4 Replies Latest reply on Aug 17, 2010 1:31 PM by Chris Simons

    Authorization check failed for permission seam.role,read

    Chris Simons Expert

      We're attempting to add rule-based permission checking to our application using Drools/Seam integration.

      I read that the IdentityManager API requires special access in order to be used; therefore, following the documentation, I added the following two rules to our security file.

      package AppPermissions;
      
      import java.security.Principal;
      
      import org.jboss.seam.security.permission.PermissionCheck;
      import org.jboss.seam.security.permission.RoleCheck;
      import org.jboss.seam.security.Role;
      
      rule ManageUsers
        no-loop
        activation-group "permissions"
      when
        check: PermissionCheck(name == "seam.user", granted == false)
        Role(name == "Administrator")
      then
        check.grant();
      end
      
      rule ManageRoles
        no-loop
        activation-group "permissions"
      when
        check: PermissionCheck(name == "seam.role", granted == false)
        Role(name == "Administrator")
      then
        check.grant();
      end

      However, even after granting the user the Administrator role, I'm still receiving an authorization exception.

      javax.el.ELException: /admin/users/roleAdmin.xhtml @19,27 value="#{identityManager.listRoles()}": org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[seam.role,read]

      The idea was to pull back a list of the roles that IdentityManager knows about.

      The rules file is loaded and components.xml is configured (see below).

         <drools:rule-base name="securityRules">
             <drools:rule-files>
                 <value>/security.drl</value>
             </drools:rule-files>
         </drools:rule-base>

      Upon closer inspection of my logs, I do see this:

      admin 16:47:19,500 WARN  [IdentityManager] no identity store available - please configure an identityStore if identity management is required.

      So maybe I have to define this before the rule-based permission resolver can go to work?

        • 1. Re: Authorization check failed for permission seam.role,read
          Shane Bryzak Master

          It shouldn't matter that you don't have an identity store configured; the permission check should still work.  Are you sure the user is a member of the 'Administrator' role?  Try setting a breakpoint in RuleBasedPermissionResolver.hasPermission(); if you examine the stateful session (the securityContext variable) you should be able to see a Fact entry for each of the roles the user is a member of.

          • 2. Re: Authorization check failed for permission seam.role,read
            Chris Simons Expert

            Thanks for the reply, Shane.

            I haven't set a breakpoint within .hasPermission() yet, but I did apply some additional configuration settings to components.xml.  I took a step back and tried some of the other identityManager methods, for example, getImpliedRoles('roleName').

            I don't know if this proves my use case should work but it comes pretty close.  When I print out a list of the impliedRoles for the given user, I do see the Administrator role.

            However, I still am unable to get past the AuthenticationException issue for identityManager.listRoles() and listUsers().

            So, I must ask...is getImpliedRoles() the same as getting back a list of all roles granted to the user?  Are they one and the same?  Or do I need to grant each role via identity.grantRole()?

            If you have time, I've pasted more of my components.xml.  I have no overridden Permission yet, but I believe we might do that in the near future.

            <security:identity-manager identity-store="#{jpaIdentityStore}" role-identity-store="#{jpaIdentityStore}"/>
            <security:rule-based-permission-resolver security-rules="#{securityRules}"/>
            <security:jpa-identity-store user-class="com.bah.englink.ejb.User"
                                         role-class="com.bah.englink.ejb.roles.AppRole"/>

            <drools:rule-base name="securityRules">
                <drools:rule-files>
                    <value>/security.drl</value>
                </drools:rule-files>
            </drools:rule-base>

            Thanks!

            • 3. Re: Authorization check failed for permission seam.role,read
              Shane Bryzak Master

              Your configuration looks fine to me.  The roles that RuleBasedPermissionResolver uses to populate the securityContext are obtained from the Identity component.  If you're using identity management, then all of the user's implied roles should be automatically populated in Identity when you authenticate (see SeamLoginModule).

              The actual work to place the roles into securityContext gets done in RuleBasedPermissionResolver.synchronizeContext(), so you could set a breakpoint here to ensure that all roles (including the implied roles) are being set.

              • 4. Re: Authorization check failed for permission seam.role,read
                Chris Simons Expert

                Shane,

                I think we resolved the issue and I'd like to share why I think the rule-based permission was not working earlier.

                In components.xml, we are setting security:identity authenticate-method to a custom method.  Therefore, I think (perhaps) securityContext was not being automatically populated with each role.

                Therefore, in our custom method, I manually called identity.addRole("Administrator").

                This seemed to do the trick.

                Looking over the Seam Security documentation, we can find a wealth of information.  Discerning which approach to take - given the various options - and which components to combine into our custom identity management scheme is a bit harder to ascertain.

                For example, some of the documentation seems out-of-date and does not reflect the Seam 2.0 - 2.1 migration guide tutorials on using RuleBasedPermissionResolver.

                It would be really neat to see a "Here are three common ways of using Seam Security".  The first tutorial would show just using JpaIdentityStore.

                The second would show using JpaIdentityStore and RuleBasedPermissionResolver.

                And so on and so forth.  Just my two cents.  Maybe if we can figure out our own custom permission scheme as we want to, we will write it up for you guys. :)
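
The resolution in the last reply, written out as an added example (this is not code from the thread, from the poster's project, or from Seam itself): a custom authenticate-method that checks the credentials through the IdentityManager and then copies the user's implied roles into Identity, so that RuleBasedPermissionResolver.synchronizeContext() inserts a Role fact for every role the store reports, instead of a hard-coded Administrator. The component name customAuthenticator and the package com.example.security are assumptions; the Seam 2.x APIs used (Credentials, Identity.addRole, IdentityManager.authenticate and getImpliedRoles) are real.

```java
package com.example.security; // hypothetical package, not from the thread

import java.util.List;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.management.IdentityManager;

/**
 * Custom Seam 2.x authenticator (hypothetical component name).
 * Wired in components.xml with:
 *   <security:identity authenticate-method="#{customAuthenticator.authenticate}"/>
 *
 * When authenticate-method is overridden, the roles that SeamLoginModule
 * would normally copy into Identity are not populated, so the rule-based
 * resolver's securityContext holds no Role facts and rules such as
 * ManageRoles never fire. This method fills that gap after a successful
 * credential check.
 */
@Name("customAuthenticator")
@Scope(ScopeType.EVENT)
public class CustomAuthenticator {

    @In Identity identity;
    @In Credentials credentials;
    @In IdentityManager identityManager;

    public boolean authenticate() {
        String username = credentials.getUsername();
        String password = credentials.getPassword();
        if (username == null || password == null) {
            return false;
        }

        // Verify the password against the configured identity store
        // (jpaIdentityStore in the thread's components.xml). A failed check
        // must return false so Identity stays unauthenticated.
        if (!identityManager.authenticate(username, password)) {
            return false;
        }

        // Copy every implied role (direct roles plus roles reachable through
        // the role hierarchy) into Identity. Hard-coding
        // identity.addRole("Administrator") would grant that role to any user
        // who logs in, so the roles come from the store instead.
        List<String> roles = identityManager.getImpliedRoles(username);
        for (String role : roles) {
            identity.addRole(role);
        }
        return true;
    }
}
```

The roles are read once, at login, so a role revoked in the store takes effect only at the user's next authentication; anything that needs revocation to apply immediately has to re-check the store rather than rely on the Role facts in securityContext.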