2 Replies Latest reply on Mar 4, 2008 8:49 AM by pete007

    How do I deny access on my forms based on the concerned entity and userrole

    Newbie

      Hello again,


      my last question for tonight has to deal with the seam security stuff.
      I have different user roles, and every user should see only pages which are in his scope.


      So, exemplarily for my department list I added the following entry to the pages.xml:


      <page view-id="/Department*" login-required="true">
        <navigation>
          <rule if-outcome="home">
            <redirect view-id="/home.xhtml"/>
          </rule>
        </navigation>
      </page>



      This works wonderful for not logged in user, they have to login first.
      But after login, it doesnt matter, which role I got, everyone can see everything.


      So I tried to add a rule to the file security.drl:


      package Permissions;
      import java.security.Principal;
      import org.jboss.seam.security.PermissionCheck;
      import org.jboss.seam.security.Role;
      
      rule RestrictDepartmentPages
        no-loop
        activation-group "permissions"
      when
        check: PermissionCheck(name == "/Department*", granted == false)
        Role(name == "superadmin")
      then
        check.grant();
      end



      But this doesnt help, everyone who is logged in can still see everything.


      What I am doing wrong??


      I am always accessing the page by typing in the URL:


      http://localhost:8080/gdc/DepartmentList.seam



      Any help is welcome, Pete



      PS: I got another one, thats driving me mad:
      The username on login is also the name of the department,
      the account belongs to. Where should I put a restriction,
      that only shows the entities of the currently logged in department?
      I assume somewhere in the PersonList.java, but in which method?
      Do I have to override one from a superclass?


      Sorry for asking such dumb questions, but I didnt sleep for two days now ..