-
1. Re: RuleBasedPermissionResolver with own PermissionStore
shane.bryzak Oct 15, 2008 12:25 AM (in response to michaeltr)
Try this instead:
components.xml:
<security:permission-manager permission-store="#{myPermissionStore}"/>
MyPermissionStore.java:
@Name("myPermissionStore")
@Scope(ScopeType.APPLICATION)
@BypassInterceptors
public class MyPermissionStore implements PermissionStore, Serializable {
Also, what's the difference between a usergroup and a role?
-
2. Re: RuleBasedPermissionResolver with own PermissionStore
michaeltr Oct 15, 2008 10:50 AM (in response to michaeltr)
Thanks for your answer - that worked, the PermissionManager found my store.
But perhaps I am on the wrong path ...
What I want to do is to set the permissions dynamically from the database. My usergroups bundle permissions (these can also be changed dynamically - so I think I can't use roles) and a user is a member of one or more roles (also dynamically from database).
After the user logs in successfully the authenticate method has to determine the permissions of that user from the database and assign this via the PermissionManager.grantPermission( permission ) method. But this failed with an exception:
10:45:14,191 ERROR [SeamLoginModule] Error invoking login method
javax.el.ELException: org.jboss.seam.security.NotLoggedInException
    at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:333)
    at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:342)
Must I use the RunAsOperation or the security events or anything else?
Michael
-
3. Re: RuleBasedPermissionResolver with own PermissionStore
shane.bryzak Oct 15, 2008 11:15 AM (in response to michaeltr)
I still don't understand why you can't use role permissions. Also, what is the point of granting permissions to a user if the permissions are already in the database? Perhaps if you posted a code sample that demonstrates what you want to achieve I might be able to give you some more constructive suggestions.
As for calling the PermissionManager methods, the currently authenticated user must have the appropriate security permission to invoke them, which if you intend to do this in the authenticate() method they won't have (so you'll need to use RunAsOperation as you stated). Also, is there any reason you are using an authenticator component and not the identity management API to authenticate? It makes more sense to use identity management as you're already using permission management.
-
4. Re: RuleBasedPermissionResolver with own PermissionStore
michaeltr Oct 15, 2008 4:46 PM (in response to michaeltr)
Some things get clearer, others not ...
The reason for using an authenticator component is that I started with the Eclipse wizard and extended the example, but after a short look into the identity management API I think using this is a good suggestion.
I found the following in the forum, "Security - Define dynamic Role in application", which is a little bit old but very similar to what I am trying to do.
From my Session Bean:
...
@In
private WorkingMemory pmscadaWorkingMemory;
...
for ( int i = 0; i < userPermissions.size(); i++ ) {
    permission = new org.jboss.seam.security.permission.Permission(
        userPermissions.get( i ).getTarget(), userPermissions.get( i ).getAction(), p );
    pmscadaWorkingMemory.insert( permission );
}
...
components.xml:
... <drools:managed-working-memory name="pmscadaWorkingMemory" auto-create="true" rule-base="#{securityRules}" /> ...
My Permission(User,Show) is inserted into the WorkingMemory after the successful login (did it with the org.jboss.seam.security.loginSuccessful event) without Exception, but the output in my web page
<h:outputLabel rendered="#{s:hasPermission('User','show')}">Has Permission</h:outputLabel>
is never rendered.
-
5. Re: RuleBasedPermissionResolver with own PermissionStore
shane.bryzak Oct 15, 2008 5:37 PM (in response to michaeltr)
Wow, that forum post is old. I recommend that you pretty much forget everything it says, as it's mostly obsolete now. All you really need to do is configure the PersistentPermissionResolver as per the docs (read section 15.6.10 very carefully) and you'll then be able to assign permissions to roles, no need to write any rules or insert any objects into the working memory, the permissions will just work.
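An added illustration of the persistent-permission setup recommended in the reply above; it is not code from any poster in this thread or from the Seam project. It assumes Seam 2.1's stock JPA-backed permission store and its permission annotations; the entity name, package and column layout are hypothetical.

```java
// Added example, not from the thread. Hypothetical entity for a JPA-backed
// permission store; one table holds both user and role permissions.
//
// Assumed components.xml wiring (class name is a placeholder):
//   <security:jpa-permission-store
//       user-permission-class="com.example.model.AccountPermission"/>
package com.example.model;

import java.io.Serializable;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import org.jboss.seam.annotations.security.permission.PermissionAction;
import org.jboss.seam.annotations.security.permission.PermissionDiscriminator;
import org.jboss.seam.annotations.security.permission.PermissionRole;
import org.jboss.seam.annotations.security.permission.PermissionTarget;
import org.jboss.seam.annotations.security.permission.PermissionUser;

@Entity
public class AccountPermission implements Serializable {
    private static final long serialVersionUID = 1L;

    private Integer permissionId;
    private String recipient;      // user name or role name the row applies to
    private String target;         // what the permission is on
    private String action;         // what may be done to the target
    private String discriminator;  // tells user rows apart from role rows

    @Id @GeneratedValue
    public Integer getPermissionId() { return permissionId; }
    public void setPermissionId(Integer id) { this.permissionId = id; }

    // Same column serves as recipient for both user and role permissions.
    @PermissionUser @PermissionRole
    public String getRecipient() { return recipient; }
    public void setRecipient(String recipient) { this.recipient = recipient; }

    @PermissionTarget
    public String getTarget() { return target; }
    public void setTarget(String target) { this.target = target; }

    @PermissionAction
    public String getAction() { return action; }
    public void setAction(String action) { this.action = action; }

    @PermissionDiscriminator
    public String getDiscriminator() { return discriminator; }
    public void setDiscriminator(String d) { this.discriminator = d; }
}
```

With rows in this table acting as the source of truth, a permission change takes effect through data alone, without inserting Permission objects into a Drools working memory at login.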
-
6. Re: RuleBasedPermissionResolver with own PermissionStore
michaeltr Oct 15, 2008 6:07 PM (in response to michaeltr)
Ok I understand that.
But I like the possibilities of Drools and Permissions which are assigned dynamically to a user. This has a very high flexibility for an application. Is there any way to do this?
Thanks for your help!
-
7. Re: RuleBasedPermissionResolver with own PermissionStore
shane.bryzak Oct 15, 2008 11:47 PM (in response to michaeltr)
Persistent permissions are dynamic, as they're data-driven. And you can always combine the use of persistent permissions with rule-based permissions (there's no rule saying you can't use both).