Securing params with drools
mgvarley Jul 24, 2009 7:27 PM
Hi all - I have spent the last 8 hours trying to solve a security issue in my Seam app and whilst I've made a lot of progress I'm not quite there. I want to prevent a logged in user from manipulating a URL to access something they shouldn't. I have read the Seam docs thoroughly (multiple times!) and have been searching the forums (including this one) and can't find a clear example of what I need to do - the seamspace example (I'm using v2.1.2) gives some clues but addresses so many different aspects of the security model that it is confusing to the uninitiated. Dan Allen's excellent Seam in Action got me part of the way but I am not quite there.
My scenario is this: I have a User associated with a Customer entity, they log in (using the Seam identityManager) and are redirected to a customer area where they are presented with their list of Bookings, they click on a Booking and are displayed the Booking using a standard seam-gen page backed by a BookingHome object extending EntityHome. Currently though, any authenticated customer can view any booking (even those which are not theirs) by modifying the bookingId parameter in the URL.
I have the following entry in my components.xml:
<security:rule-based-permission-resolver security-rules="#{securityRules}" />
I have created the rule as follows (and included the imports for the referenced classes) in security.drl:
rule CustomerBooking
  no-loop
  activation-group "permissions"
when
  $perm: PermissionCheck(name == "customer.booking", action == "view", granted == false)
  Role(name == "customer")
  Booking($bookingCustomer: customer)
  User(customer == $bookingCustomer)
then
  $perm.grant();
end
Finally, I have added the following in my booking.page.xml file:
<restrict>#{s:hasPermission('customer.booking','view')}</restrict>
However, this is not working. I get the following error: Authorization check failed for expression [#{s:hasPermission('customer.booking','view')}] even when the customer has the right to view the booking.
If I exclude the references to Booking it works fine; I have checked with the following rule:
rule CustomerBooking
  no-loop
  activation-group "permissions"
when
  $perm: PermissionCheck(name == "customer.booking", action == "view", granted == false)
  Role(name == "customer")
  User(username == "myusername")
then
  $perm.grant();
end
Any advice as to what I am doing wrong would be very much appreciated. Or an alternative strategy for securing the param ids in the URL.
Thanks in advance,
mark
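Editor's added example, not code from the post or from the Seam project: one answer to the "alternative strategy" question above is to enforce ownership in BookingHome itself, so a tampered bookingId can never load another customer's Booking no matter which page it is used on. The rule in the post needs a Booking fact and a User fact in the Drools working memory to match anything; as far as I recall Seam 2.1's RuleBasedPermissionResolver only inserts the PermissionCheck when the target is a string name, whereas an object target such as #{s:hasPermission(bookingHome.instance,'view')} is inserted as a fact (the User fact still has to be inserted by the authenticator). That is my understanding, not something the thread confirms, which is why the example below does not depend on it. Assumptions in the code: Booking.getCustomer(), User.getUsername() and User.getCustomer() (implied by the rule in the post), Customer.getId(), and an invented package name.

```java
// Added example (editor's code, not the poster's): reject bookings that do not
// belong to the logged-in customer at load time, independent of page rules.
package org.example.bookings; // assumed package

import java.util.List;

import org.jboss.seam.annotations.Name;
import org.jboss.seam.framework.EntityHome;
import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity;

@Name("bookingHome")
public class BookingHome extends EntityHome<Booking> {

    private static final long serialVersionUID = 1L;

    // seam-gen style id accessors bound to the bookingId page parameter
    public void setBookingId(Long id) {
        setId(id);
    }

    public Long getBookingId() {
        return (Long) getId();
    }

    // EntityHome calls loadInstance() when the instance is first needed after
    // an id has been set, so every page that uses bookingHome goes through
    // this check, not only the one carrying a <restrict> element.
    @Override
    protected Booking loadInstance() {
        Booking booking = super.loadInstance(); // entityManager.find(Booking.class, getId())
        if (booking == null) {
            // Unknown id: let Home.handleNotFound() raise EntityNotFoundException as usual.
            return null;
        }
        if (!isOwnedByCurrentUser(booking)) {
            // Seam routes this to the configured access-denied handling; the
            // foreign booking is never exposed to the view.
            throw new AuthorizationException(
                "Booking " + getId() + " does not belong to the logged-in customer");
        }
        return booking;
    }

    // Resolve the current User from the Identity credentials (assumed to be
    // the username the identityManager authenticated) and compare Customer ids
    // rather than entity references, so the check does not depend on
    // Customer.equals() or on both entities coming from one persistence context.
    @SuppressWarnings("unchecked")
    private boolean isOwnedByCurrentUser(Booking booking) {
        Identity identity = Identity.instance();
        if (identity == null || !identity.isLoggedIn()) {
            return false;
        }
        String username = identity.getCredentials().getUsername();
        List<User> users = getEntityManager()
            .createQuery("select u from User u where u.username = :username")
            .setParameter("username", username)
            .getResultList();
        if (users.size() != 1 || users.get(0).getCustomer() == null) {
            return false; // no (or ambiguous) account behind this login: deny
        }
        Customer owner = booking.getCustomer();
        return owner != null
            && owner.getId() != null
            && owner.getId().equals(users.get(0).getCustomer().getId());
    }
}
```

Keeping the check in loadInstance() means the <restrict> in booking.page.xml becomes a second layer rather than the only one: a missing or mis-ordered rule fails closed with AuthorizationException instead of leaking the booking, and the same protection applies to edit and delete pages that share bookingHome.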