2 Replies Latest reply on Nov 2, 2010 7:08 PM by leitus

    Seam 2.2.0 + drools for permissions check not working.

    leitus
      Hi Guys,

      I'm pretty new using Seam, and I have a problem trying to extend the permission checker for rules for the visibility of a page. I've started using very complex expressions, and then tried to simplify them to see what might be causing the problem (with no success). This is how the implied files look:

      components.xml
      --------------
      ...
      <drools:rule-base name="securityRules">
        <drools:rule-files>
         <value>/security.drl</value>
        </drools:rule-files>
      </drools:rule-base>

      <drools:managed-working-memory name="securityRulesWorkingMemory" auto-create="true" rule-base="#{securityRules}"/>
      <security:rule-based-permission-resolver security-rules="#{securityRules}"/>
      ...


      ExperienceEdit.page.xml
      -----------------------
      ...
      <restrict>#{s:hasPermission('experience', 'edit', experienceHome)}</restrict>
      ...

      security.drl
      ------------
      ...

      package Permissions;

      import java.security.Principal;

      import org.jboss.seam.security.permission.PermissionCheck;
      import org.jboss.seam.security.Role;
      import com.web2people.travelers.action.ExperienceHome;

      rule ExperienceEditByCreator
         no-loop
         activation-group "permissions"
      when
         $perm: PermissionCheck(name == "experience", action == "edit")
         ExperienceHome( afirmativeValue > 4 )
      then
         $perm.grant();
      end

      ...


      ExperienceHome.java
      -------------------

              public Integer afirmativeValue = 9;
             
              public Integer getAfirmativeValue(){
                      return afirmativeValue;
              }
             
              public void setAfirmativeValue(Integer afirmativeValue){
                      this.afirmativeValue = afirmativeValue;
              }



      ------------------------------------------------------

      The result when I try to access the page is:

      18:38:34,110 ERROR [Exceptions] handled and logged exception
      org.jboss.seam.security.AuthorizationException: Authorization check failed for expression [#{s:hasPermission('experience', 'edit', experienceHome)}]
              at org.jboss.seam.security.Identity.checkRestriction(Identity.java:222)
              at org.jboss.seam.navigation.Page.checkPermission(Page.java:263)
              at org.jboss.seam.navigation.Page.preRender(Page.java:283)
              at org.jboss.seam.navigation.Pages.preRender(Pages.java:350)

      The rule is the simplest I could try, and I'm sure the method "getAfirmativeValue" is being called since it stops on a breakpoint when I'm debugging it, and by debugging I've also been able to prove that the fact is really in the Working Memory.

      If I remove the line:

         ExperienceHome( afirmativeValue > 4 )

      It works properly.

      I've tried everything (even upgrading the drools libraries) and it is still not working. Maybe the integration was not designed to work apart from Roles, but it feels really strange.

      Do you have any idea of why this might be happening?

      Thanks in advance.
        • 1. Re: Seam 2.2.0 + drools for permissions check not working.
          shane.bryzak

          Try changing your permission check to this:



          <restrict>#{s:hasPermission(experienceHome, 'edit')}</restrict>




          And the rule body to this:




          rule ExperienceEditByCreator
             no-loop
             activation-group "permissions"
          when
             $perm: PermissionCheck(target == eh, action == "edit")
             eh: ExperienceHome( afirmativeValue > 4 )
          then
             $perm.grant();
          end




          Please let me know if it still doesn't work.

          • 2. Re: Seam 2.2.0 + drools for permissions check not working.
            leitus

            Hi Shane, thanks for your response.


            Using the code exactly as you wrote, it threw an Exception:




            Caused by: org.drools.rule.InvalidRulePackage: Unable to return Declaration for identifier 'eh' : [Rule name='ExperienceEditByCreator']
            Unable to create restriction '[VariableRestriction: == eh ]' for field 'target' in the rule 'ExperienceEditByCreator' : [Rule name='ExperienceEditByCreator']





            However, by changing the order of the declarations:




            eh: ExperienceHome( afirmativeValue > 4 ) 
            $perm: PermissionCheck(target == eh, action == "edit")




              


            worked just great!


            It feels strange having the rule engine always analyzing the first expression, but I did not notice anything wrong while navigating on other pages, so I guess it should be ok.


            Thanks again for your help!
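
The two pattern orders from the replies above can be checked outside the container, so that a rule that fails to compile or grants too broadly is caught before deployment. This is an added example, not code from the thread or from Seam. It assumes the Drools 5.x knowledge API and jboss-seam.jar are on the classpath and that ExperienceHome can be instantiated without a Seam context; the class name SecurityRuleCheck and its methods are hypothetical.

```java
import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseFactory;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.io.ResourceFactory;
import org.drools.runtime.StatefulKnowledgeSession;
import org.jboss.seam.security.permission.PermissionCheck;
import com.web2people.travelers.action.ExperienceHome;
// Hypothetical stand-alone check; the rule text is the one quoted in the thread.
public class SecurityRuleCheck {
    static final String HEADER = "package Permissions;\n"
        + "import org.jboss.seam.security.permission.PermissionCheck;\n"
        + "import com.web2people.travelers.action.ExperienceHome;\n"
        + "rule ExperienceEditByCreator\n no-loop\n activation-group \"permissions\"\nwhen\n";
    static final String BIND = "  eh: ExperienceHome( afirmativeValue > 4 )\n";
    static final String CHECK = "  $perm: PermissionCheck(target == eh, action == \"edit\")\n";
    static final String FOOTER = "then\n  $perm.grant();\nend\n";
    // Compiles DRL source held in memory; callers inspect hasErrors().
    static KnowledgeBuilder compile(String drl) {
        KnowledgeBuilder kb = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kb.add(ResourceFactory.newByteArrayResource(drl.getBytes()), ResourceType.DRL);
        return kb;
    }
    // Runs one permission check; if no rule grants it, the check stays denied.
    static boolean isGranted(KnowledgeBuilder kb, int value) {
        KnowledgeBase base = KnowledgeBaseFactory.newKnowledgeBase();
        base.addKnowledgePackages(kb.getKnowledgePackages());
        StatefulKnowledgeSession session = base.newStatefulKnowledgeSession();
        try {
            ExperienceHome home = new ExperienceHome();
            home.setAfirmativeValue(value);
            PermissionCheck check = new PermissionCheck(home, "edit");
            session.insert(home);
            session.insert(check);
            session.fireAllRules();
            return check.isGranted();
        } finally {
            session.dispose();
        }
    }
    public static void main(String[] args) {
        // Order from reply 1: 'eh' is referenced before it is bound, so compilation must fail.
        if (!compile(HEADER + CHECK + BIND + FOOTER).hasErrors()) throw new AssertionError();
        // Order from reply 2: binding first, then the PermissionCheck that refers to it.
        KnowledgeBuilder fixed = compile(HEADER + BIND + CHECK + FOOTER);
        if (fixed.hasErrors()) throw new AssertionError(fixed.getErrors().toString());
        if (!isGranted(fixed, 9)) throw new AssertionError("value 9 should be granted");
        if (isGranted(fixed, 4)) throw new AssertionError("value 4 should be denied");
    }
}
```

The last assertion is the negative case: a target whose afirmativeValue does not exceed 4 must leave the permission ungranted.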