Why does the following basic sample security.drl file not work? I know that it's getting used because if I change something in the file to be invalid, I get the appropriate error message upon application startup. But in this case the rules file parses/compiles fine.
rule firstrule when check : PermissionCheck(action == "render") Identity(loggedIn == false) then check.revoke(); end; rule secondrule when check : PermissionCheck(name == "/page.xhtml", action == "render") then check.grant(); end;
These are the only two rules in the file. What I'd like to do is (using security.drl and not pages.xml) disallow access to all pages for people who are not logged in - that's the first rule. The second rule says if someone accesses page.xhtml, then they're allowed to proceed without being logged in.
This doesn't work because anyone can access any page without being logged in. Am I allowed to use check.revoke() as I have? If so, what am I doing wrong here? (I realize this can be done in pages.xml, but it's not working there as well for me, and I'd like to learn more about how to properly use security.drl.)