7 Replies Latest reply on Oct 15, 2008 11:47 PM by Shane Bryzak

    RuleBasedPermissionResolver with own PermissionStore

    Michael Trompertz Newbie

      Hi,


      I want to use a RuleBasedPermissionResolver for security checking (Seam 2.1 CR1) but with my own permission entities because the users are in usergroups and the usergroups has permissions to targets. The data are stored in a database.
      So I tried to write a MyPermissionStore class which implements the PermissionStore Interface but the PermissionManager does not find this component.



      ...
      @Name("org.jboss.seam.security.jpaPermissionStore")
      @Install(precedence = Install.APPLICATION, value=false) 
      @Scope(ScopeType.APPLICATION)
      @BypassInterceptors
      public class MyPermissionStore implements PermissionStore,
          Serializable
      {
        ...
      



      From components.xml:


        <drools:rule-base name="securityRules">
            <drools:rule-files><value>/security.drl</value></drools:rule-files>
         </drools:rule-base>
         <security:rule-based-permission-resolver security-rules="#{securityRules}"/>
         <security:permission-manager permission-store="#{jpaPermissionStore}"/>
      



      From the Logfile


      WARN  [PermissionManager] no permission store available - please install a PermissionStore with the name 'org.jboss.seam.security.jpaPermissionStore' if permission management is required.
      



      and in the PermissionManager.create() the permissionStore variable is always null.


      What is missing?


      Michael

        • 1. Re: RuleBasedPermissionResolver with own PermissionStore
          Shane Bryzak Master

          Try this instead:


          components.xml:


          <security:permission-manager permission-store="#{myPermissionStore}"/>



          MyPermissionStore.java:


          @Name("myPermissionStore")
          @Scope(ScopeType.APPLICATION)
          @BypassInterceptors
          public class MyPermissionStore implements PermissionStore,
              Serializable
          {



          Also, what's the difference between a usergroup and a role?

          • 2. Re: RuleBasedPermissionResolver with own PermissionStore
            Michael Trompertz Newbie

            Thanks for your answer - that worked, the PermissionManager found my store.


            But perhaps I am on the wrong path ...
            What I want to do is to set the permissions dynamically from the database. My usergroups bundles permissions (can also changed dynamically - so I think I can't use roles) and a user is a member of one or more roles (also dynamically from database).
            After the user logs in successfully the authenticate methode has to determine the permissions of that user from the database and assign this via the PermsissionManager.grantPermission( permission ) method. But this failed with a exception:


            10:45:14,191 ERROR [SeamLoginModule] Error invoking login method
            javax.el.ELException: org.jboss.seam.security.NotLoggedInException
                 at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:333)
                 at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:342)
            



            Must I use the RunAsOperation or the security events or anything else?


            Michael

            • 3. Re: RuleBasedPermissionResolver with own PermissionStore
              Shane Bryzak Master

              I still don't understand why you can't use role permissions.  Also, what is the point of granting permissions to a user if the permissions are already in the database?  Perhaps if you posted a code sample that demonstrates what you want to achieve I might be able to give you some more constructive suggestions.


              As for calling the PermissionManager methods, the currently authenticated user must have the appropriate security permission to invoke them, which if you intend to do this in the authenticate() method they won't have (so you'll need to use RunAsOperation as you stated).  Also, is there any reason you are using an authenticator component and not the identity management API to authenticate?  It makes more sense to use identity management as you're already using permission management.

              • 4. Re: RuleBasedPermissionResolver with own PermissionStore
                Michael Trompertz Newbie

                Some things get clearer others not ...


                The reason for using an authenticator component is that I started with the Eclipse wizard and extended the example
                but after a short look into the identity management API I think using this is a good suggestion.


                I found the following in the forum Security - Define dynamic Role in application which is a little bit old but very similar to what I am trying to do.


                From my Session Bean:


                ...
                  @In
                  private WorkingMemory pmscadaWorkingMemory;
                  
                ...
                      for ( int i = 0; i < userPermissions.size(); i++ )
                      {
                        permission = new org.jboss.seam.security.permission.Permission(userPermissions.get( i ).getTarget(),userPermissions.get( i ).getAction(),p );
                        pmscadaWorkingMemory.insert( permission );
                      }
                ...
                


                components.xml:


                ...
                  <drools:managed-working-memory name="pmscadaWorkingMemory"
                    auto-create="true" rule-base="#{securityRules}" />
                ...
                



                My Permission(User, Show ) is inserted into the WorkingMemory after the successful login (did it with the org.jboss.seam.security.loginSuccessful event) without Exception, but the output in my web page


                     <h:outputLabel rendered="#{s:hasPermission('User','show')}">Has Permission</h:outputLabel>
                


                is never rendered.

                • 5. Re: RuleBasedPermissionResolver with own PermissionStore
                  Shane Bryzak Master

                  Wow, that forum post is old.  I recommend that you pretty much forget everything it says, as it's mostly obsolete now.  All you really need to do is configure the PersistentPermissionResolver as per the docs (read section 15.6.10 very carefully) and you'll then be able to assign permissions to roles, no need to write any rules or insert any objects into the working memory, the permissions will just work.

                  • 6. Re: RuleBasedPermissionResolver with own PermissionStore
                    Michael Trompertz Newbie

                    Ok I understand that.


                    But I like the possibilities of Drools and Permissions which are assigned dynamically to a user. This has a very high flexibility for an application. Is there any way to do this?


                    Thanks for your help!

                    • 7. Re: RuleBasedPermissionResolver with own PermissionStore
                      Shane Bryzak Master

                      Persistent permissions are dynamic, as they're data-driven.  And you can always combine the use of persistent permissions with rule-based permissions (there's no rule saying you can't use both).