5 Replies Latest reply on May 17, 2011 1:59 PM by edoetsch

    hasPermission changes and my use of active directory

    edoetsch

      We are using active directory and have roles and permissions assigned such that in Seam 1.2.1 and 2.1.1 all permission rules were defined as follows:



      <s:decorate rendered="#{s:hasPermission('contract','view', null)}">
        <s:link id="viewContract" value="#{messages.View}" action="#{contractAction.viewContract}" />
      </s:decorate>
      



      So if a person can view a contract, they can click a link to view the contract.


      The documentation seems to read such that this should be changed to:


      s:hasPermission(null,'view')
      



      which is not working and does not seem to make sense.



      From the documentation, the old 3rd parameter gives the developer the ability to send some piece of information to assist the hasPermission method in making its decision. I assume that since active directory is in use, no additional information is needed.


      Any suggestions on where to look for a resolution to this?

        • 1. Re: hasPermission changes and my use of active directory
          edoetsch

          So it seems like I might be encountering some other problem.


          The jboss-seam-2.1.1.GA and jboss-seam-2.2.2.Final Identity.java has not changed.

          • 2. Re: hasPermission changes and my use of active directory
            edoetsch

            I cannot seem to find the ability to edit the original post, sorry for this.


            The actual problem I am running into is that hasRole() is currently working but hasPermission() is NOT working.


            My 2nd comment means I understand that in fact my Seam 2.1.1 upgrade to 2.2.2 should not have seen a behavior change during my current 2.1.1 to 2.2.2 upgrade, but I can definitely see that hasPermission() is behaving differently.


            Again sorry for the confusion.

            • 3. Re: hasPermission changes and my use of active directory
              edoetsch

              Looking at the code, I guess it is possible my permissionMapper is null. I searched for permissionmapper in the logs of the default jboss server and did not see any reference to it.



                 public boolean hasPermission(String name, String action, Object...arg)
                 {
                    if (!securityEnabled) return true;
                    if (systemOp != null && Boolean.TRUE.equals(systemOp.get())) return true;
                    if (permissionMapper == null) return false;
              
                    if (arg != null)
                    {
                       return permissionMapper.resolvePermission(arg[0], action);
                    }
                    else
                    {
                       return permissionMapper.resolvePermission(name, action);
                    }
                 }
              

              • 4. Re: hasPermission changes and my use of active directory
                edoetsch

                I do have a security-rules.drl in:


                   <drools:rule-base name="securityRules">
                       <drools:rule-files>
                           <value>/META-INF/security-rules.drl</value>
                       </drools:rule-files>
                   </drools:rule-base>
                
                  <security:identity jaas-config-name="active-dir"/>
                



                with a rule like:


                rule CanContractReviewerViewContract
                when
                  c: PermissionCheck(name == "contract", action == "view")
                  Role(name == "ContractReviewer")
                then
                  c.grant();
                end;
                



                I publish my ear in profile.xml as:


                          <property name="applicationURIs">
                               <list elementClass="java.net.URI">
                                    <value>${jboss.server.home.url}deploy</value>
                                    <value>file:///${deploy.root}/ears</value>
                               </list>
                          </property>
                



                The structure under ears is:


                ears/rms.ear/META-INF/security-rules.drl
                



                which has not changed during my upgrade.

                • 5. Re: hasPermission changes and my use of active directory
                  edoetsch

                  I finally figured this out:


                  The documentation states to use the following seam jars in my application:


                      drools-api.jar
                      drools-compiler.jar
                      drools-core.jar
                      drools-decisiontables.jar
                      drools-templates.jar
                      janino.jar
                      antlr-runtime.jar
                      mvel2.jar


                  I have put these jars in the appropriate place but somehow forgot to add drools-api.jar to application.xml (I had added the others).


                  I think what this caused was that the attempt to start drools never even happened, so there was no error or log information either. Just dead silence.
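
A deploy-time check for the failure described in the final post, as an added example that is not part of the original thread: it compares the `<java>` modules declared in an EAR's `application.xml` against the jar list quoted in that post and reports any that are missing, so the gap shows up before `hasPermission()` silently denies everything. The sample descriptor, its `lib/` paths and the function names are constructed for illustration.

```python
import posixpath
import sys
import xml.etree.ElementTree as ET

# Jar list as quoted in the thread's final post.
REQUIRED_JARS = [
    "drools-api.jar", "drools-compiler.jar", "drools-core.jar",
    "drools-decisiontables.jar", "drools-templates.jar",
    "janino.jar", "antlr-runtime.jar", "mvel2.jar",
]

# Constructed sample descriptor (not from the thread): drools-api.jar is
# deliberately left out to reproduce the situation the poster describes.
SAMPLE_APPLICATION_XML = """
<application xmlns="http://java.sun.com/xml/ns/javaee" version="5">
  <display-name>rms</display-name>
  <module><web><web-uri>rms.war</web-uri><context-root>/rms</context-root></web></module>
  <module><ejb>rms.jar</ejb></module>
  <module><java>lib/drools-compiler.jar</java></module>
  <module><java>lib/drools-core.jar</java></module>
  <module><java>lib/drools-decisiontables.jar</java></module>
  <module><java>lib/drools-templates.jar</java></module>
  <module><java>lib/janino.jar</java></module>
  <module><java>lib/antlr-runtime.jar</java></module>
  <module><java>lib/mvel2.jar</java></module>
</application>
"""

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def declared_java_modules(application_xml):
    """Return the base names of every <module><java>...</java></module> entry."""
    root = ET.fromstring(application_xml)
    names = set()
    for module in (el for el in root if _local(el.tag) == "module"):
        for child in module:
            if _local(child.tag) == "java" and child.text:
                names.add(posixpath.basename(child.text.strip()))
    return names

def missing_required_jars(application_xml, required=REQUIRED_JARS):
    """List required jars that the descriptor does not declare, in list order."""
    declared = declared_java_modules(application_xml)
    return [jar for jar in required if jar not in declared]

if __name__ == "__main__":
    # Optional argument: path to an EAR's META-INF/application.xml.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_APPLICATION_XML
    missing = missing_required_jars(xml_text)
    print("missing java modules:", ", ".join(missing) or "none")
    sys.exit(1 if missing else 0)
```

Run against the deployed descriptor as part of the build or deployment step; a non-zero exit means at least one listed jar is not declared as a module.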