8 Replies Latest reply on Oct 30, 2009 1:24 AM by ganton516

    Problem with IdentityManager

    gewuerzgurke

      Hi everyone,


      I'm using Seam 2.2.0 GA and Jboss 5.0.1 GA.


      Calling the following methods result in an exception:


      @End(beforeRedirect=true)
      public String changePassword() {
          if (passwordOne == null || passwordTwo == null || "".equals(passwordOne) || "".equals(passwordTwo)) {
              facesMessages.add("Passwort darf nicht leer sein");
              return null;
          }
          if (!passwordOne.equals(passwordTwo)) {
              facesMessages.add("Die Passwörter müssen übereinstimmen");
              return null;
          }
          identityManager.changePassword(userHome.getInstance().getUserName(), passwordOne);
          return getRedirect();
      }



      identityManager.changePassword(userHome.getInstance().getUserName(), passwordOne);



      The exception:


      Caused by: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[seam.user,update]
           at org.jboss.seam.security.Identity.checkPermission(Identity.java:590)
           at org.jboss.seam.security.management.IdentityManager.changePassword(IdentityManager.java:123)
           at com.muellerseidel.peachshops.core.session.PasswordChangeAction.changePassword(PasswordChangeAction.java:66)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
           at java.lang.reflect.Method.invoke(Unknown Source)
           at org.jboss.seam.util.Reflections.invoke(Reflections.java:22)
           at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:32)
           at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
           at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:28)
           at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
           at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:77)
           at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
           at org.jboss.seam.core.ConversationInterceptor.aroundInvoke(ConversationInterceptor.java:56)
           at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
           at org.jboss.seam.bpm.BusinessProcessInterceptor.aroundInvoke(BusinessProcessInterceptor.java:51)
           at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
           at org.jboss.seam.core.ConversationalInterceptor.aroundInvoke(ConversationalInterceptor.java:43)
           at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
           at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:44)
           at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
           at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
           at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:185)
           at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:103)
           at com.muellerseidel.peachshops.core.session.PasswordChangeAction_$$_javassist_seam_6.changePassword(PasswordChangeAction_$$_javassist_seam_6.java)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
           at java.lang.reflect.Method.invoke(Unknown Source)
           at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:335)
           at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:348)
           at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
           at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
           at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
           at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
           at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88)
           ... 53 more



      Relevant part of my components.xml is:


      <drools:rule-base name="securityRules" rule-files="/security.drl"/>

      <security:rule-based-permission-resolver
          security-rules="#{securityRules}" />

      <security:jpa-identity-store user-class="com.muellerseidel.peachshops.core.entity.User" role-class="com.muellerseidel.peachshops.core.entity.Role"/>



      I took the security.drl from the examples:


      package Permissions;
      
      import java.security.Principal;
      
      import org.jboss.seam.security.PermissionCheck;
      import org.jboss.seam.security.Role;
      
      rule ManageUsers
        no-loop
        activation-group "permissions"
      when
        check: PermissionCheck(name == "seam.user", granted == false)
        Role(name == "admin")
      then
        check.grant();
      end
      
      rule ManageRoles
        no-loop
        activation-group "permissions"
      when
        check: PermissionCheck(name == "seam.role", granted == false)
        Role(name == "admin")
      then
        check.grant();
      end



      According to the expression

      #{identity.hasRole('admin')}

      the user I'm working with should be in that role. Does anyone have an idea how to fix this?

        • 1. Re: Problem with IdentityManager

          It seems to me that you forgot to point to your drl file.


          do you have something like this:



          <drools:rule-base name="securityRules">
              <drools:rule-files>
                  <value>/META-INF/security-rules.drl</value>
              </drools:rule-files>
          </drools:rule-base>


          If it's not required that Seam checks the action update for seam.user, you can use the store:


          // look up the configured identity store and call it directly, so no seam.user permission check runs
          JpaIdentityStore identityStore = (JpaIdentityStore) Component.getInstance("org.jboss.seam.security.identityStore", ScopeType.EVENT);
          identityStore.changePassword(userHome.getInstance().getUserName(), passwordOne);
          



          You can also use the RunAsOperation:



          new RunAsOperation() {
              public void execute() {
                  result = identityManager.changePassword(userHome.getInstance().getUserName(), passwordOne);
              }
          }.addRole("admin").run();




          With this method you can check if the role admin is in the identity object:


          import java.security.Principal;
          import java.security.acl.Group;
          import java.util.ArrayList;
          import java.util.Enumeration;
          import java.util.List;
          import javax.security.auth.Subject;
          import org.jboss.seam.security.Identity;

          // collects the role names held in the "Roles" group of the Identity's Subject
          public static List<String> getIdentityRoles(Identity identity) {
              List<String> roles = new ArrayList<String>();
              Subject subject = identity.getSubject();

              for (Group sg : subject.getPrincipals(Group.class)) {
                  if (Identity.ROLES_GROUP.equals(sg.getName())) {
                      Enumeration<? extends Principal> e = sg.members();
                      while (e.hasMoreElements()) {
                          roles.add(e.nextElement().getName());
                      }
                  }
              }
              return roles;
          }



          If your identity object contains the role admin, something with your drl config is wrong; otherwise you need to add the role admin.


          Greetz Marco

          • 2. Re: Problem with IdentityManager
            gewuerzgurke

            Thanks Marco for your reply.


            <drools:rule-base name="securityRules">
                <drools:rule-files>
                    <value>/META-INF/security-rules.drl</value>
                </drools:rule-files>
            </drools:rule-base>



            The above code is part of components.xml. I prefer to really use this permission stuff. It seems to me that Seam doesn't know how to check for permissions. I've even made a typo into


            <value>/META-INF/nonexistingfile.drl</value>

            and seam doesn't complain.


            I've even tried your getIdentityRoles() method and the current user is in role admin...


            This problem really gets time-consuming :(


            • 3. Re: Problem with IdentityManager

              Sorry, my mistake, I overlooked:


              <drools:rule-base name="securityRules" rule-files="/security.drl"/>



              Your config looks good, except I can't see an identity-manager configured.
              In your config an identity-store is configured:


              <security:jpa-identity-store  user-class="com.muellerseidel.peachshops.core.entity.User" role-class="com.muellerseidel.peachshops.core.entity.Role"/>



              you need a manager too and the manager must point to your store. Something like this:


              <security:identity-manager identity-store="#{jpaIdentityStore}" />
              <security:jpa-identity-store user-class="com.muellerseidel.peachshops.core.entity.User" role-class="com.muellerseidel.peachshops.core.entity.Role"/>
                   



              Or is your .drl file in the right directory?
              If you set up Drools like this


              <security:rule-based-permission-resolver
                  security-rules="#{securityRules}" />

              <drools:rule-base name="securityRules">
                  <drools:rule-files>
                      <value>/META-INF/security-rules.drl</value>
                  </drools:rule-files>
              </drools:rule-base>



              the file


              security-rules.drl



              should be here in your ear:



              yourProject.ear\yourProject.jar\META-INF



              Have you debugged in the class RuleBasedPermissionResolver?
              Is the method create() called?


              You should also check that the RuleBasedPermissionResolver is in the ResolverChain:


              Debug in PermissionMapper class


              Line 60


              Map<String,String> chains = resolverChains.get(target);



              and look if chains contains a RuleBasedPermissionResolver



              Greetz Marco

              • 4. Re: Problem with IdentityManager
                gewuerzgurke

                Hi Marco,


                 I've solved the problem. The additional Drools jars were missing. Drools couldn't start and the permission check failed.


                I think this is either a bug:


                - Seam doesn't complain when using drools without having the necessary jars in cp


                or


                this could be a problem with my jboss tools.


                 Should we place a bug in Jira or something?


                Best Regards,


                Alex
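The root cause in the reply above is a rule base that never loaded, surfacing only as a generic "Authorization check failed" at call time. The following startup component is an added example, not code from this thread or from Seam: it assumes the rule base component is named "securityRules" as in the posted components.xml, that the Drools 5 org.drools.RuleBase API is on the classpath, and that the required rule names are the ManageUsers and ManageRoles rules from the posted security.drl. It fails deployment if the rule base did not resolve or lacks those rules, so a missing .drl or missing Drools jar is reported at startup instead of at the first denied permission check.

```java
package com.example.security; // hypothetical package, not from the thread

import org.drools.RuleBase;
import org.drools.rule.Package;
import org.drools.rule.Rule;
import org.jboss.seam.Component;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Observer;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.Startup;

/**
 * Hypothetical startup check (not part of Seam): verifies that the
 * "securityRules" rule base loaded and contains the rules the
 * rule-based permission resolver depends on.
 */
@Name("securityRulesSanityCheck")
@Scope(ScopeType.APPLICATION)
@Startup
public class SecurityRulesSanityCheck {

    // rule names taken from the security.drl posted in this thread
    private static final String[] REQUIRED_RULES = { "ManageUsers", "ManageRoles" };

    @Observer("org.jboss.seam.postInitialization")
    public void verify() {
        // Component.getInstance returns the unwrapped org.drools.RuleBase;
        // a missing Drools jar typically fails here with a class-loading error
        Object instance = Component.getInstance("securityRules");
        if (!(instance instanceof RuleBase)) {
            throw new IllegalStateException(
                "securityRules did not resolve to a Drools RuleBase: " + instance);
        }
        for (String required : REQUIRED_RULES) {
            if (!containsRule((RuleBase) instance, required)) {
                throw new IllegalStateException("security rule '" + required
                    + "' is not loaded; check the .drl path and the Drools jars");
            }
        }
    }

    // walks every loaded package and rule; static so a unit test can pass a hand-built RuleBase
    static boolean containsRule(RuleBase ruleBase, String ruleName) {
        for (Package pkg : ruleBase.getPackages()) {
            for (Rule rule : pkg.getRules()) {
                if (ruleName.equals(rule.getName())) {
                    return true;
                }
            }
        }
        return false;
    }
}
```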

                • 5. Re: Problem with IdentityManager
                  bhiles

                  What additional jar was missing?

                  • 6. Re: Problem with IdentityManager
                    gus888

                    I also have the problem after updating to Seam 2.2.0. Can you explain what additional jar was missing? Thanks.

                    • 7. Re: Problem with IdentityManager
                      gus888
                      After searching the Seam examples build.xml, it seems that the following jars are required for drools:

                           <!-- Dependencies for using Seam with Drools -->
                           <fileset id="drools.jar" dir="${lib.dir}">
                                <include name="antlr-runtime.jar" if="drools.lib" />
                                <include name="core.jar" if="drools.lib" />
                                <include name="janino.jar" if="drools.lib" />
                                <include name="mvel2.jar" if="drools.lib" />
                                <include name="drools-core.jar" if="drools.lib" />
                                <include name="drools-compiler.jar" if="drools.lib" />
                                <include name="drools-api.jar" if="drools.lib" />
                                <include name="drools-decisiontables.jar" if="drools.lib"/>
                                <include name="drools-templates.jar" if="drools.lib"/>
                                <include name="xstream.jar" if="drools.lib"/>
                                <include name="xpp3_min.jar" if="drools.lib"/>
                                <include name="jxl.jar" if="drools.lib"/>
                           </fileset>
                      • 8. Re: Problem with IdentityManager
                        After reading this thread, what I found was necessary for my application (moving from seam-2.0 -> seam-2.2), was only the inclusion of the drools-api.jar in the ear.