-
1. Re: Authorization check failed for permission seam.role,read
shane.bryzak Aug 16, 2010 6:35 PM (in response to chris.simons)
It shouldn't matter that you don't have an identity store configured, the permission check should still work. Are you sure the user is a member of the 'Administrator' role? Try setting a break point in RuleBasedPermissionResolver.hasPermission(); if you examine the stateful session (the securityContext variable) you should be able to see a Fact entry for each of the roles the user is a member of.
-
2. Re: Authorization check failed for permission seam.role,read
chris.simons Aug 16, 2010 9:43 PM (in response to chris.simons)
Thanks for the reply, Shane.
I haven't set a break point within .hasPermission() yet, but I did apply some additional configuration settings to components.xml. I took a step back and tried some of the other identityManager methods, for example, getImpliedRoles('roleName').
I don't know if this proves my use case should work but it comes pretty close. When I print out a list of the impliedRoles for the given user, I do see the Administrator role. However, I still am unable to get past the AuthenticationException issue for identityManager.listRoles() and listUsers().
So, I must ask...is getImpliedRoles() the same as getting back a list of all roles granted to the user? Are they one and the same? Or do I need to grant each role via identity.grantRole()?
If you have time, I've pasted more of my components.xml. I have no overridden Permission yet, but I believe we might do that in the near future.

    <security:identity-manager identity-store="#{jpaIdentityStore}"
                               role-identity-store="#{jpaIdentityStore}"/>

    <security:rule-based-permission-resolver security-rules="#{securityRules}"/>

    <security:jpa-identity-store user-class="com.bah.englink.ejb.User"
                                 role-class="com.bah.englink.ejb.roles.AppRole"/>

    <drools:rule-base name="securityRules">
        <drools:rule-files>
            <value>/security.drl</value>
        </drools:rule-files>
    </drools:rule-base>
Thanks!
-
3. Re: Authorization check failed for permission seam.role,read
shane.bryzak Aug 16, 2010 10:19 PM (in response to chris.simons)
Your configuration looks fine to me. The roles that RuleBasedPermissionResolver uses to populate the securityContext are obtained from the Identity component. If you're using identity management, then all of the user's implied roles should be automatically populated in Identity when you authenticate (see SeamLoginModule).
The actual work to place the roles into securityContext gets done in RuleBasedPermissionResolver.synchronizeContext(), so you could set a breakpoint here to ensure that all roles (including the implied roles) are being set.
-
4. Re: Authorization check failed for permission seam.role,read
chris.simons Aug 17, 2010 1:31 PM (in response to chris.simons)
Shane,
I think we resolved the issue and I'd like to share why I think the rule-based permission was not working earlier.
In components.xml, we are setting security:identity authenticate-method to a custom method. Therefore, I think (perhaps) securityContext was not being automatically populated with each role.
Therefore, in our custom method, I manually called an identity.addRole("Administrator").
This seemed to do the trick.
Looking over the Seam Security documentation, we can find a wealth of information. Discerning which approach to take - given the various options - and which components to combine into our custom identity management scheme is a bit harder to ascertain.
For example, some of the documentation seems out-of-date and does not reflect Seam 2.0 - 2.1 migration guide tutorials on using RuleBasedPermissionResolver.
It would be really neat to see a "Here are three common ways of using Seam Security". The first tutorial would show just using JpaIdentityStore. The second would show using JpaIdentityStore and RuleBasedPermissionResolver. And so on and so forth. Just my two cents. Maybe if we can figure out our own custom permission scheme as we want to, we will write it up for you guys. :)
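The fix described in the thread (a custom authenticate-method that must populate Identity with the user's roles itself, so that RuleBasedPermissionResolver.synchronizeContext() has Role facts to insert) can be written as a Seam 2.x authenticator component. The code below is an added example, not code from the thread or from the Seam project; the package name, class name and component name "authenticator" are assumptions, and it assumes the components.xml shown above (JpaIdentityStore plus RuleBasedPermissionResolver) is in place. Instead of hard-coding identity.addRole("Administrator"), it copies every implied role returned by IdentityManager.getImpliedRoles(), so a user who is not an Administrator does not get that role added by mistake.

```java
// Added example (not from the thread or from Seam): a custom authenticator
// whose authenticate() method verifies the credentials against the
// configured identity store and then copies the user's roles into Identity.
// Those roles are what RuleBasedPermissionResolver.synchronizeContext()
// turns into Role facts in the securityContext session.
// Package, class and component name are assumptions.
package com.example.security;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.management.IdentityManager;

@Name("authenticator")
@Scope(ScopeType.EVENT)
public class Authenticator {

    @In Identity identity;
    @In Credentials credentials;
    @In IdentityManager identityManager;

    /**
     * Wired in components.xml as:
     *   <security:identity authenticate-method="#{authenticator.authenticate}"/>
     * Returns true only when the identity store accepts the credentials.
     */
    public boolean authenticate() {
        String username = credentials.getUsername();
        String password = credentials.getPassword();

        // Step 1: verify the password against the identity store configured
        // for the identity manager (here the JpaIdentityStore).
        if (!identityManager.authenticate(username, password)) {
            return false;
        }

        // Step 2: populate Identity with every role granted to the user,
        // including implied roles. Without this, a custom authenticate-method
        // leaves Identity empty of roles and every rule that matches on
        // Role(name == ...) fails, which is what produced
        // "Authorization check failed for permission seam.role,read".
        for (String role : identityManager.getImpliedRoles(username)) {
            identity.addRole(role);
        }
        return true;
    }
}

/*
 * For reference, the shape of a security.drl rule that grants the
 * "seam.role"/"read" permission needed by identityManager.listRoles() to
 * members of the Administrator role (also an added example, not the thread's
 * own rules file):
 *
 *   rule AdministratorCanReadRoles
 *   when
 *     Role(name == "Administrator")
 *     check: PermissionCheck(target == "seam.role", action == "read", granted == false)
 *   then
 *     check.grant();
 *   end
 */
```

Authentication and role population are deliberately separate steps: failing the password check returns before any role is added, so a failed login never leaves roles behind in the event-scoped Identity.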