0 Replies Latest reply on Jul 25, 2009 1:04 AM by mtorres

    Rule-based security and drools agent

    mtorres

      I'm trying to use rule-based security along with drools:rule-agent. My rule agent is configured as follows:



      <drools:rule-agent name="securityRules"
                url="our_url"
                local-cache-dir="#{env.property('java.io.tmpdir')}"
                new-instance="false"
                poll="30"
                config-name="securityConfig"
                auto-create="true" />




      We set new-instance to false so that the rulebase picks up the changes automatically. However, we're still having issues with permissions not working correctly.


      I did some peeking, and in RuleBasedPermissionResolver, the creation of the stateful session has false on the keepReference parameter.



      if (getSecurityRules() != null)
      {
         setSecurityContext(getSecurityRules().newStatefulSession(false));
         getSecurityContext().setGlobalResolver(new SeamGlobalResolver(getSecurityContext().getGlobalResolver()));
      }



      According to the Drools documentation, when set to true, which is the default, the rulebase maintains a weak reference to the working memory. So I was thinking it's OK to just leave it blank. We overrode the RuleBasedPermissionResolver to



      @Override
      protected void initSecurityContext() {
          super.initSecurityContext();
          if (getSecurityRules() != null) {
              // Set a stateful session that is referred to by the rulebase.
              // This is for agent-based deployment.
              setSecurityContext(getSecurityRules().newStatefulSession());
              getSecurityContext().setGlobalResolver(new SeamGlobalResolver(getSecurityContext().getGlobalResolver()));
          }
      }



      and it started working correctly.


      Is there any reason that RuleBasedPermissionResolver had it set to false? Would it make sense to make this configurable via


      <security:rule-based-permission-resolver/>



      as a feature of Seam Security?


      Thanks for your input.