2 Replies Latest reply on Feb 13, 2008 10:28 AM by jamesjmp

strange behaviour with security rules 2.0.1GA

jamesjmp Feb 12, 2008 6:51 AM

hi!
I have just started to work with the latest releases (SEAM 2.0.1.GA and JBOSS 4.2.2)
I am testing the security and something strange happens with my application.
Restrictions defined in my pages.xml with s:hasRole work ok, but in the .drl file they are not working properly.

This is my authenticate method:

 public boolean authenticate() {
 if (((identity.getUsername().equalsIgnoreCase("admin")) && (identity.getPassword().equalsIgnoreCase("hola")))) {
 identity.addRole("adminGral");
 return true;
 }
 else if (((identity.getUsername().equalsIgnoreCase("simpleuser")) && (identity.getPassword().equalsIgnoreCase("bonjour")))) {
 identity.addRole("user");
 return true;
 }
}

This are restrictions defined in pages.xml:

 <page view-id="/FirmChoose.xhtml">
 <restrict>#{s:hasRole('adminGral')}</restrict>
 </page>

 <page view-id="/FirmList.xhtml">
 <restrict/>
 </page>

and this is the rule defined in my security.drl

rule FirmList
when
c: PermissionCheck(name == "/FirmList.xhtml", action == "render")
Role(name == "adminGral")
then
c.grant();
end;

When I authenticate with simpleuser as it has user role I may not access to
the restricted pages (FirmList and FirmChoose) and the following exception appears:

12:27:41,671 ERROR [SeamPhaseListener] uncaught exception
org.jboss.seam.security.AuthorizationException: Authorization check failed for permission [/FirmList.xhtml,render]
at org.jboss.seam.security.Identity.checkPermission(Identity.java:486)
at org.jboss.seam.navigation.Page.checkPermission(Page.java:214)
at org.jboss.seam.navigation.Page.preRender(Page.java:238)
at org.jboss.seam.navigation.Pages.preRender(Pages.java:309)
at org.jboss.seam.jsf.SeamPhaseListener.preRenderPage(SeamPhaseListener.java:549)
at org.jboss.seam.jsf.SeamPhaseListener.beforeRenderResponse(SeamPhaseListener.java:460)
at org.jboss.seam.jsf.SeamPhaseListener.beforeServletPhase(SeamPhaseListener.java:144)
at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:114)
at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:222)
at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:144)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:245)
....

That is ok. But on the other hand if I authenticate with admin, I am allowed to access to FirmChoose ( #{s:hasRole('adminGral')} works perfectly) but howewer I may not acces to FirmList (FirmList does not grant my access in spite of having adminGral role)
I wonder if I have missed to configure something or if I am doing something wrong. (hope it not to be a bug)
thanks in advance!

1. Re: strange behaviour with security rules 2.0.1GA

shane.bryzak Feb 12, 2008 8:08 AM (in response to jamesjmp)

I just tested the default page security and can confirm that it does indeed work ok. I suggest you set a breakpoint in RuleBasedIdentity.hasPermission() to check that your permission check is actually being performed, and that your role is actually set in the working memory.
Actions
2. Re: strange behaviour with security rules 2.0.1GA

jamesjmp Feb 13, 2008 10:28 AM (in response to jamesjmp)
hi,
I have solved my problem. I desfribe my solution in case it helps. The matter was that in other rule I had in my security.drl (and that I did not post to my message) I had a syntax error.
With that error the rule I described before does not work, and once the syntax is correct, both rules work ok.
The sintax error was the following:
Role(name == "adminGral" or name == "adminFirm")

And the proper way is this:
Role(name == "adminGral") or Role(name == "adminFirm")

regards,
Jaime
Actions

Go to original post