8 Replies Latest reply on Oct 30, 2009 1:24 AM by Wayne Hannam

    Problem with IdentityManager

    Alexander Müller Newbie

      Hi everyone,


      I'm using Seam 2.2.0 GA and Jboss 5.0.1 GA.


      Calling the following methods result in an exception:


      @End(beforeRedirect=true)
           public String changePassword() {
                if( passwordOne == null || passwordTwo == null || "".equals(passwordOne) || "".equals(passwordTwo) ) {
                     facesMessages.add("Passwort darf nicht leer sein");               
                     return null;
                }
                if( ! passwordOne.equals(passwordTwo) ) {
                     facesMessages.add("Die Passwörter müssen übereinstimmen");               
                     return null;     
                }
                identityManager.changePassword(userHome.getInstance().getUserName(), passwordOne);
                return getRedirect();
           }



      identityManager.changePassword(userHome.getInstance().getUserName(), passwordOne);



      The exception:


      Caused by: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[seam.user,update]
           at org.jboss.seam.security.Identity.checkPermission(Identity.java:590)
           at org.jboss.seam.security.management.IdentityManager.changePassword(IdentityManager.java:123)
           at com.muellerseidel.peachshops.core.session.PasswordChangeAction.changePassword(PasswordChangeAction.java:66)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
           at java.lang.reflect.Method.invoke(Unknown Source)
           at org.jboss.seam.util.Reflections.invoke(Reflections.java:22)
           at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:32)
           at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
           at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:28)
           at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
           at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:77)
           at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
           at org.jboss.seam.core.ConversationInterceptor.aroundInvoke(ConversationInterceptor.java:56)
           at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
           at org.jboss.seam.bpm.BusinessProcessInterceptor.aroundInvoke(BusinessProcessInterceptor.java:51)
           at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
           at org.jboss.seam.core.ConversationalInterceptor.aroundInvoke(ConversationalInterceptor.java:43)
           at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
           at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:44)
           at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
           at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
           at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:185)
           at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:103)
           at com.muellerseidel.peachshops.core.session.PasswordChangeAction_$$_javassist_seam_6.changePassword(PasswordChangeAction_$$_javassist_seam_6.java)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
           at java.lang.reflect.Method.invoke(Unknown Source)
           at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:335)
           at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:348)
           at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
           at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
           at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
           at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
           at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88)
           ... 53 more



      Relevant part of my components.xml is:


      <drools:rule-base name="securityRules" rule-files="/security.drl"/>          
      
           <security:rule-based-permission-resolver
                security-rules="#{securityRules}" />
      
           <security:jpa-identity-store  user-class="com.muellerseidel.peachshops.core.entity.User" role-class="com.muellerseidel.peachshops.core.entity.Role"/>



      I've took the security.drl from the examples:


      package Permissions;
      
      import java.security.Principal;
      
      import org.jboss.seam.security.PermissionCheck;
      import org.jboss.seam.security.Role;
      
      rule ManageUsers
        no-loop
        activation-group "permissions"
      when
        check: PermissionCheck(name == "seam.user", granted == false)
        Role(name == "admin")
      then
        check.grant();
      end
      
      rule ManageRoles
        no-loop
        activation-group "permissions"
      when
        check: PermissionCheck(name == "seam.role", granted == false)
        Role(name == "admin")
      then
        check.grant();
      end



      According to the expression

      #{identity.hasRole('admin')}

      the user I'm working with should be in that role. Anyone has an idea how to fix this?

        • 1. Re: Problem with IdentityManager
          Marco Röösli Newbie

          It seems to me that you forgott to point to your drl file


          do you have something like this:



          <drools:rule-base name="securityRules">
                 <drools:rule-files>
                     <value>/META-INF/security-rules.drl</value>
                 </drools:rule-files>
              </drools:rule-base>






          If it's not required that seam checks the action update for seam.user you can use the store


          JpaIdentityStore identityStroe = (JpaIdentityStore) Component.getInstance("org.jboss.seam.security.identityStore", ScopeType.EVENT);
          identityStroe.changePassword(userHome.getInstance().getUserName(), passwordOne);
          



          you also can use the RunAsOperation



           new RunAsOperation() {
                                  public void execute() {
                                          
                                          result=identityManager.changePassword(userHome.getInstance().getUserName(), passwordOne);
                                  }
                          }.addRole("admin").run();




          With this method you can check if the role admin is the identity object


          public static List<String> getIdentityRoles(Identity identity) {
                List<String> roles = new ArrayList<String>();
                Subject subject = identity.getSubject();
          
                for (Group sg : subject.getPrincipals(Group.class)) {
                   if (Identity.ROLES_GROUP.equals(sg.getName())) {
                      Enumeration<Principal> e = (Enumeration<Principal>) sg.members();
                      while (e.hasMoreElements()) {
                         Principal member = (Principal) e.nextElement();
                         roles.add(member.getName());
                      }
                   }
                }
                return roles;
             }



          if your identity object contains the role admin something with ur drl config is wrong else you need to add the role admin


          Greetz Marco








          • 2. Re: Problem with IdentityManager
            Alexander Müller Newbie

            Thanks Marco for your reply.


