IdentityManager and RuleBasedPermissionResolver
uqbar Sep 2, 2010 12:43 PM

So there's been quite a bit written about this on the forums, but despite all of it, it still seems quite befuddling. At the core, I can't seem to be able to get past the permission check while using IdentityManager.
I am using a RuleBasedPermissionResolver with the standard rule-set (as described in Seam docs) defined in security.drl. The file is being deployed, found and parsed. The logged in user has the admin
role that the rule mandates. However, when it comes to calling identityManager.createUser(), I cannot seem to get past this:
Caused by: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[seam.user,create]
Versions: Seam 2.2.0.GA running on JBoss 5.1.GA (as standard as the Seam stack can get).
components.xml (relevant bit):
    <drools:rule-base name="securityRules">
        <drools:rule-files>
            <value>/WEB-INF/security.drl</value>
        </drools:rule-files>
    </drools:rule-base>

    <security:rule-based-permission-resolver security-rules="#{securityRules}"/>

    <security:identity authenticate-method="#{authenticator.authenticate}" remember-me="true"/>

    <security:identity-manager identity-store="#{jpaIdentityStore}" />

    <security:jpa-identity-store user-class="com.learnvest.proto.lvyodlee.model.User"
                                 role-class="com.learnvest.proto.lvyodlee.model.Role"/>
security.drl:
    package Permissions;

    import java.security.Principal;
    import org.jboss.seam.security.permission.PermissionCheck;
    import org.jboss.seam.security.Role;

    rule ManageUsers
        no-loop
        activation-group "permissions"
    when
        check: PermissionCheck(target == "seam.user", granted == false)
        Role(name == "admin")
    then
        check.grant();
    end

    rule ManageRoles
        no-loop
        activation-group "permissions"
    when
        check: PermissionCheck(target == "seam.role", granted == false)
        Role(name == "admin")
    then
        check.grant();
    end
User.java (relevant bit):
    @Column(name = "username", nullable = false, length = 256)
    @NotNull
    @UserPrincipal
    @Length(max = 256)
    public String getUsername() {
        return this.username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    @Column(name = "password", nullable = false, length = 256)
    @NotNull
    @UserPassword(hash = "md5")
    @Length(max = 256)
    public String getPassword() {
        return this.password;
    }
Role.java:
    @Column(name = "name", nullable = false, length = 32)
    @NotNull
    @RoleName
    @Length(max = 32)
    public String getName() {
        return this.name;
    }
All this just to have Seam hash passwords for me on user creation. I've already given up on using IdentityManager (anything that takes more than 2 days to get working is simply not worth using), but if anyone has any ideas on this I would be curious to hear them - I am sure someone would benefit from the knowledge.
Thanks,
Uqbar.
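The post's `security.drl` grants `seam.user` / `seam.role` permissions only when a `Role(name == "admin")` fact is present, and RuleBasedPermissionResolver takes those facts from the roles held in the logged-in `Identity`, not from the database. A custom `authenticate-method` therefore has to add the user's roles to the identity itself. The authenticator below is an added example, not the poster's code: it assumes a package name of its own, that the `jpaIdentityStore` component from the post's components.xml is injectable, and that the `User` entity maps its roles with Seam's `@UserRoles` annotation so that `getImpliedRoles()` can resolve them.

```java
package com.learnvest.proto.lvyodlee.security; // package name is an assumption for this example

import java.util.List;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.management.JpaIdentityStore;

/**
 * Backs the components.xml entry
 *   <security:identity authenticate-method="#{authenticator.authenticate}" .../>
 * Delegates credential checking to the JPA identity store and then copies the
 * user's roles into the Identity so the Drools rules can see them.
 */
@Name("authenticator")
@Scope(ScopeType.EVENT)
public class Authenticator {

    @In
    private Identity identity;

    @In
    private Credentials credentials;

    // The store declared by <security:jpa-identity-store .../> in components.xml
    @In("#{jpaIdentityStore}")
    private JpaIdentityStore jpaIdentityStore;

    public boolean authenticate() {
        String username = credentials.getUsername();
        String password = credentials.getPassword();
        if (username == null || password == null) {
            return false;
        }

        // The store hashes the supplied password according to @UserPassword(hash="md5")
        // and compares it with the stored value, so no hashing is duplicated here.
        if (!jpaIdentityStore.authenticate(username, password)) {
            return false;
        }

        // Each role added here becomes an org.jboss.seam.security.Role principal in the
        // identity's subject; those are the facts RuleBasedPermissionResolver inserts into
        // the rule session, so without this step Role(name == "admin") never matches.
        List<String> roles = jpaIdentityStore.getImpliedRoles(username);
        if (roles != null) {
            for (String role : roles) {
                identity.addRole(role);
            }
        }
        return true;
    }
}
```

A quick way to confirm the rule's precondition before calling `identityManager.createUser()` is `identity.hasRole("admin")` from the same session: if that returns false after login, the `Role` fact is absent from the working memory and the rule cannot fire, whatever the database says about the user.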