Hi everyone!
I just started using Seam and I'm getting kinda stuck while trying to use some of the security features. I just included the security rules described in the reference:
rule ManageUsers
  no-loop
  activation-group "permissions"
when
  check: PermissionCheck(name == "seam.user", granted == false)
  Role(name == "admin")
then
  check.grant();
end

rule ManageRole
  no-loop
  activation-group "permissions"
when
  check: PermissionCheck(name == "seam.role", granted == false)
  Role(name == "admin")
then
  check.grant();
end

rule ManagePermissions
  no-loop
  activation-group "permissions"
when
  check: PermissionCheck(action == "seam.grant-permission", granted == false)
  Role(name == "admin")
then
  check.grant();
end
It works fine, but I found a problem for non-admins on some actions. While changing a password, a non-admin user cannot change his own since, obviously, he is not an admin (he has the user Role). So I get the expected exception:
Caused by javax.faces.FacesException with message: "#{changePasswordAction.changePassword}: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[seam.user,update]"
I don't know how to make a rule that lets the PermissionCheck on password change allow the currently logged-in user to fulfil the action. Should I use the PermissionStores with ACLs, or is there a simple way to do it with Drools rules? Sorry if these are somewhat stupid questions, like I said I'm just beginning.
Thanks in advance
You can use a RunAsOperation to perform a password change for the current user.
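
A sketch of that approach, added here as an illustration and not taken from the posts above: the action runs only the password change with the "admin" role, binds it to the authenticated user's own name, and re-checks the current password first. The class layout, the currentPassword/newPassword fields and the outcome strings are assumptions; the component name is taken from the EL expression in the exception.

```java
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.security.Restrict;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.RunAsOperation;
import org.jboss.seam.security.management.IdentityManager;

// Hypothetical component; only the name comes from the stack trace in the question.
@Name("changePasswordAction")
public class ChangePasswordAction {

    @In private Identity identity;
    @In private IdentityManager identityManager;

    // Bound to the change-password form (assumed field names).
    private String currentPassword;
    private String newPassword;

    // Only an authenticated session may reach the elevated block below.
    @Restrict("#{identity.loggedIn}")
    public String changePassword() {
        // The account name comes from the session's credentials, never from
        // a request parameter, so the elevated call cannot be pointed at
        // another user's account.
        final String username = identity.getCredentials().getUsername();
        final String replacement = newPassword;

        // Require the current password again before elevating, so an
        // unattended or hijacked session cannot reset it silently.
        if (!identityManager.authenticate(username, currentPassword)) {
            return "failed";
        }

        // Only this one call runs with the "admin" role, which is what the
        // ManageUsers rule requires to grant the seam.user permission check.
        new RunAsOperation() {
            public void execute() {
                identityManager.changePassword(username, replacement);
            }
        }.addRole("admin").run();

        return "success";
    }

    public void setCurrentPassword(String p) { this.currentPassword = p; }
    public void setNewPassword(String p) { this.newPassword = p; }
}
```

Keep the body of execute() to the single IdentityManager call: everything inside it bypasses the user's normal role restrictions.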