Rule syntax in security.drl, SEAM 2.2.0_EAP5 (w JBDevS)
sage.sam Feb 10, 2010 10:30 PM
I'm still relatively new to Seam, and have been working on learning how to write rules in the security.drl file to protect certain operations.
I've looked at the basic examples, and I can get the most basic cases to work, i.e. verifying that the user is logged in and is in the proper role.
My problem comes in when I try to write a more sophisticated check. It seems like everything I try with respect to inspecting object attributes causes the rule compilation to fail with a cryptic error:
Caused by: org.jboss.seam.InstantiationException: Could not instantiate Seam component: securityRules
at org.jboss.seam.Component.newInstance(Component.java:2144)
...
Caused by: java.lang.NullPointerException
at org.drools.common.AbstractRuleBase.addPackages(AbstractRuleBase.java:434)
at org.drools.reteoo.ReteooRuleBase.addPackage(ReteooRuleBase.java:388)
at org.jboss.seam.drools.RuleBase.compileRuleBase(RuleBase.java:115)
...
Here's my scenario: I have a number of internal roles which I do not want to allow users to delete. So, on my role home, I have overridden the remove method to add a restrict tag:
@Override
@Restrict("#{s:hasPermission(imRoleHome.instance, 'remove')}")
public String remove() {
    return super.remove();
}
My rule is as follows:
rule CanDeleteExtraRoles
    dialect "mvel"
    no-loop true
when
    exists Principal()
    $testRole : MyRole( )
    $check : PermissionCheck( target == $testRole, action == "remove", granted == false )
    Role( name == "my_admin" )
then
    $check.grant();
end
So far, so good. When I deploy the application, everything operates as expected. The user must be in the proper admin role in order to delete a role at all.
Now, I want to enhance this rule further so that roles with a certain prefix can never be deleted, i.e.
my_role1, my_role2, my_role3
How do I check the roleName attribute on my role class? I know mvel allows regexp, but even before I get to that point I try some simple checks. For example, I add the line
$testRole.roleName != "my_admin"
above the role check, and it won't compile the rules. What is the right process to define local variables and then do comparisons/checks against them, or against fields on those objects?
Is there an example app that I just haven't found yet? Any help is appreciated.
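An added example, not from the original post, showing the attribute check written as field constraints inside the MyRole pattern (a comma between constraints means AND), so the grant can never fire for the protected roles. It assumes MyRole exposes a roleName getter, lives in a hypothetical package com.example.model, and that the protected roles share the prefix my_role.

```drl
package Permissions;

import java.security.Principal;
import org.jboss.seam.security.Role;
import org.jboss.seam.security.permission.PermissionCheck;
// Assumed package for the application's role entity; adjust to the real one.
import com.example.model.MyRole;

rule CanDeleteExtraRoles
    dialect "mvel"
    no-loop true
when
    exists Principal()
    // Field constraints go inside the pattern's parentheses. A bare line such
    // as `$testRole.roleName != "my_admin"` in the "when" part is not a
    // pattern, so the rule base fails to compile. The constraints below bind
    // $testRole only when its name is not "my_admin" and does not start with
    // the protected prefix; for my_role1, my_role2, ... no fact matches, the
    // PermissionCheck is never granted and removal stays denied.
    $testRole : MyRole( roleName != "my_admin",
                        roleName not matches "my_role.*" )
    $check : PermissionCheck( target == $testRole,
                              action == "remove",
                              granted == false )
    // The calling user must still hold the admin role.
    Role( name == "my_admin" )
then
    $check.grant();
end
```

The same check can be written outside the pattern as eval($testRole.roleName != "my_admin"), but a field constraint is the idiomatic form and lets the engine index it.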