1 Reply Latest reply on Dec 11, 2008 12:51 AM by Shane Bryzak

    Using rules on password change

    Augusto Cesar Lima Newbie

      Hi everyone !
      I just started using seam and I'm getting kinda stuck while trying to use some of the security features. I just included the security rules described in the reference:



      rule ManageUsers
       no-loop
       activation-group "permissions"
      when  
        check: PermissionCheck(name == "seam.user", granted == false)
        Role(name == "admin")
      then
        check.grant();
      end
      
      rule ManageRole
       no-loop
       activation-group "permissions"
      when  
        check: PermissionCheck(name == "seam.role", granted == false)
        Role(name == "admin")
      then
        check.grant();
      end
      
      rule ManagePermissions
       no-loop
       activation-group "permissions"
      when  
        check: PermissionCheck(action == "seam.grant-permission", granted == false)
        Role(name == "admin")
      then
        check.grant();
      end



      It works fine but I found a problem for non-admins on some actions. While changing password a non-admin user cannot change his own since, obviously, he is not admin (he has user Role). So I get the expected exception :



      Caused by javax.faces.FacesException with message: "#{changePasswordAction.changePassword}: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[seam.user,update]"




      I don't know how to make a rule to let the PermissionCheck on password change allows the current logged user to fullfil the action. Should I use the PermissionStores with ACLs or is there a simple way to make it with Drools Rules? Sorry if these are somewhat stupid questions, like I said I'm just beginning,


      Thanks in advance