0 Replies Latest reply on Nov 23, 2009 12:59 AM by ravi kumar brahmajee k

    Seam Security - Authorization issue

    ravi kumar brahmajee k Newbie

      Hi,

      I am porting Seam 1.2 application to Seam 2.2 application and deploying it in JBOSS 5.0 The code base uses Seam security (drools based) for authentication and authorization and there is a security check for CRUD persistence at Entity Level. I am getting "org.jboss.seam.security.AuthorizationException: Authorization check failed" message when accessing functionality for all the roles. The authentication works, but authorization is not working as expected. It didnt allow anyone to access.

      Appreciate your help on this.

      Thanks in advance

      Thanks,
      Ravi

      The code looks like this:

      Entity Class

      @Restrict
      @Entity
      @Name("loan")
      public class Loan{
      .. .. // getters / setters method
      }

      I have added the Security Interceptor in the orm.xml file
      <persistence-unit-metadata>
      <persistence-unit-defaults>
      <entity-listeners>
      <entity-listener class="org.jboss.seam.security.EntitySecurityListener"/>
      </entity-listeners>
      </persistence-unit-defaults>
      </persistence-unit-metadata>

      In component.xml I configured:
      <drools:rule-base name="securityRules">
      <drools:rule-files>
      /security.drl
      </drools:rule-files>
      </drools:rule-base>

      <security:identity authenticate-method="#{authenticator.authenticate}"
      security-rules="#{securityRules}" />

      Security. DRL -The rule defined in 1.2 Security.DRL file
      package Permissions;

      import org.jboss.seam.security.PermissionCheck;
      import org.jboss.seam.security.Role;
      ...
      rule "Loan Management"
      no-loop
      activation-group "permissions"
      when
      check: PermissionCheck( name == "loan", action == "insert") or PermissionCheck( name == "loan", action == "update") Role( name == "Administrator" )
      then
      check.grant();
      end;

      this gave errors while deployment. So I changed them as follows which deployed successfully, but not working as expected:

      The current security.DRL looks like
      package Permissions;

      dialect 'mvel'

      import org.jboss.seam.security.permission.PermissionCheck;
      import org.jboss.seam.security.Role;

      rule "Loan Management"
      no-loop
      activation-group "permissions"
      when
      check: PermissionCheck( target== "loan", action == "insert") or PermissionCheck( target== "loan", action == "update") Role( name == "Administrator" )
      then
      check.grant();
      end;


      pls suggest if i am missing any configurations.

      Thanks,
      Ravi