14 Replies Latest reply on Oct 4, 2007 9:44 PM by Shane Bryzak

    security-config.xml equivalent in 2.0?

    Samuel Doyle Apprentice

      What is the equivalent of this in 2.0? I don't see one.

      S.D.

        • 1. Re: security-config.xml equivalent in 2.0?
          Pete Muir Master

          You configure seam security through pages.xml

          • 2. Re: security-config.xml equivalent in 2.0?
            Samuel Doyle Apprentice

             

            "pete.muir@jboss.org" wrote:
            You configure seam security through pages.xml


            How do you define the hierarchical relationship amongst roles through the pages.xml? I don't see anywhere that provides that which is what was provided in the security-config.xml?

            Thanks, S.D.

            • 3. Re: security-config.xml equivalent in 2.0?
              Samuel Doyle Apprentice

              Anyone??

              Thanks, S.D.

              • 4. Re: security-config.xml equivalent in 2.0?
                Shane Bryzak Master

                Seam hasn't had a security-config.xml file since version 1.1.1. If you wish to define a hierarchical relationship between roles, you can write security rules for this. In fact, the seamspace example does exactly this - here's an example:

                rule AdminIsAUser
                 salience 10
                 no-loop
                when
                 Role(name == "admin")
                 not Role(name == "user")
                then
                 insert(new Role("user"));
                end




                • 5. Re: security-config.xml equivalent in 2.0?
                  Samuel Doyle Apprentice

                  Alright so I followed the procedures for installing drools and configuring the security.drl properly based on examples. I'm pretty sure I have it setup properly since it was complaining when I was experimenting with options in the security.drl. In anycase I have this restriction to render a tab.

                  <rich:tab switchType="page" immediate="true" rendered="#{s:hasRole('super-user')}" label="Agency Admin" name="AgencyAdmin" action="AgencyAdmin">
                   <ui:include src="menu.xhtml">
                   <ui:param name="projectName" value="#{projectName}"/>
                   </ui:include>
                   </rich:tab>
                  


                  But yet this rule does not allow it to be rendered when I log in as ultra-user.

                  rule UltraUserIsSuperUser
                   salience 10
                   no-loop
                  when
                   Role(name == "ultra-user")
                   not Role(name == "super-user")
                  then
                   insert(new Role("super-user"));
                  end
                  


                  There are no exceptions or complaints from drools.

                  "shane.bryzak@jboss.com" wrote:
                  Seam hasn't had a security-config.xml file since version 1.1.1. If you wish to define a hierarchical relationship between roles, you can write security rules for this. In fact, the seamspace example does exactly this - here's an example:

                  rule AdminIsAUser
                   salience 10
                   no-loop
                  when
                   Role(name == "admin")
                   not Role(name == "user")
                  then
                   insert(new Role("user"));
                  end




                  • 6. Re: security-config.xml equivalent in 2.0?
                    Shane Bryzak Master

                    Oops, you're absolutely right. In seamspace it works because the role check is performed within the context of a (rule-based) permission check. I've fixed this in CVS so that RuleBasedIdentity now checks the security context for the existence of the role (as well as checking the subject), however if you can't test with the latest CVS version you could alternatively replace your s:hasRole() expression with an s:hasPermission() expression that simply checks for the existence of the required role.

                    • 7. Re: security-config.xml equivalent in 2.0?
                      Samuel Doyle Apprentice

                      Great thanks for the information and the workaround. I was't aware that the hasPermission would also check the role as well. I'll give this a try.

                      S.D.

                      • 8. Re: security-config.xml equivalent in 2.0?
                        Samuel Doyle Apprentice

                        Hi Shane,

                        This didn't work either.

                        rich:tab switchType="page" immediate="true"
                        rendered="#{s:hasPermission('super-user', null, null)}" label="Agency
                        Admin" name="AgencyAdmin" action="AgencyAdmin">
                         <ui:include src="menu.xhtml">
                         <ui:param name="projectName" value="#{projectName}"/>
                         </ui:include>
                         </rich:tab>
                        


                        This tab is rendered as part of the landing page after the user has been authenticated.

                        S.D.

                        "shane.bryzak@jboss.com" wrote:
                        Oops, you're absolutely right. In seamspace it works because the role check is performed within the context of a (rule-based) permission check. I've fixed this in CVS so that RuleBasedIdentity now checks the security context for the existence of the role (as well as checking the subject), however if you can't test with the latest CVS version you could alternatively replace your s:hasRole() expression with an s:hasPermission() expression that simply checks for the existence of the required role.


                        • 9. Re: security-config.xml equivalent in 2.0?
                          Shane Bryzak Master

                          What does the source for your rule look like? It should be something like this:

                          rule IsUserSuperUser
                           no-loop
                           activation-group "permissions"
                          when
                           check: PermissionCheck(name == "rolecheck", action == "super-user", granted == false)
                           Role(name == 'super-user')
                          then
                           check.grant();
                          end


                          In this case the expression would be hasPermission('rolecheck', 'super-user', null).

                          • 10. Re: security-config.xml equivalent in 2.0?
                            Samuel Doyle Apprentice

                            Ah thanks, no I'm preety much a noob to drools.
                            Can you point me to some documentation with some solid examples.?
                            I was looking at a very detailed grammar document but I'm a bit stretched for time for delving into that at the moment.

                            I just checked out the code from cvs and was going to build that and give it a try to.

                            Thanks, S.D.

                            • 11. Re: security-config.xml equivalent in 2.0?
                              Samuel Doyle Apprentice

                              This works awesome though, thanks again!

                              S.D.

                              "shane.bryzak@jboss.com" wrote:
                              What does the source for your rule look like? It should be something like this:

                              rule IsUserSuperUser
                               no-loop
                               activation-group "permissions"
                              when
                               check: PermissionCheck(name == "rolecheck", action == "super-user", granted == false)
                               Role(name == 'super-user')
                              then
                               check.grant();
                              end


                              In this case the expression would be hasPermission('rolecheck', 'super-user', null).


                              • 12. Re: security-config.xml equivalent in 2.0?
                                Shane Bryzak Master

                                I recommend the drools reference documentation as a good starting point for obtaining a fundamental understanding of the default rules language, that's pretty much all I've read myself.

                                • 13. Re: security-config.xml equivalent in 2.0?
                                  Samuel Doyle Apprentice

                                  Thanks Shane,

                                  I'll take a look whenever I get some spare cycles. I remember seeing a useful Eclipse plugin that helps in defining the rules. It's unfortunate there isn't one for NetBeans. =/

                                  "shane.bryzak@jboss.com" wrote:
                                  I recommend the drools reference documentation as a good starting point for obtaining a fundamental understanding of the default rules language, that's pretty much all I've read myself.


                                  • 14. Re: security-config.xml equivalent in 2.0?
                                    Shane Bryzak Master

                                    The Drools team also has another product, BRMS, which you might find useful. It can be used to manage a rules repository, and the latest CR of Seam also has support for loading rules from one of these repositories (BRMS is built on Seam too :).