3 Replies Latest reply on Sep 7, 2010 10:01 PM by uqbar

    IdentityManager and RuleBasedPermissionResolver

    uqbar

      So there's been quite a bit written about this on the forums, but despite all of it, it still seems quite befuddling. At the core, I can't seem to be able to get past the permission check while using IdentityManager.


      I am using a RuleBasedPermissionResolver with the standard rule-set (as described in Seam docs) defined in security.drl. The file is being deployed, found and parsed. The logged in user has the admin role that the rule mandates. However, when it comes to calling identityManager.createUser(), I cannot seem to get past this:



      Caused by: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[seam.user,create]


      Versions: Seam 2.2.0.GA running on JBoss 5.1.GA (as standard as the Seam stack can get).


      components.xml (relevant bit):




         <!-- Drools rule base that the permission resolver consults -->
         <drools:rule-base name="securityRules">
           <drools:rule-files><value>/WEB-INF/security.drl</value></drools:rule-files>
         </drools:rule-base>

         <!-- Every Identity.checkPermission() call is evaluated against securityRules -->
         <security:rule-based-permission-resolver security-rules="#{securityRules}"/>
         <security:identity authenticate-method="#{authenticator.authenticate}"
                            remember-me="true"/>

         <!-- IdentityManager backed by the JPA store; User/Role are the annotated entities below -->
         <security:identity-manager identity-store="#{jpaIdentityStore}"/>
         <security:jpa-identity-store
               user-class="com.learnvest.proto.lvyodlee.model.User"
               role-class="com.learnvest.proto.lvyodlee.model.Role"/>
      



      security.drl:




      package Permissions;
      
      import java.security.Principal;
      
      import org.jboss.seam.security.permission.PermissionCheck;
      import org.jboss.seam.security.Role;
      
      rule ManageUsers
        no-loop
        activation-group "permissions"
      when
        check: PermissionCheck(target == "seam.user", granted == false)
        Role(name == "admin")
      then
        check.grant();
      end
      
      rule ManageRoles
        no-loop
        activation-group "permissions"
      when
        check: PermissionCheck(target == "seam.role", granted == false)
        Role(name == "admin")
      then
        check.grant();
      end
      




      User.java (relevant bit):


      package com.learnvest.proto.lvyodlee.model;

      import javax.persistence.Column;
      import javax.persistence.Entity;
      import org.hibernate.validator.Length;
      import org.hibernate.validator.NotNull;
      import org.jboss.seam.annotations.security.management.UserPassword;
      import org.jboss.seam.annotations.security.management.UserPrincipal;

      @Entity
      public class User {

           // id mapping and the remaining members are omitted here, as in the post
           private String username;
           private String password;

           @Column(name = "username", nullable = false, length = 256)
           @NotNull
           @UserPrincipal            // tells JpaIdentityStore which property is the login name
           @Length(max = 256)
           public String getUsername() {
                return this.username;
           }

           public void setUsername(String username) {
                this.username = username;
           }

           @Column(name = "password", nullable = false, length = 256)
           @NotNull
           @UserPassword( hash="md5" )   // JpaIdentityStore hashes with this MessageDigest algorithm before persisting
           @Length(max = 256)
           public String getPassword() {
                return this.password;
           }

           public void setPassword(String password) {
                this.password = password;
           }
      }
      



      Role.java:




           @Column(name = "name", nullable = false, length = 32)
           @NotNull
           @RoleName                 // org.jboss.seam.annotations.security.management.RoleName: the property JpaIdentityStore reads as the role name
           @Length(max = 32)
           public String getName() {
                return this.name;
           }
      



      All this just to have Seam hash passwords for me on user creation. I've already given up on using IdentityManager (anything that takes more than 2 days to get working is simply not worth using), but if anyone has any ideas on this I would be curious to hear them - I am sure someone would benefit from the knowledge.


      Thanks,


      Uqbar.
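An added example (not from the thread) that isolates the question from the container: it loads the security.drl above into a plain Drools 5 session, inserts Role facts the way RuleBasedPermissionResolver does, and reports whether a given PermissionCheck ends up granted. If this prints `true` for admin but the application still throws AuthorizationException, the rules are fine and the roles are not reaching the resolver's session. Assumes Seam 2.2 and Drools 5 on the classpath and security.drl on the classpath root; SecurityRulesCheck and its method names are hypothetical.

```java
// Added example, not code from the forum thread or from Seam itself.
import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseFactory;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.io.ResourceFactory;
import org.drools.runtime.StatefulKnowledgeSession;
import org.jboss.seam.security.Role;
import org.jboss.seam.security.permission.PermissionCheck;

public class SecurityRulesCheck {

    /** Compiles the DRL and fails fast on any rule error (a silent parse failure grants nothing). */
    static KnowledgeBase buildRuleBase(String drlClasspathPath) {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kbuilder.add(ResourceFactory.newClassPathResource(drlClasspathPath), ResourceType.DRL);
        if (kbuilder.hasErrors()) {
            throw new IllegalStateException("security.drl did not compile: " + kbuilder.getErrors());
        }
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase();
        kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());
        return kbase;
    }

    /**
     * Mirrors what the resolver does per check: insert the caller's roles,
     * insert an ungranted PermissionCheck, fire the rules, read the result.
     */
    static boolean isGranted(KnowledgeBase kbase, String[] roles, String target, String action) {
        StatefulKnowledgeSession session = kbase.newStatefulKnowledgeSession();
        try {
            for (String role : roles) {
                session.insert(new Role(role));
            }
            PermissionCheck check = new PermissionCheck(target, action);
            session.insert(check);
            session.fireAllRules();
            return check.isGranted();
        } finally {
            session.dispose();   // one throwaway session per check keeps facts from leaking between calls
        }
    }

    public static void main(String[] args) {
        KnowledgeBase kbase = buildRuleBase("security.drl");
        // With the thread's ManageUsers / ManageRoles rules: admin is granted, any other role is not.
        System.out.println("admin  seam.user:create -> "
                + isGranted(kbase, new String[] {"admin"}, "seam.user", "create"));
        System.out.println("member seam.user:create -> "
                + isGranted(kbase, new String[] {"member"}, "seam.user", "create"));
        System.out.println("admin  seam.role:delete -> "
                + isGranted(kbase, new String[] {"admin"}, "seam.role", "delete"));
    }
}
```

Because the rules only look at Role facts, a `true` here combined with a failing `createUser()` narrows the problem to how the logged-in user's roles are populated into the resolver's stateful session, which is exactly where a breakpoint in RuleBasedPermissionResolver.synchronizeContext() pays off.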

        • 1. Re: IdentityManager and RuleBasedPermissionResolver
          shane.bryzak

          The only thing I can think of is that your user doesn't really have the admin role.  Does Identity.instance().hasRole("admin") return true?  You can try setting a breakpoint in RuleBasedPermissionResolver.synchronizeContext() as this is where the stateful session is populated with the user's roles.


          The seamspace example might be worth looking at too, all this stuff is all configured and working there.

          • 2. Re: IdentityManager and RuleBasedPermissionResolver
            cbensemann

            Sometimes, as Shane suggested, you don't have admin privileges. This is true when you are registering on a site for example. You have specified in your drl file that any user with an admin role can create users. To temporarily run an operation with a specific permission you can do the following:



            new RunAsOperation() {
                @Override
                public void execute() {
                    identityManager.createUser(credentials.getUsername(), credentials.getPassword(),
                            user.getFirstname(), user.getLastname());
                }
            }.addRole("admin").run();
            



            This will run everything in the execute method as though it was being run as a user with the admin role. This is often also useful for changing passwords etc depending on how you have configured your rules.


            Hope that helps


            Craig
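An added example (not Craig's code) showing the pattern above inside a self-registration action, with the elevated scope kept as small as possible: input validation and the existence check run as the anonymous caller, and only the two IdentityManager writes execute under the temporary "admin" role. The component name `register` and the class `Register` are hypothetical; IdentityManager, RunAsOperation, `createUser`, `userExists` and `grantRole` are Seam 2.2 APIs.

```java
// Added example, not code from the thread or from the Seam project.
package example;   // hypothetical package

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.RunAsOperation;
import org.jboss.seam.security.management.IdentityManager;

@Name("register")
public class Register {

    @In IdentityManager identityManager;

    private String username;
    private String password;

    public String register() {
        // Everything that can be decided without privileges happens first,
        // as the unauthenticated caller.
        if (username == null || username.trim().length() == 0
                || password == null || password.length() == 0) {
            return "invalid";
        }
        if (identityManager.userExists(username)) {
            return "exists";
        }

        final String name = username;
        final String pw = password;

        // Only this block runs with the extra role; it ends when run() returns.
        new RunAsOperation() {
            @Override
            public void execute() {
                // createUser() raises the seam.user:create check that the
                // ManageUsers rule grants for "admin"; the store hashes pw per @UserPassword.
                identityManager.createUser(name, pw);
                // grantRole() is also checked against the seam.user target,
                // which the same rule covers. The new account gets the low-privilege role only.
                identityManager.grantRole(name, "member");
            }
        }.addRole("admin").run();

        return "registered";
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

Keeping the RunAsOperation body to the identity-store calls, and granting the new user a role other than "admin", means a bug in the surrounding form handling cannot execute anything else with the elevated role.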

            • 3. Re: IdentityManager and RuleBasedPermissionResolver
              uqbar

              Thanks. I have already tried out some of these and confirmed that the logged-in user has the admin role (Identity.instance().hasRole("admin") does return true), but I will try them again.


              Craig - I am seeding a user (with the right roles) in the system via SQL so I have a principal to login as - basically a back-door alternative to the RunAsOperation way.


              I'll try the breakpoint and see what turns up - thanks for your inputs.



              Best,


              Hrishi.