4 Replies Latest reply on May 23, 2014 1:38 AM by Sean Flanigan

    PicketLink / Drools / DeltaSpike Security

    Florian Petersen Newbie

      Hello everybody,

      i try to understand the PicketLink/Drools sample application and cannot really work out how it works...

      I understand we may have an annotation


      @Retention(value = RetentionPolicy.RUNTIME)
      @Target({ ElementType.TYPE, ElementType.METHOD })
      public @interface TimeRestricted {


      and a method to be secured, annotated with it


      public void doTest() {


      and a method to handle the restriction


      public boolean testTimeRestricted(Identity identity) {
          return identity.hasPermission("TestAction", "invoke");


      The questions i have now are:


      -Where does the Identity parameter come from? The DeltaSpike documentation gives this signature:

      public boolean doSecuredCheck(InvocationContext invocationContext, BeanManager manager, ...) throws Exception

      -Where exactly is Drools coming into play?

      Does the hasPermission(...) call trigger a fireAllRules() on the Drools Session somehow?

      Or does it run completely behind the scenes and has nothing to do with the hasPermission(...) call?

      -If a fireAllRules() happens anywhere, i guess a org.picketlink.idm.drools.PermissionCheck instance is added to the Drools working memory before, right?

      -If that is the case, what happens then in the case of

      1. granted has been set => i guess the annotated method is called normally?!

      2. granted has not been set => i guess an exception is thrown?!

      -Are other objects added to the working memory implicitly? Or should i add them manually? If so, best practice?

      -The app should grant rights depending on the current time... I do not see this logic anywhere... Please explain where this happens.

      -When i try to deploy the app, i get the following exception:


      14:59:47,489 WARN  [org.drools.compiler.kie.builder.impl.ClasspathKieProject] (MSC service thread 1-2) Unable to load pom.properties tried recursing down from\wildfly-8.0.0.Final\standalone\deployments\picketlink-authorization-drools.war\WEB-INF\classes\META-INF\kmodule.xml


      14:59:47,490 ERROR [org.drools.compiler.kie.builder.impl.ClasspathKieProject] (MSC service thread 1-2) Unable to build index of kmodule.xml url=vfs:/D:/wildfly-8.0.0.Final/standalone/deployments/picketlink-authorization-drools.war/WEB-INF/classes/META-INF/kmodule.xml


      14:59:47,809 ERROR [org.drools.compiler.cdi.KieCDIExtension] (MSC service thread 1-2) Annotation @KSession(ksession1) found, but no KieSessioneModel exist.

      Either the required kproject.xml does not exist, was corrupted, or mising the KieBase entry

      14:59:48,235 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.deployment.unit."picketlink-authorization-drools.war".WeldStartService: org.jboss.msc.service.StartException in service jboss.deployment.unit."picketlink-authorization-drools.war".WeldStartService: Failed to start service


      Caused by: org.jboss.weld.exceptions.DeploymentException: WELD-001408: Unsatisfied dependencies for type KieSession with qualifiers @KSession


      I found PLINK-339 and DROOLS-299, so am i right saying the app actually cannot be run? The hints did not solve it for me... So what exactly should be put in the jar and put exactly where?


      Sorry for all this, but the example app left me with more questions than before somehow...

      Maybe someone could sketch a whole authorization lifecycle with Drools?


      Thanks a lot, best regards