2 Replies Latest reply on Mar 4, 2008 8:49 AM by pete007

    How do I deny access on my forms based on the concerned entity and user role


      Hello again,

      my last question for tonight has to deal with the Seam security stuff.
      I have different user roles, and every user should see only the pages which are in his scope.

      So, as an example, for my department list I added the following entry to the pages.xml:

      <page view-id="/Department*" login-required="true">
          <rule if-outcome="home">
            <redirect view-id="/home.xhtml"/>
          </rule>
      </page>

      This works wonderfully for users who are not logged in; they have to log in first.
      But after login it doesn't matter which role I have, everyone can see everything.

      So I tried to add a rule to the file security.drl:

      package Permissions;

      import java.security.Principal;
      import org.jboss.seam.security.PermissionCheck;
      import org.jboss.seam.security.Role;

      rule "RestrictDepartmentPages"
        activation-group "permissions"
      when
        check: PermissionCheck(name == "/Department*", granted == false)
        Role(name == "superadmin")
      then
        check.grant();
      end

      But this doesn't help, everyone who is logged in can still see everything.

      What am I doing wrong??

      I am always accessing the page by typing in the URL:


      Any help is welcome, Pete

      PS: I got another one, that's driving me mad:
      The username on login is also the name of the department,
      the account belongs to. Where should I put a restriction,
      that only shows the entities of the currently logged in department?
      I assume somewhere in the PersonList.java, but in which method?
      Do I have to override one from a superclass?

      Sorry for asking such dumb questions, but I didn't sleep for two days now ...
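As an added illustration (not code from the post above or from any reply), this is the shape of a role-based page restriction in a Seam 2 pages.xml: the page-level restrict element evaluates an EL expression before the view is rendered, so a logged-in user without the required role is refused rather than just redirected to the login page. The view-id pattern and the role name "superadmin" are taken from the post; the s:hasRole function is Seam's standard security EL function, and the /error.xhtml view is an assumed placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<pages xmlns="http://jboss.com/products/seam/pages"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://jboss.com/products/seam/pages
                           http://jboss.com/products/seam/pages-2.0.xsd"
       login-view-id="/login.xhtml">

    <!-- Every Department* view requires an authenticated user AND the
         superadmin role. login-required alone only checks authentication,
         which is why "everyone who is logged in can still see everything". -->
    <page view-id="/Department*" login-required="true">
        <restrict>#{s:hasRole('superadmin')}</restrict>

        <rule if-outcome="home">
            <redirect view-id="/home.xhtml"/>
        </rule>
    </page>

    <!-- Unauthenticated users are sent to login-view-id; authenticated users
         who fail the restrict check raise an AuthorizationException, which is
         mapped here to an assumed error view instead of the login page. -->
    <exception class="org.jboss.seam.security.NotLoggedInException">
        <redirect view-id="/login.xhtml">
            <message>Please log in first</message>
        </redirect>
    </exception>

    <exception class="org.jboss.seam.security.AuthorizationException">
        <redirect view-id="/error.xhtml">
            <message>You do not have the role required for this page</message>
        </redirect>
    </exception>

</pages>
```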