            <drools:rule-base name="securityRules">
                   <drools:rule-files>
                       <value>/META-INF/security-rules.drl</value>
                   </drools:rule-files>
                </drools:rule-base>



            The obove code is part of components.xml. I prefer to really use this permission stuff. It seems to me that seam doesn't know how to check for permissions. I've even made a typo into


            <value>/META-INF/nonexistingfile.drl</value>

            and seam doesn't complain.


            I've even tried your getIdentityRoles() Method and the current user is in role admin......


            This problem really gets time-consuming :(


            • 3. Re: Problem with IdentityManager
              Marco Röösli Newbie

              Sorry my mistake I overlooked:


              <drools:rule-base name="securityRules" rule-files="/security.drl"/>



              your config looks good except I can't see an identity-manager configured.
              in your config is a identity-store configured


              <security:jpa-identity-store  user-class="com.muellerseidel.peachshops.core.entity.User" role-class="com.muellerseidel.peachshops.core.entity.Role"/>



              you need a manager too and the manager must point to your store. Something like this:


              <security:identity-manager identity-store="#{jpaIdentityStore}" />
                   <security:jpa-identity-store  user-class="com.muellerseidel.peachshops.core.entity.User" role-class="com.muellerseidel.peachshops.core.entity.Role"/>
                   



              or is your .drl file in the right directory?
              if you setup drools like this


              <security:rule-based-permission-resolver
                              security-rules="#{securityRules}" />
              
                  <drools:rule-base name="securityRules">
                     <drools:rule-files>
                         <value>/META-INF/security-rules.drl</value>
                     </drools:rule-files>
                  </drools:rule-base>



              the file


              security-rules.drl



              should be here in your ear:



              yourProject.ear\yourProject.jar\META-INF



              Has you debuged in the class: RuleBasedPermissionResolver ?
              is the method create() called?


              You should also check that the RuleBasedPermissionResolver is in the ResolverChain:


              Debug in PermissionMapper class


              Line 60


              Map<String,String> chains = resolverChains.get(target);



              and look if chains contains a RuleBasedPermissionResolver



              Greetz Marco





              • 4. Re: Problem with IdentityManager
                Alexander Müller Newbie

                Hi Marco,


                I've solved the problem. The additional drools jar where missing. Drools couldn't start and the permission check failed.


                I think this is either a bug:


                - Seam doesn't complain when using drools without having the necessary jars in cp


                or


                this could be a problem with my jboss tools.


                Should we place a bug in jira or sth.?


                Best Regards,


                Alex

                • 5. Re: Problem with IdentityManager
                  Brian Hiles Newbie

                  What additional jar was missing?

                  • 6. Re: Problem with IdentityManager
                    Gus Gu Expert

                    I also have the problem after updating to Seam 2.2.0. Can you explain what additional jar was missing? Thanks.

                    • 7. Re: Problem with IdentityManager
                      Gus Gu Expert
                      After searching the Seam examples build.xml, it seems that the following jars are required for drools:

                           <!-- Dependencies for using Seam with Drools -->
                           <fileset id="drools.jar" dir="${lib.dir}">
                                <include name="antlr-runtime.jar" if="drools.lib" />
                                <include name="core.jar" if="drools.lib" />
                                <include name="janino.jar" if="drools.lib" />
                                <include name="mvel2.jar" if="drools.lib" />
                                <include name="drools-core.jar" if="drools.lib" />
                                <include name="drools-compiler.jar" if="drools.lib" />
                                <include name="drools-api.jar" if="drools.lib" />
                                <include name="drools-decisiontables.jar" if="drools.lib"/>
                                <include name="drools-templates.jar" if="drools.lib"/>
                                <include name="xstream.jar" if="drools.lib"/>
                                <include name="xpp3_min.jar" if="drools.lib"/>
                                <include name="jxl.jar" if="drools.lib"/>
                           </fileset>
                      • 8. Re: Problem with IdentityManager
                        Wayne Hannam Newbie
                        After reading this thread, what I found was necessary for my application (moving from seam-2.0 -> seam-2.2), was only the inclusion of the drools-api.jar in the ear.