0 Replies Latest reply on Sep 8, 2008 8:16 AM by jk;l jkl;

    Why is this security.drl not working as expected?

    jk;l jkl; Expert

      Why does the following basic sample security.drl file not work? I know that it's getting used because if I change something in the file to be invalid, I get the appropriate error message upon application startup. But in this case the rules file parses/compiles fine.



      rule firstrule
      when
        check : PermissionCheck(action == "render")
        Identity(loggedIn == false)
      then
        check.revoke();
      end;
      
      rule secondrule
      when
        check : PermissionCheck(name == "/page.xhtml", action == "render")
      then
        check.grant();
      end;




      These are the only two rules in the file. What I'd like to do is (using security.drl and not pages.xml) disallow access to all pages for people who are not logged in - that's the first rule. The second rule says if someone accesses page.xhtml, then they're allowed to proceed without being logged in.


      This doesn't work because anyone can access any page without being logged in. Am I allowed to use check.revoke() as I have? If so, what am I doing wrong here? (I realize this can be done in pages.xml, but it's not working there as well for me, and I'd like to learn more about how to properly use security.drl.)


      Thanks.
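A simplified model of how the two posted rules combine, as an added example that is not part of the original post and is not Seam or Drools code. It assumes a permission check is actually evaluated for the request, that a check starts out denied, that grant() and revoke() only overwrite one flag, and that rules without explicit ordering may fire in any order; `GRANT_ONLY_RULES` and `outcomes` are hypothetical names.

```python
from itertools import permutations

class PermissionCheck:
    """Stand-in for the fact the rules match on; starts denied (assumption)."""
    def __init__(self, name, action):
        self.name, self.action, self.granted = name, action, False
    def grant(self):
        self.granted = True
    def revoke(self):
        self.granted = False

# Each rule is (condition, consequence). These mirror the two posted rules.
POSTED_RULES = [
    # firstrule: any render while not logged in -> revoke
    (lambda c, logged_in: c.action == "render" and not logged_in,
     PermissionCheck.revoke),
    # secondrule: render of /page.xhtml -> grant
    (lambda c, logged_in: c.name == "/page.xhtml" and c.action == "render",
     PermissionCheck.grant),
]

# Hypothetical grant-only variant: no revoke, the denied default does the blocking.
GRANT_ONLY_RULES = [
    (lambda c, logged_in: c.name == "/page.xhtml" and c.action == "render",
     PermissionCheck.grant),
    (lambda c, logged_in: c.action == "render" and logged_in,
     PermissionCheck.grant),
]

def outcomes(rules, name, logged_in, action="render"):
    """Set of final decisions over every possible firing order of the rules."""
    results = set()
    for order in permutations(rules):
        check = PermissionCheck(name, action)
        for condition, consequence in order:
            if condition(check, logged_in):
                consequence(check)
        results.add(check.granted)
    return results

if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("grant-only", GRANT_ONLY_RULES)):
        for page in ("/page.xhtml", "/other.xhtml"):
            for logged_in in (False, True):
                print(label, page, "logged_in" if logged_in else "anonymous",
                      sorted(outcomes(rules, page, logged_in)))
```

Under these assumptions the posted rules give an order-dependent result for an anonymous request to /page.xhtml and deny a logged-in user every other page, because no rule grants it; the grant-only variant gives one answer per case regardless of firing order.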