you stated).  Also, is there any reason you are using an authenticator component and not the identity management API to authenticate?  It makes more sense to use identity management as you're already using permission management.

              • 4. Re: RuleBasedPermissionResolver with own PermissionStore
                michaeltr

Some things get clearer, others not ...


The reason for using an authenticator component is that I started with the Eclipse wizard and extended the example, but after a short look into the identity management API I think using this is a good suggestion.


I found the following in the forum: Security - Define dynamic Role in application, which is a little bit old but very similar to what I am trying to do.


                From my Session Bean:


                ...
                  @In
                  private WorkingMemory pmscadaWorkingMemory;
                  
                ...
                      for ( int i = 0; i < userPermissions.size(); i++ )
                      {
                        permission = new org.jboss.seam.security.permission.Permission(userPermissions.get( i ).getTarget(),userPermissions.get( i ).getAction(),p );
                        pmscadaWorkingMemory.insert( permission );
                      }
                ...
                


                components.xml:


                ...
                  <drools:managed-working-memory name="pmscadaWorkingMemory"
                    auto-create="true" rule-base="#{securityRules}" />
                ...
                



My Permission(User, Show) is inserted into the WorkingMemory after the successful login (did it with the org.jboss.seam.security.loginSuccessful event) without an exception, but the output in my web page


                     <h:outputLabel rendered="#{s:hasPermission('User','show')}">Has Permission</h:outputLabel>
                


                is never rendered.

                • 5. Re: RuleBasedPermissionResolver with own PermissionStore
                  shane.bryzak

                  Wow, that forum post is old.  I recommend that you pretty much forget everything it says, as it's mostly obsolete now.  All you really need to do is configure the PersistentPermissionResolver as per the docs (read section 15.6.10 very carefully) and you'll then be able to assign permissions to roles, no need to write any rules or insert any objects into the working memory, the permissions will just work.

                  • 6. Re: RuleBasedPermissionResolver with own PermissionStore
                    michaeltr

Ok, I understand that.


But I like the possibilities of Drools and permissions which are assigned dynamically to a user. This offers very high flexibility for an application. Is there any way to do this?


                    Thanks for your help!

                    • 7. Re: RuleBasedPermissionResolver with own PermissionStore
                      shane.bryzak

                      Persistent permissions are dynamic, as they're data-driven.  And you can always combine the use of persistent permissions with rule-based permissions (there's no rule saying you can't use both).
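As an added example (not code from this thread or from Seam) of the data-driven setup recommended in replies 5 and 7, and of the RunAsOperation that reply 3 says is needed whenever PermissionManager is called without a suitably privileged user: a permission entity in the shape the persistent permission resolver expects, plus an admin component that changes group permissions at runtime. Everything named here is hypothetical (the `GroupPermission` and `GroupPermissionAdmin` classes, the `admins` group, the `User`/`show` target and action); the `@Permission*` annotations, `RunAsOperation(true)` as a system operation that passes security checks, and the `user`/`role` discriminator defaults are as I understand Seam 2.1 and should be checked against the docs section cited above. The two classes are shown in one listing; each goes in its own file.

```java
import java.io.Serializable;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.security.Restrict;
import org.jboss.seam.annotations.security.permission.PermissionAction;
import org.jboss.seam.annotations.security.permission.PermissionDiscriminator;
import org.jboss.seam.annotations.security.permission.PermissionRole;
import org.jboss.seam.annotations.security.permission.PermissionTarget;
import org.jboss.seam.annotations.security.permission.PermissionUser;
import org.jboss.seam.security.Role;
import org.jboss.seam.security.RunAsOperation;
import org.jboss.seam.security.permission.Permission;
import org.jboss.seam.security.permission.PermissionManager;

/**
 * One row = one grant of an action on a target to a usergroup (or to a single user).
 * Hypothetical entity; it is registered in components.xml as
 *   <security:jpa-permission-store user-permission-class="example.GroupPermission"/>
 * The persistent permission resolver reads these rows and, for a "role" row, checks the
 * current user's roles, so editing a row changes the result of s:hasPermission('User','show')
 * on the next check, with no rules and no working-memory inserts involved.
 */
@Entity
public class GroupPermission implements Serializable {

    @Id @GeneratedValue
    private Long id;

    // Username or usergroup name; the discriminator column says which one it is.
    @PermissionUser @PermissionRole
    private String recipient;

    @PermissionTarget
    private String target;

    @PermissionAction
    private String action;

    // Seam writes "user" or "role" here (the annotation's default values).
    @PermissionDiscriminator
    private String discriminator;

    public GroupPermission() {}   // required by JPA; field access, so no setters are needed
}

// Hypothetical admin-facing component that changes group permissions while the app runs.
@Name("groupPermissionAdmin")
public class GroupPermissionAdmin {

    // Coarse gate: only members of the (assumed) "admins" group may call this at all.
    // PermissionManager.grantPermission additionally checks that the caller holds the
    // grant permission on the target; that check is satisfied by running only the single
    // grant call as a system operation, which is also what an authenticator needs, since
    // no user is logged in while it runs. Keep the privileged block this small.
    @Restrict("#{s:hasRole('admins')}")
    public boolean grantToGroup(final String group, final String target, final String action) {
        final boolean[] granted = { false };
        new RunAsOperation(true) {
            public void execute() {
                granted[0] = PermissionManager.instance()
                        .grantPermission(new Permission(target, action, new Role(group)));
            }
        }.run();
        return granted[0];
    }

    @Restrict("#{s:hasRole('admins')}")
    public boolean revokeFromGroup(final String group, final String target, final String action) {
        final boolean[] revoked = { false };
        new RunAsOperation(true) {
            public void execute() {
                revoked[0] = PermissionManager.instance()
                        .revokePermission(new Permission(target, action, new Role(group)));
            }
        }.run();
        return revoked[0];
    }
}
```

The rule-based resolver can stay configured next to the persistent one: Seam asks each installed permission resolver in turn and grants on the first positive answer, so a permission can come from a row like the one above or from a rule in security.drl, whichever fits the case. The only thing a system operation should ever wrap is the one call that needs it; a broad `RunAsOperation(true)` around the whole authenticator would bypass every check made inside it.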