Seam security - issues with authorization
siva.sivjothie.gmail.com Nov 24, 2009 5:02 AM

Hi,
I am porting a Seam 1.2 application to Seam 2.2 and deploying it in JBoss 5.0. The code base uses Seam security (Drools based) for authentication and authorization, and there is a security check for CRUD persistence at the entity level. I am getting the "org.jboss.seam.security.AuthorizationException: Authorization check failed" message when accessing functionality for all the roles. The authentication works, but authorization is not working as expected. It didn't allow anyone to access.
Appreciate your help on this.
Thanks in advance
Thanks,
Siva
The code looks like this:

Entity class:

```java
import javax.persistence.Entity;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.security.Restrict;

// @Restrict with no expression makes EntitySecurityListener run the
// default permission check for every read/insert/update/delete.
@Restrict
@Entity
@Name("loan")
public class Loan {
    // ... getters / setters
}
```
I have added the security interceptor in the orm.xml file:

```xml
<persistence-unit-metadata>
  <persistence-unit-defaults>
    <entity-listeners>
      <entity-listener class="org.jboss.seam.security.EntitySecurityListener"/>
    </entity-listeners>
  </persistence-unit-defaults>
</persistence-unit-metadata>
```
In components.xml I configured:

```xml
<drools:rule-base name="securityRules">
  <drools:rule-files>
    /security.drl
  </drools:rule-files>
</drools:rule-base>

<security:identity authenticate-method="#{authenticator.authenticate}"
                   security-rules="#{securityRules}" />
```
security.drl: the rule defined in the 1.2 security.drl file:

```drools
package Permissions;

import org.jboss.seam.security.PermissionCheck;
import org.jboss.seam.security.Role;
...

rule "Loan Management"
  no-loop
  activation-group "permissions"
when
  check: PermissionCheck( name == "loan", action == "insert") or PermissionCheck( name == "loan", action == "update") Role( name == "Administrator" )
then
  check.grant();
end;
```
This gave errors during deployment, so I changed it as follows; it deployed successfully but is not working as expected.

The current security.drl looks like this:
```drools
package Permissions;

dialect 'mvel'

import org.jboss.seam.security.permission.PermissionCheck;
import org.jboss.seam.security.Role;

rule "Loan Management"
  no-loop
  activation-group "permissions"
when
  // One pattern with '||' between the action constraints replaces the two
  // 'or'-ed patterns, so the 'check' binding exists for both actions and the
  // Role pattern below unambiguously applies to both.
  check: PermissionCheck( target == "loan", action == "insert" || action == "update" )
  Role( name == "Administrator" )
then
  check.grant();
end;
```
Please suggest if I am missing any configuration.
Thanks,
Siva
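For comparison, here is an added example (not from the original post) of the same rule written against Seam 2.x's entity permission check. It assumes, following the entity-security example in the Seam 2.x reference, that EntitySecurityListener raises a PermissionCheck whose target is the entity instance rather than the entity name, so a constraint on a string target never matches and every check falls through to the default deny; the `granted == false` constraint and the placeholder package for `Loan` are assumptions as well.

```drools
package Permissions;

import org.jboss.seam.security.Role;
import org.jboss.seam.security.permission.PermissionCheck;
// Placeholder package: the post does not show where Loan lives.
import com.example.Loan;

// Assumption (Seam 2.x reference entity-security example): the Loan
// instance being persisted is inserted into working memory and the
// PermissionCheck's target is that instance, so the rule binds the
// entity and compares the target against it instead of against "loan".
rule "Loan Management"
  no-loop
  activation-group "permissions"
when
  Role( name == "Administrator" )
  loan: Loan()
  // '||' inside one pattern keeps the binding and the Role constraint
  // covering both actions; granted == false avoids re-firing on a check
  // that another rule already granted.
  check: PermissionCheck( target == loan,
                          action == "insert" || action == "update",
                          granted == false )
then
  check.grant();
end
```

If the identity component's `security-rules` attribute is not honoured in 2.2, the rule base is attached instead with `<security:rule-based-permission-resolver security-rules="#{securityRules}"/>` in components.xml (assumption from the Seam 2.x reference).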