14 Replies Latest reply on Oct 4, 2007 9:44 PM by Shane Bryzak

    security-config.xml equivalent in 2.0?

    Samuel Doyle Apprentice

      What is the equivalent of this in 2.0? I don't see one.

      S.D.

        • 1. Re: security-config.xml equivalent in 2.0?
          Pete Muir Master

          You configure seam security through pages.xml

          • 2. Re: security-config.xml equivalent in 2.0?
            Samuel Doyle Apprentice

             

            "pete.muir@jboss.org" wrote:
            You configure seam security through pages.xml


            How do you define the hierarchical relationship amongst roles through the pages.xml? I don't see anywhere that provides that, which is what was provided in the security-config.xml?

            Thanks, S.D.

            • 4. Re: security-config.xml equivalent in 2.0?
              Shane Bryzak Master

              Seam hasn't had a security-config.xml file since version 1.1.1. If you wish to define a hierarchical relationship between roles, you can write security rules for this. In fact, the seamspace example does exactly this - here's an example:

              rule AdminIsAUser
               salience 10
               no-loop
              when
               Role(name == "admin")
               not Role(name == "user")
              then
               insert(new Role("user"));
              end




              • 5. Re: security-config.xml equivalent in 2.0?
                Samuel Doyle Apprentice

                Alright so I followed the procedures for installing drools and configuring the security.drl properly based on examples. I'm pretty sure I have it set up properly since it was complaining when I was experimenting with options in the security.drl. In any case I have this restriction to render a tab.

                <rich:tab switchType="page" immediate="true" rendered="#{s:hasRole('super-user')}" label="Agency Admin" name="AgencyAdmin" action="AgencyAdmin">
                 <ui:include src="menu.xhtml">
                  <ui:param name="projectName" value="#{projectName}"/>
                 </ui:include>
                </rich:tab>
                


                But yet this rule does not allow it to be rendered when I log in as ultra-user.

                rule UltraUserIsSuperUser
                 salience 10
                 no-loop
                when
                 Role(name == "ultra-user")
                 not Role(name == "super-user")
                then
                 insert(new Role("super-user"));
                end
                


                There are no exceptions or complaints from drools.

                "shane.bryzak@jboss.com" wrote:
                Seam hasn't had a security-config.xml file since version 1.1.1. If you wish to define a hierarchical relationship between roles, you can write security rules for this. In fact, the seamspace example does exactly this - here's an example:

                rule AdminIsAUser
                 salience 10
                 no-loop
                when
                 Role(name == "admin")
                 not Role(name == "user")
                then
                 insert(new Role("user"));
                end




                • 6. Re: security-config.xml equivalent in 2.0?
                  Shane Bryzak Master

                  Oops, you're absolutely right. In seamspace it works because the role check is performed within the context of a (rule-based) permission check. I've fixed this in CVS so that RuleBasedIdentity now checks the security context for the existence of the role (as well as checking the subject), however if you can't test with the latest CVS version you could alternatively replace your s:hasRole() expression with an s:hasPermission() expression that simply checks for the existence of the required role.

                  • 7. Re: security-config.xml equivalent in 2.0?
                    Samuel Doyle Apprentice

                    Great thanks for the information and the workaround. I wasn't aware that the hasPermission would also check the role as well. I'll give this a try.

                    S.D.

                    • 8. Re: security-config.xml equivalent in 2.0?
                      Samuel Doyle Apprentice

                      Hi Shane,

                      This didn't work either.

                      <rich:tab switchType="page" immediate="true" rendered="#{s:hasPermission('super-user', null, null)}" label="Agency Admin" name="AgencyAdmin" action="AgencyAdmin">
                       <ui:include src="menu.xhtml">
                        <ui:param name="projectName" value="#{projectName}"/>
                       </ui:include>
                      </rich:tab>
                      


                      This tab is rendered as part of the landing page after the user has been authenticated.

                      S.D.

                      "shane.bryzak@jboss.com" wrote:
                      Oops, you're absolutely right. In seamspace it works because the role check is performed within the context of a (rule-based) permission check. I've fixed this in CVS so that RuleBasedIdentity now checks the security context for the existence of the role (as well as checking the subject), however if you can't test with the latest CVS version you could alternatively replace your s:hasRole() expression with an s:hasPermission() expression that simply checks for the existence of the required role.


                      • 9. Re: security-config.xml equivalent in 2.0?
                        Shane Bryzak Master

                        What does the source for your rule look like? It should be something like this:

                        rule IsUserSuperUser
                         no-loop
                         activation-group "permissions"
                        when
                         check: PermissionCheck(name == "rolecheck", action == "super-user", granted == false)
                         Role(name == 'super-user')
                        then
                         check.grant();
                        end


                        In this case the expression would be hasPermission('rolecheck', 'super-user', null).
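
The hierarchy rule and the permission rule from this thread combined into one security.drl, as an added example that is not part of the original posts or of Seam's own code. It goes one step beyond the rule above by binding the check's action to a variable, so a single rule serves any role name; the package name `SecurityRules` and the rule name `RoleCheck` are assumptions.

```drools
package SecurityRules;  // assumed package name

import org.jboss.seam.security.PermissionCheck;
import org.jboss.seam.security.Role;

// Role hierarchy: a user holding "ultra-user" also gets "super-user".
// The higher salience lets this rule fire ahead of the permission rule
// whenever both are on the agenda.
rule UltraUserIsSuperUser
  salience 10
  no-loop
when
  Role(name == "ultra-user")
  not Role(name == "super-user")
then
  insert(new Role("super-user"));
end

// Generic role check (assumed rule name): grants the "rolecheck" permission
// when a Role fact in the security context matches the requested action.
// The Role may have been asserted at login or derived by the rule above.
// No rule denies; a check that nothing grants simply stays ungranted.
//
// View side, as given in the thread:
//   rendered="#{s:hasPermission('rolecheck', 'super-user', null)}"
rule RoleCheck
  no-loop
  activation-group "permissions"
when
  check: PermissionCheck(name == "rolecheck", $role : action, granted == false)
  Role(name == $role)
then
  check.grant();
end
```

Because `RoleCheck` matches the action against any Role fact, every role name becomes testable through `rolecheck`; decisions that depend on more than role membership belong in their own permission rules.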

                        • 10. Re: security-config.xml equivalent in 2.0?
                          Samuel Doyle Apprentice

                          Ah thanks, no I'm pretty much a noob to drools.
                          Can you point me to some documentation with some solid examples?
                          I was looking at a very detailed grammar document but I'm a bit stretched for time for delving into that at the moment.

                          I just checked out the code from cvs and was going to build that and give it a try too.

                          Thanks, S.D.

                          • 11. Re: security-config.xml equivalent in 2.0?
                            Samuel Doyle Apprentice

                            This works awesome though, thanks again!

                            S.D.

                            "shane.bryzak@jboss.com" wrote:
                            What does the source for your rule look like? It should be something like this:

                            rule IsUserSuperUser
                             no-loop
                             activation-group "permissions"
                            when
                             check: PermissionCheck(name == "rolecheck", action == "super-user", granted == false)
                             Role(name == 'super-user')
                            then
                             check.grant();
                            end


                            In this case the expression would be hasPermission('rolecheck', 'super-user', null).


                            • 12. Re: security-config.xml equivalent in 2.0?
                              Shane Bryzak Master

                              I recommend the drools reference documentation as a good starting point for obtaining a fundamental understanding of the default rules language, that's pretty much all I've read myself.

                              • 13. Re: security-config.xml equivalent in 2.0?
                                Samuel Doyle Apprentice

                                Thanks Shane,

                                I'll take a look whenever I get some spare cycles. I remember seeing a useful Eclipse plugin that helps in defining the rules. It's unfortunate there isn't one for NetBeans. =/

                                "shane.bryzak@jboss.com" wrote:
                                I recommend the drools reference documentation as a good starting point for obtaining a fundamental understanding of the default rules language, that's pretty much all I've read myself.


                                • 14. Re: security-config.xml equivalent in 2.0?
                                  Shane Bryzak Master

                                  The Drools team also has another product, BRMS, which you might find useful. It can be used to manage a rules repository, and the latest CR of Seam also has support for loading rules from one of these repositories (BRMS is built on Seam too :).