9 Replies Latest reply on Sep 29, 2011 8:25 AM by Freddy Moran

    Using PermissionManager to grant

    Khosro Asgharifard Sharabiani Newbie

      Hello,
      Our apps needs to create permission dynamically so that we use ACL permission based,and we do not use Drools.
      For giving grant to a user to access a entity we use PermissionManager class.
      But there is a problem using PermissionManager .
      For example i log in with admin username.And if i used this code
      In this code user parameter is a user other than admin user(Admin creates a new user)


      securityService.grantPermission(user.getPerson(),"homepage.management", user);
      



      This code means that,user granted to edit his own home page.


      But when i run this code ,i got this exception :


      org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[User@38,seam.grant-permission]
      
      


      If i insert this row to database manually


      target action                  recipient descriminator
      user:1  seam.grant-permission   admin      user
      



      i could run this code


      securityService.grantPermission(user.getPerson(),"homepage.management", user);
      



      But it means that for granting a permission to a user to access a entity instance i must always insert a row with action column seam.grant-permission and target column must be entity instance.
      This is not good,because, for example ,i insert a entity to database and in the same time i want to grant a user to access it,for granting user i must insert a new row and then grant user to access this entity,and i can not do them at the same time because i got this exception AuthorizationException.
      How to solve this problem?


      Khosro.

        • 1. Re: Using PermissionManager to grant
          Samuel Doyle Apprentice
          Why not use drools and setup some simple rule security.drl it was made for this sort of thing.

          e.g.

          rule "AllowManage"
          no-loop
          when
             user: User(isAdmin == true);
             perm: PermissionCheck(target == "homepage.management", action == "access", granted == false);
          then
             perm.grant();
          end


          Then you could use something like the following in your JSF or in your code within @Restrict
          "#{s:hasPermission('homepage.management', 'access', user}"

          You could even do the same check in your code like:
          if (Identity.hasPermission("homepage.management", "access", user)) { ... }
          • 2. Re: Using PermissionManager to grant
            Khosro Asgharifard Sharabiani Newbie

            Hi,
            Yes,you are right,we can do it by Drools.We have implemented it by Drools before.
            But now we want to use database for storing permissions and generate permissions dynamically.
            But i encounter this problem that i described.


            Khosro.


            • 3. Re: Using PermissionManager to grant
              Khosro Asgharifard Sharabiani Newbie

              Hi,


              It seems nobody faces such a problem that i have.
              Ok.
              I have another question(Maybe i must create a new post in forum)
              Is there any way to add dynamically permission to database in seam without having a problem that i have described above?Or is there any tutorial for it.


              Khosro.

              • 4. Re: Using PermissionManager to grant
                Shane Bryzak Master

                If I'm understanding your problem correctly, you can use a RunAsOperation to grant the permission as the admin user.

                • 5. Re: Using PermissionManager to grant
                  Khosro Asgharifard Sharabiani Newbie

                  Hello,


                  Thanks Shane,


                  Oh,i made a big mistake that i do not show SecurtiyService class.
                  SecurtiyService class :


                  public class SecurityService {
                  
                       public void grantPermission(Object target, String action, User user) {
                            Permission permission = new Permission(target, action, new SimplePrincipal(user.getUsername()));
                            
                            PermissionManager.instance().grantPermission(permission);
                       }
                       
                  }
                  






                  I have run this code but still i got exception




                   RunAsOperation asOperation=new RunAsOperation() {
                                 
                                 @Override
                                 public void execute() {
                                      // TODO Auto-generated method stub
                                      securityService.grantPermission(user.getPerson(),
                                                "homepage.management", user);
                                 }
                            };
                            asOperation.addRole("admin").run();
                  


                  exception is


                  Authorization check failed for permission[edu.aut.autcms.entity.User@43,seam.grant-permission]
                  



                  Khosro.

                  • 6. Re: Using PermissionManager to grant
                    Shane Bryzak Master

                    I just noticed in your first post that you set the discriminator for admin to 'user'.  It should be 'role'.

                    • 7. Re: Using PermissionManager to grant
                      Khosro Asgharifard Sharabiani Newbie

                      i Shane,



                      Maybe i am in a wrong way to describe my problem or maybe i can not undrestand how to use RunAsOperation class.


                      But in short :


                      I log in with username admin and password admin


                      then i want to insert this row in user table:


                      id username password
                      2   bob       bob
                      


                      and i successfully add it to user table.
                      and then i wan to insert this row in permission table.


                      target  action                  recipient descriminator
                      user:2  homepage.management     bob       user
                      
                      


                      In pages.xml i restrict home page with :


                      <page view-id="/people/mgmt/homepage.xhtml">
                        <restrict>#{s:hasPermission(userHome.user,'homepage.management')}</restrict> 
                      </page>
                      



                      For doing this ,i had to first insert this row in permission table:


                      target action                  recipient descriminator
                      user:2  seam.grant-permission   admin      user
                      


                      ,otherwise i got this exception



                      org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[edu.aut.autcms.entity.User@53,seam.grant-permission]
                      


                      And using RunAsOperation do not solve my problem.


                      Khosro.

                      • 8. Re: Using PermissionManager to grant
                        Khosro Asgharifard Sharabiani Newbie

                        Hello,


                        I have one basic question about security in Seam.
                        As Seam doc says(Permission checks for PermissionManager operations) ,if we want to grant a permission to a user(or role) on instance of a object(in Seam's term ,it is target),target must have seam.grant-permission
                        permission action.So first we must grant user(or role) on target and giving seam.grant-permission
                        permission action to target.
                        I use these codes:


                        MyController.java


                             RunAsOperation asOperation=new RunAsOperation() {
                                  
                                  @Override
                                  public void execute() {
                                        securityService.grantPermissionByRole(target,
                                                  "seam.grant-permission", roleDAO.findByName("admin"));
                        
                                  }
                             };
                             asOperation.addRole("admin").run();
                        



                        SecurityService.java


                            public void grantPermissionByRole(Object target, String action,Role role) {
                                  Permission permission = new Permission(target, action, new SimplePrincipal(role.getName()));
                                  PermissionManager.instance().grantPermission(permission);
                             }
                        



                        RoleDOA.java


                               public Role findByName(String name) {
                                  String query = "FROM Role where name = ?";
                                  return (Role) em.createQuery(query).setParameter(1, name).getSingleResult();
                             }
                        
                        



                        But i still got AuthorizationException in MyController class.
                        Exception is :


                        org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[edu.aut.autcms.entity.target@2b,seam.grant-permissio
                        n]
                        




                        I am really confusing about using security in Seam.


                        Khosro.







                        • 9. Re: Using PermissionManager to grant
                          Freddy Moran Newbie

                          Dear Khosro Asgharifard


                          I am a new user but your error is for this reason:


                          You hava not privileges for create new permissions.


                          Fix: add the following sentences in your import.sql:


                          insert into permission (id, target, action, recipient, discriminator) values (1, 'permission', 'seam.read-permissions','your role', 'role')
                          insert into permission (id, target, action, recipient, discriminator) values (2, 'permission', 'seam.grant-permission','your role', 'role')
                          insert into permission (id, target, action, recipient, discriminator) values (3, 'permission', 'seam.revoke-permission','your role', 'role')


                          Best Regards