I'm trying to use rule-based security along with drools:rule-agent. My rule agent is configured as follows:
    <drools:rule-agent name="securityRules"
                       url="our_url"
                       local-cache-dir="#{env.property('java.io.tmpdir')}"
                       new-instance="false"
                       poll="30"
                       config-name="securityConfig"
                       auto-create="true" />
We set new-instance to false so that the rulebase picks up the changes automatically. However, we're still having issues with permissions not working correctly.
I did some peeking and in RuleBasedPermissionResolver, the creation of the stateful session has false on the keepReference parameter.
    if (getSecurityRules() != null) {
        setSecurityContext(getSecurityRules().newStatefulSession(false));
        getSecurityContext().setGlobalResolver(
            new SeamGlobalResolver(getSecurityContext().getGlobalResolver()));
    }
According to the Drools documentation, when set to true, which is the default, the rulebase maintains a weak reference to the working memory. So I was thinking it's OK to just leave it blank. We overrode the RuleBasedPermissionResolver to
    @Override
    protected void initSecurityContext() {
        super.initSecurityContext();
        if (getSecurityRules() != null) {
            // set a stateful session that is referred to by the rulebase.
            // this is for agent-based deployment.
            setSecurityContext(getSecurityRules().newStatefulSession());
            getSecurityContext().setGlobalResolver(
                new SeamGlobalResolver(getSecurityContext().getGlobalResolver()));
        }
    }
and it started working correctly.
Is there any reason that RuleBasedPermissionResolver had it set to false? Would it make sense to make this configurable via
<security:rule-based-permission-resolver/>
as a feature of Seam Security?
Thanks for your input.