4 Replies Latest reply on May 23, 2014 1:38 AM by sflanigan

    PicketLink / Drools / DeltaSpike Security

    flopsi

      Hello everybody,

      I am trying to understand the PicketLink/Drools sample application and cannot really work out how it works...

      I understand we may have an annotation

      import java.lang.annotation.Documented;
      import java.lang.annotation.ElementType;
      import java.lang.annotation.Retention;
      import java.lang.annotation.RetentionPolicy;
      import java.lang.annotation.Target;
      import org.apache.deltaspike.security.api.authorization.SecurityBindingType;

      @Retention(value = RetentionPolicy.RUNTIME)
      @Target({ ElementType.TYPE, ElementType.METHOD })
      @Documented
      @SecurityBindingType
      public @interface TimeRestricted {
      }

      and a method to be secured, annotated with it

      // DeltaSpike intercepts calls to this method and runs the @Secures method bound to @TimeRestricted first
      @TimeRestricted
      public void doTest() {
          ...
      }

      and a method to handle the restriction

      import org.apache.deltaspike.security.api.authorization.Secures;
      import org.picketlink.Identity;

      // authorizer method: DeltaSpike calls it before any @TimeRestricted method is entered
      @Secures
      @TimeRestricted
      public boolean testTimeRestricted(Identity identity) {
          return identity.hasPermission("TestAction", "invoke");
      }

      The questions I have now are:

      -Where does the Identity parameter come from? The DeltaSpike documentation gives this signature:

      public boolean doSecuredCheck(InvocationContext invocationContext, BeanManager manager, ...) throws Exception

      -Where exactly does Drools come into play?

      Does the hasPermission(...) call trigger a fireAllRules() on the Drools session somehow?

      Or does it run completely behind the scenes and have nothing to do with the hasPermission(...) call?

      -If a fireAllRules() happens anywhere, I guess an org.picketlink.idm.drools.PermissionCheck instance is added to the Drools working memory before, right?

      -If that is the case, what happens then in the case of

      1. granted has been set => I guess the annotated method is called normally?!

      2. granted has not been set => I guess an exception is thrown?!

      -Are other objects added to the working memory implicitly? Or should I add them manually? If so, what is the best practice?

      -The app should grant rights depending on the current time... I do not see this logic anywhere... Please explain where this happens.

      -When I try to deploy the app, I get the following exception:

      14:59:47,489 WARN  [org.drools.compiler.kie.builder.impl.ClasspathKieProject] (MSC service thread 1-2) Unable to load pom.properties tried recursing down from\wildfly-8.0.0.Final\standalone\deployments\picketlink-authorization-drools.war\WEB-INF\classes\META-INF\kmodule.xml

      null

      14:59:47,490 ERROR [org.drools.compiler.kie.builder.impl.ClasspathKieProject] (MSC service thread 1-2) Unable to build index of kmodule.xml url=vfs:/D:/wildfly-8.0.0.Final/standalone/deployments/picketlink-authorization-drools.war/WEB-INF/classes/META-INF/kmodule.xml

      null

      14:59:47,809 ERROR [org.drools.compiler.cdi.KieCDIExtension] (MSC service thread 1-2) Annotation @KSession(ksession1) found, but no KieSessioneModel exist.

      Either the required kproject.xml does not exist, was corrupted, or mising the KieBase entry

      14:59:48,235 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.deployment.unit."picketlink-authorization-drools.war".WeldStartService: org.jboss.msc.service.StartException in service jboss.deployment.unit."picketlink-authorization-drools.war".WeldStartService: Failed to start service

      ...

      Caused by: org.jboss.weld.exceptions.DeploymentException: WELD-001408: Unsatisfied dependencies for type KieSession with qualifiers @KSession

      I found PLINK-339 and DROOLS-299, so am I right in saying that the app actually cannot be run? The hints did not solve it for me... So what exactly should be put in the jar, and where exactly should it go?

      Sorry for all this, but the example app left me with more questions than before somehow...

      Maybe someone could sketch a whole authorization lifecycle with Drools?

      Thanks a lot, best regards

      Flo
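One end-to-end authorization lifecycle of the kind the post asks for, written as an added example for this page and not taken from the PicketLink sample or from the poster: a DeltaSpike @Secures authorizer that inserts a fact into a Drools 6 session, fires the rules explicitly, and reads the decision back. It assumes the @TimeRestricted annotation from the post lives in package authz, that DeltaSpike Security and kie-api 6 are on the classpath, and it defines its own hypothetical PermissionCheck POJO (not PicketLink's org.picketlink.idm.drools.PermissionCheck). The rules are compiled from an inline string, so no kmodule.xml and no @KSession injection are involved; the 09:00 to 17:00 window is a constructed policy chosen for illustration.

```java
// File: authz/PermissionCheck.java
// Hypothetical fact type for this example; it is NOT org.picketlink.idm.drools.PermissionCheck.
package authz;

public class PermissionCheck {
    private final String resource;
    private final String operation;
    private final int hour;      // hour of day (0-23) at which the call is attempted
    private boolean granted;     // default deny: only a rule may flip this to true

    public PermissionCheck(String resource, String operation, int hour) {
        this.resource = resource;
        this.operation = operation;
        this.hour = hour;
    }

    public String getResource() { return resource; }
    public String getOperation() { return operation; }
    public int getHour() { return hour; }
    public boolean isGranted() { return granted; }
    public void grant() { granted = true; }
}

// File: authz/TimeRestrictedAuthorizer.java
package authz;

import java.util.Calendar;
import javax.enterprise.context.ApplicationScoped;
import javax.interceptor.InvocationContext;
import org.apache.deltaspike.security.api.authorization.Secures;
import org.kie.api.KieServices;
import org.kie.api.builder.KieBuilder;
import org.kie.api.builder.KieFileSystem;
import org.kie.api.builder.Message;
import org.kie.api.runtime.KieContainer;
import org.kie.api.runtime.KieSession;

@ApplicationScoped
public class TimeRestrictedAuthorizer {

    // Rule text built in code so the example needs no kmodule.xml and no @KSession injection.
    // Only a PermissionCheck matching every constraint is granted; all other facts stay denied.
    private static final String DRL =
        "package authz.rules;\n"
      + "import authz.PermissionCheck;\n"
      + "rule \"TestAction.invoke allowed during office hours\"\n"
      + "when\n"
      + "  $c : PermissionCheck(resource == \"TestAction\", operation == \"invoke\", hour >= 9, hour < 17)\n"
      + "then\n"
      + "  $c.grant();\n"
      + "end\n";

    private final KieContainer container = buildContainer();

    private static KieContainer buildContainer() {
        KieServices ks = KieServices.Factory.get();
        KieFileSystem kfs = ks.newKieFileSystem();
        kfs.write("src/main/resources/authz/time.drl", DRL);
        KieBuilder builder = ks.newKieBuilder(kfs).buildAll();
        if (builder.getResults().hasMessages(Message.Level.ERROR)) {
            // Fail closed at startup rather than running with a rule base that grants nothing by accident.
            throw new IllegalStateException("rule compilation failed: " + builder.getResults());
        }
        return ks.newKieContainer(ks.getRepository().getDefaultReleaseId());
    }

    /** The decision itself, kept free of CDI so it can be unit-tested with any hour value. */
    public boolean isAllowed(String resource, String operation, int hour) {
        KieSession session = container.newKieSession();
        try {
            PermissionCheck check = new PermissionCheck(resource, operation, hour);
            session.insert(check);     // 1. the fact enters working memory
            session.fireAllRules();    // 2. rules run here, explicitly, not inside any hasPermission() call
            return check.isGranted();  // 3. still false means no rule fired: deny
        } finally {
            session.dispose();         // one session per decision, so facts cannot leak between calls
        }
    }

    // DeltaSpike invokes this before any method annotated @TimeRestricted (the annotation from the
    // post). Returning true lets the call proceed; returning false makes DeltaSpike throw
    // AccessDeniedException, and the secured method is never entered.
    @Secures
    @TimeRestricted
    public boolean checkTimeRestricted(InvocationContext ctx) {
        int hour = Calendar.getInstance().get(Calendar.HOUR_OF_DAY);
        return isAllowed("TestAction", "invoke", hour);
    }
}
```

The authorizer defaults to deny: a fact that matches no rule comes back with granted still false, and a rule compilation error aborts deployment instead of leaving every secured call unauthorized at runtime. isAllowed(...) takes the hour as a parameter so a test can exercise both sides of the window (for example hour 10 granted, hour 20 denied) without depending on the wall clock.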