5 Replies Latest reply on May 17, 2011 1:59 PM by Erik Doetsch

    hasPermission changes and my use of active directory

    Erik Doetsch Newbie

      We are using active directory and have roles and permissions assigned such that in Seam 1.2.1 and 2.1.1 all permission rules were defined as follows:



      <s:decorate     rendered="#{s:hasPermission('contract','view', null)}">
       <s:link id="viewContract" value="#{messages.View}" action="#{contractAction.viewContract}"  />  
      </s:decorate>
      



      So if a person can view a contract, they can click a link to view the contract.


      The documentation seems to read such that this should be changed to:


      s:hasPermission(null,'view')
      



      which is not working and does not seem to make sense.



      From the documentation, the old 3rd parameter gives the developer the ability to send some piece of information to assist the hasPermission method in making its decision. I assume that since active directory is in use, no additional information is needed.


      Any suggestions on where to look for a resolution to this?

        • 1. Re: hasPermission changes and my use of active directory
          Erik Doetsch Newbie

          So it seems like I might be encountering some other problem.


          The jboss-seam-2.1.1.GA and jboss-seam-2.2.2.Final Identity.java has not changed.

          • 2. Re: hasPermission changes and my use of active directory
            Erik Doetsch Newbie

            I cannot seem to find the ability to edit the original post, sorry for this.


            The actual problem I am running into is the hasRole() is currently working but hasPermission() is NOT working.


            My 2nd comment means I understand that in fact my Seam 2.1.1 upgrade to 2.2.2 should not have seen behavior change during my current 2.1.1 to 2.2.2 upgrade but I can definitely see that hasPermission() is behaving differently.


            Again sorry for the confusion.

            • 3. Re: hasPermission changes and my use of active directory
              Erik Doetsch Newbie

              Looking at the code, I guess it is possible my permissionMapper is null. I searched for permissionmapper in the logs of the default jboss server and did not see any reference to it.



                 public boolean hasPermission(String name, String action, Object...arg)
                 {
                    if (!securityEnabled) return true;
                    if (systemOp != null && Boolean.TRUE.equals(systemOp.get())) return true;
                    if (permissionMapper == null) return false;
              
                    if (arg != null)
                    {
                       return permissionMapper.resolvePermission(arg[0], action);
                    }
                    else
                    {
                       return permissionMapper.resolvePermission(name, action);
                    }
                 }
              

              • 4. Re: hasPermission changes and my use of active directory
                Erik Doetsch Newbie

                I do have a security-rules.drl in:


                   <drools:rule-base name="securityRules">
                       <drools:rule-files>
                           <value>/META-INF/security-rules.drl</value>
                       </drools:rule-files>
                   </drools:rule-base>
                
                  <security:identity jaas-config-name="active-dir"/>
                



                with a rule like:


                rule CanContractReviewerViewContract
                when
                  c: PermissionCheck(name == "contract", action == "view")
                  Role(name == "ContractReviewer")
                then
                  c.grant();
                end;
                



                I publish my ear in profile.xml as:


                          <property name="applicationURIs">
                               <list elementClass="java.net.URI">
                                    <value>${jboss.server.home.url}deploy</value>
                                    <value>file:///${deploy.root}/ears</value>
                               </list>
                          </property>
                



                The structure under ears is:


                ears/rms.ear/META-INF/security-rules.drl
                



                which has not changed during my upgrade.

                • 5. Re: hasPermission changes and my use of active directory
                  Erik Doetsch Newbie

                  I finally figured this out:


                  The documentation states to use the following seam jars in my application:


                      drools-api.jar
                      drools-compiler.jar
                      drools-core.jar
                      drools-decisiontables.jar
                      drools-templates.jar
                      janino.jar
                      antlr-runtime.jar
                      mvel2.jar


                  I have put these jars in the appropriate place but somehow forgot to add drools-api.jar to application.xml (I had added the others)


                  I think what this caused was that the attempt to start drools never even happened so there was no error and log information as well. Just dead silence.