2 Replies Latest reply on Aug 18, 2010 8:51 AM by lstates.states_linnet.bah.com

    Extending org.jboss.seam.security.Role

    lstates.states_linnet.bah.com

      Shane I need your help please!


      Issue - Resolve how to manage the location of a role.


      I'm new to Identity Management and I have a situation in which I need to add an additional factor to the Role. A user can have different roles at different locations and right now just having the role name isn't sufficient. How do I store and make this information available for retrieval when doing hasPermission()?


      Background information: Seam 2.2.0, Drools 5, ideally I'd like to have rule based permissions but that's for another post!


      Thanks!

        • 1. Re: Extending org.jboss.seam.security.Role
          shane.bryzak

          Hmm, in Seam 3 this will actually be supported out of the box as we have proper support for groups.  In Seam 2, it's a bit trickier... if you want to be able to use rule-based permissions with location-based roles, the problem is that you can't override RuleBasedPermissionResolver.synchronizeContext() as it's a private method.  What you may need to do, is extend RuleBasedPermissionResolver and override the hasPermission() method.  You basically need to copy exactly what's there, however instead of calling synchronizeContext() you call your own method (e.g. mySynchronizeContext()).


          In mySynchronizeContext(), instead of inserting org.jboss.seam.security.Role instances into the stateful session, you would insert your own Role instances which contain the location information.  After that, you should be able to write security rules that take the role's location into account, e.g.:



          package MyPermissions;
          
          dialect 'mvel'
          
          import org.jboss.seam.security.permission.PermissionCheck;
          
          import com.mycompany.security.Role;
          
          # Only let admins from head office update account details
          
          rule UpdateAccountDetails
            no-loop
          when
            account: AccountDetails()
            Role(name == "admin", location == "head_office")
            check: PermissionCheck(target == account, action == "update", granted == false)
          then
            check.grant();
          end



          Hope that helps.
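One way to wire this up in Java, as an added example rather than code from Shane's post or from Seam itself: it assumes com.mycompany.security.Role is a plain bean with a Role(String name, String location) constructor and getName()/getLocation() accessors (which is what the rule above matches on), plus a hypothetical session-scoped component named roleLocations (class RoleLocations, method locationsFor(String roleName)) that the application's authenticator fills in at login. The hasPermission() body is a condensed rendering of the Seam 2.2 one and should be reconciled against the real source before use.

```java
package com.mycompany.security;

import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import org.drools.FactHandle;
import org.drools.StatefulSession;
import org.jboss.seam.Component;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.*;
import org.jboss.seam.annotations.intercept.BypassInterceptors;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.permission.PermissionCheck;
import org.jboss.seam.security.permission.RuleBasedPermissionResolver;

// Same component name as the built-in resolver, with a higher precedence, so Identity uses this one.
@Name("org.jboss.seam.security.ruleBasedPermissionResolver")
@Scope(ScopeType.SESSION) @BypassInterceptors @Startup
@Install(precedence = Install.APPLICATION)
public class LocationAwarePermissionResolver extends RuleBasedPermissionResolver {
   @Override
   public boolean hasPermission(Object target, String action) {
      StatefulSession ctx = getSecurityContext();
      List<FactHandle> handles = new ArrayList<FactHandle>();
      PermissionCheck check = new PermissionCheck(target, action);
      synchronized (ctx) {
         // Seam's original also maps Class targets to component names; copy that part from its source.
         if (!(target instanceof String) && !(target instanceof Class)) handles.add(ctx.insert(target));
         mySynchronizeContext(ctx, handles);           // stands in for the private synchronizeContext()
         handles.add(ctx.insert(check));
         ctx.fireAllRules();
         for (FactHandle h : handles) ctx.retract(h);  // nothing from this check may leak into the next
      }
      return check.isGranted();
   }

   // Insert one Role(name, location) fact for every location at which the user holds that role.
   private void mySynchronizeContext(StatefulSession ctx, List<FactHandle> handles) {
      if (!Identity.instance().isLoggedIn()) return;
      RoleLocations locs = (RoleLocations) Component.getInstance("roleLocations"); // hypothetical, filled at login
      for (Group g : Identity.instance().getSubject().getPrincipals(Group.class)) {
         if (!"Roles".equals(g.getName())) continue;    // Seam keeps the user's roles in a Group named "Roles"
         for (Enumeration<? extends Principal> e = g.members(); e.hasMoreElements();) {
            String name = e.nextElement().getName();
            for (String loc : locs.locationsFor(name))   // retracted again by hasPermission, so never stale
               handles.add(ctx.insert(new Role(name, loc)));
         }
      }
   }
}
```

Unlike Seam's built-in, which leaves Role facts in the stateful session between checks, this version inserts the located roles per check and retracts them with the PermissionCheck, so a role that has no recorded location never satisfies a location-qualified rule and the outcome defaults to deny.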

          • 2. Re: Extending org.jboss.seam.security.Role
            lstates.states_linnet.bah.com

            Thanks Shane, that does help!