2 Replies Latest reply on Feb 13, 2008 10:28 AM by Jaime Martin

    strange behaviour with security rules 2.0.1GA

    Jaime Martin Apprentice

      hi!
      I have just started to work with the latest releases (SEAM 2.0.1.GA and JBoss 4.2.2).
      I am testing the security and something strange happens with my application.
      Restrictions defined in my pages.xml with s:hasRole work ok, but in the .drl file they are not working properly.

      This is my authenticate method:

       public boolean authenticate() {
           // Hard-coded test credentials; note that the password comparison is case-insensitive.
           if (identity.getUsername().equalsIgnoreCase("admin") && identity.getPassword().equalsIgnoreCase("hola")) {
               identity.addRole("adminGral");
               return true;
           }
           else if (identity.getUsername().equalsIgnoreCase("simpleuser") && identity.getPassword().equalsIgnoreCase("bonjour")) {
               identity.addRole("user");
               return true;
           }
           // Any other username/password combination fails authentication.
           return false;
       }
      


      These are the restrictions defined in pages.xml:
       <page view-id="/FirmChoose.xhtml">
           <restrict>#{s:hasRole('adminGral')}</restrict>
       </page>
      
       <page view-id="/FirmList.xhtml">
           <restrict/>
       </page>
      


      and this is the rule defined in my security.drl:
       rule FirmList
       when
           c: PermissionCheck(name == "/FirmList.xhtml", action == "render")
           Role(name == "adminGral")
       then
           c.grant();
       end;
      


      When I authenticate with simpleuser, as it has the user role, I may not access
      the restricted pages (FirmList and FirmChoose), and the following exception appears:


      12:27:41,671 ERROR [SeamPhaseListener] uncaught exception
      org.jboss.seam.security.AuthorizationException: Authorization check failed for permission [/FirmList.xhtml,render]
      at org.jboss.seam.security.Identity.checkPermission(Identity.java:486)
      at org.jboss.seam.navigation.Page.checkPermission(Page.java:214)
      at org.jboss.seam.navigation.Page.preRender(Page.java:238)
      at org.jboss.seam.navigation.Pages.preRender(Pages.java:309)
      at org.jboss.seam.jsf.SeamPhaseListener.preRenderPage(SeamPhaseListener.java:549)
      at org.jboss.seam.jsf.SeamPhaseListener.beforeRenderResponse(SeamPhaseListener.java:460)
      at org.jboss.seam.jsf.SeamPhaseListener.beforeServletPhase(SeamPhaseListener.java:144)
      at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:114)
      at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:222)
      at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:144)
      at javax.faces.webapp.FacesServlet.service(FacesServlet.java:245)
      ....


      That is ok. But on the other hand, if I authenticate with admin, I am allowed to access FirmChoose (#{s:hasRole('adminGral')} works perfectly); however, I may not access FirmList (FirmList does not grant my access in spite of my having the adminGral role).
      I wonder if I have missed configuring something or if I am doing something wrong (I hope it is not a bug).
      Thanks in advance!

        • 1. Re: strange behaviour with security rules 2.0.1GA
          Shane Bryzak Master

          I just tested the default page security and can confirm that it does indeed work ok. I suggest you set a breakpoint in RuleBasedIdentity.hasPermission() to check that your permission check is actually being performed, and that your role is actually set in the working memory.

          • 2. Re: strange behaviour with security rules 2.0.1GA
            Jaime Martin Apprentice

            hi,
            I have solved my problem. I describe my solution in case it helps. The matter was that in another rule I had in my security.drl (which I did not include in my message) I had a syntax error.
            With that error the rule I described before does not work, and once the syntax is correct, both rules work ok.
            The syntax error was the following:

             Role(name == "adminGral" or name == "adminFirm")
            


            And the proper way is this:
             Role(name == "adminGral")
             or
             Role(name == "adminFirm")
            

            regards,
            Jaime
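
The thread above resolved the problem with a breakpoint in RuleBasedIdentity.hasPermission(); a faster way to catch this class of mistake is to compile the security.drl yourself and fail loudly on parser errors, since a single bad rule takes the whole rule base down and every permission check in the application is then denied. The following is an added example, not code from the original posts or from Seam itself. It assumes the Drools 4 compiler API that shipped alongside Seam 2.0.x (org.drools.compiler.PackageBuilder, PackageBuilderErrors, RuleBaseFactory), and the package name MyApplicationPermissions and the two inline DRL strings are constructed here for illustration; the broken string reproduces the Role constraint the last post reports as the syntax error, the fixed string uses the pattern-level "or" the post gives as the correct form.

```java
import java.io.StringReader;

import org.drools.RuleBase;
import org.drools.RuleBaseFactory;
import org.drools.compiler.DroolsError;
import org.drools.compiler.PackageBuilder;

/**
 * Compiles a DRL text and refuses to hand back a rule base when the
 * compiler reported any error. Assumed Drools 4 API; the DRL samples
 * below are constructed for this example.
 */
public class DrlCompileCheck {

    private static final String HEADER =
        "package MyApplicationPermissions;\n" +           // assumed package name
        "import org.jboss.seam.security.PermissionCheck;\n" +
        "import org.jboss.seam.security.Role;\n";

    // Constructed sample: the constraint form the post reports as a syntax error.
    static final String BROKEN_DRL = HEADER +
        "rule FirmList\n" +
        "when\n" +
        "    c: PermissionCheck(name == \"/FirmList.xhtml\", action == \"render\")\n" +
        "    Role(name == \"adminGral\" or name == \"adminFirm\")\n" +
        "then\n" +
        "    c.grant();\n" +
        "end\n";

    // Constructed sample: the same rule written with "or" between two Role patterns.
    static final String FIXED_DRL = HEADER +
        "rule FirmList\n" +
        "when\n" +
        "    c: PermissionCheck(name == \"/FirmList.xhtml\", action == \"render\")\n" +
        "    Role(name == \"adminGral\")\n" +
        "    or\n" +
        "    Role(name == \"adminFirm\")\n" +
        "then\n" +
        "    c.grant();\n" +
        "end\n";

    /**
     * Parses and compiles one DRL document. Throws IllegalStateException
     * carrying every compiler message, so a deployment with a bad rule file
     * stops at startup instead of silently denying all permission checks.
     */
    static RuleBase compile(String drl) throws Exception {
        PackageBuilder builder = new PackageBuilder();
        builder.addPackageFromDrl(new StringReader(drl));
        if (builder.hasErrors()) {
            StringBuilder report = new StringBuilder("DRL compilation failed:\n");
            for (DroolsError error : builder.getErrors().getErrors()) {
                report.append("  ").append(error.getMessage()).append('\n');
            }
            throw new IllegalStateException(report.toString());
        }
        RuleBase ruleBase = RuleBaseFactory.newRuleBase();
        ruleBase.addPackage(builder.getPackage());
        return ruleBase;
    }

    public static void main(String[] args) throws Exception {
        try {
            compile(BROKEN_DRL);
            System.out.println("unexpected: broken DRL compiled");
        } catch (IllegalStateException e) {
            // Expected path: the compiler messages point at the offending Role constraint.
            System.out.println(e.getMessage());
        }
        compile(FIXED_DRL);
        System.out.println("fixed DRL compiled without errors");
    }
}
```

Running this against the real security.drl (read from the classpath instead of the inline strings) during application startup or in a unit test turns the situation in the thread, where admin is unexpectedly denied /FirmList.xhtml, into a compile error that names the rule at fault. The deny-on-error behaviour itself is the right default for an authorization layer; the point of the check is only to make the cause visible.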