Author: shane.bryzak(a)jboss.com
Date: 2010-07-14 06:46:56 -0400 (Wed, 14 Jul 2010)
New Revision: 13388
Modified:
modules/security/trunk/examples/idmconsole/src/main/java/org/jboss/seam/security/examples/idmconsole/model/IdentityPermission.java
modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/classes/seam-beans.xml
modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/security-rules.drl
Log:
fix rule configuration
Modified:
modules/security/trunk/examples/idmconsole/src/main/java/org/jboss/seam/security/examples/idmconsole/model/IdentityPermission.java
===================================================================
---
modules/security/trunk/examples/idmconsole/src/main/java/org/jboss/seam/security/examples/idmconsole/model/IdentityPermission.java 2010-07-13
19:04:08 UTC (rev 13387)
+++
modules/security/trunk/examples/idmconsole/src/main/java/org/jboss/seam/security/examples/idmconsole/model/IdentityPermission.java 2010-07-14
10:46:56 UTC (rev 13388)
@@ -30,7 +30,8 @@
private String permission;
/**
- * Surrogate primary key value of the permission.
+ * Surrogate primary key value for the permission.
+ *
* @return
*/
@Id @GeneratedValue
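Review bot: The reworded Javadoc still leaves the `@return` tag empty on the line after the added `*`, so the rewording documents nothing about the value the getter actually returns; the same empty `@return` survives in this file's second hunk. Suggest `@return the generated surrogate primary key value` here and, in the second hunk, `@return the comma-separated permission names or the bit-masked integer value`, both taken from the summary sentences already present. The annotated getter's signature and body lie below the hunk.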
@@ -118,7 +119,7 @@
/**
* The permission(s) granted for the resource. May either be a comma-separated
- * list of permission names (such as create, delete, etc) or a bitmasked
+ * list of permission names (such as create, delete, etc) or a bit-masked
* integer value, in which each bit represents a different permission.
*
* @return
Modified:
modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/classes/seam-beans.xml
===================================================================
---
modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/classes/seam-beans.xml 2010-07-13
19:04:08 UTC (rev 13387)
+++
modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/classes/seam-beans.xml 2010-07-14
10:46:56 UTC (rev 13388)
@@ -17,7 +17,7 @@
<s:modifies/>
<security:SecurityRulesConfig/>
<drools:resources>
- <s:value>security-rules.drl</s:value>
+ <s:value>classpath;security-rules.drl;DRL</s:value>
</drools:resources>
</drools:RuleResources>
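Review bot: The new value `classpath;security-rules.drl;DRL` asks for the rules file to be loaded from the classpath, yet the commit's modified-file list places it at `WEB-INF/security-rules.drl`, not under `WEB-INF/classes/` alongside this seam-beans.xml, so the lookup presumably fails unless the build copies the file onto the classpath; worth confirming. If the rule file is not found, none of the permission rules load and the resolver's behaviour at startup becomes whatever the missing-resource path does, which the hunk does not show. A short comment next to the value, e.g. `<!-- classpath-relative: file must live under WEB-INF/classes or in a jar on the classpath -->`, would make the expected location explicit.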
@@ -32,11 +32,24 @@
<security:RuleBasedPermissionResolver>
<s:overrides/>
+
+ <security:manager>
+ <s:Inject/>
+ </security:manager>
+
+ <security:identity>
+ <s:Inject/>
+ </security:identity>
+
+ <security:init>
+ <s:Inject/>
+ </security:init>
+
<security:securityRules>
<security:SecurityRulesConfig/>
<s:Inject/>
<s:Default/>
</security:securityRules>
- </security:RuleBasedPermissionResolver>
+ </security:RuleBasedPermissionResolver>
</beans>
Modified:
modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/security-rules.drl
===================================================================
---
modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/security-rules.drl 2010-07-13
19:04:08 UTC (rev 13387)
+++
modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/security-rules.drl 2010-07-14
10:46:56 UTC (rev 13388)
@@ -1,221 +1,29 @@
-package SeamSpacePermissions;
+package IDMConsolePermissions;
dialect 'mvel'
import java.security.Principal;
import org.jboss.seam.security.permission.PermissionCheck;
-import org.jboss.seam.security.permission.RoleCheck;
-import org.jboss.seam.security.Role;
-import org.jboss.seam.security.examples.seamspace.model.BlogComment;
-import org.jboss.seam.security.examples.seamspace.model.Member;
-import org.jboss.seam.security.examples.seamspace.model.MemberAccount;
-import org.jboss.seam.security.examples.seamspace.model.MemberBlog;
-import org.jboss.seam.security.examples.seamspace.model.MemberFriend;
-import org.jboss.seam.security.examples.seamspace.model.MemberImage;
-
-# These rules allow members to manage permissions on their own images
-
-rule ManageImagePermissions
- no-loop
- activation-group "permissions"
-when
- acct: MemberAccount()
- image: MemberImage(mbr : member -> (mbr.memberId.equals(acct.member.memberId)))
- check: PermissionCheck(target == image, action == "seam.read-permissions",
granted == false)
-then
- check.grant();
-end
-
-rule GrantImagePermissions
- no-loop
- activation-group "permissions"
-when
- acct: MemberAccount()
- image: MemberImage(mbr : member -> (mbr.memberId.equals(acct.member.memberId)))
- check: PermissionCheck(target == image, action == "seam.grant-permission",
granted == false)
-then
- check.grant();
-end
-
# Allow all users to read the available roles
rule ReadRoles
no-loop
activation-group "permissions"
when
- check: PermissionCheck(target == "seam.role", action == "read",
granted == false)
- Role(name == "user")
+ check: PermissionCheck(resource == "seam.role", permission ==
"read", granted == false)
+// Role(name == "user")
then
check.grant();
end
-# This rule allows a member to delete their own images
-
-rule DeleteImage
- no-loop
- activation-group "permissions"
-when
- acct: MemberAccount()
- image: MemberImage(mbr : member -> (mbr.memberId.equals(acct.member.memberId)))
- check: PermissionCheck(target == image, action == "delete", granted ==
false)
-then
- check.grant();
-end
-
-# This rule allows members to revoke permissions on their images to other users/roles
-
-rule RevokeImagePermissions
- no-loop
- activation-group "permissions"
-when
- acct: MemberAccount()
- image: MemberImage(mbr : member -> (mbr.memberId.equals(acct.member.memberId)))
- check: PermissionCheck(target == image, action == "seam.revoke-permission",
granted == false)
-then
- check.grant();
-end
-
-rule ViewProfileImage
- no-loop
- activation-group "permissions"
-when
- image: MemberImage()
- check: PermissionCheck(target == image, action == "view", granted == false)
- eval( image.getMember().getPicture() == image )
-then
- check.grant();
-end
-
-rule FriendViewImage
- no-loop
- activation-group "permissions"
-when
- acct: MemberAccount()
- image: MemberImage(mbr : member -> (mbr.isFriend(acct.member)))
- PermissionCheck(target == image, action == "view")
- role: RoleCheck(name == "friends")
-then
- role.grant();
-end
-
-rule GuestViewImage
- no-loop
- activation-group "permissions"
-when
- image: MemberImage()
- PermissionCheck(target == image, action == "view")
- role: RoleCheck(name == "guest")
-then
- role.grant();
-end
-
-rule ViewMyImages
- no-loop
- activation-group "permissions"
-when
- acct: MemberAccount()
- image: MemberImage(mbr : member -> (mbr.memberId.equals(acct.member.memberId)))
- check: PermissionCheck(target == image, action == "view")
-then
- check.grant();
-end
-
-rule RestrictCommentPage
- no-loop
- activation-group "permissions"
-when
- check: PermissionCheck(target == "/comment.xhtml", granted == false)
- Role(name == "user")
-then
- check.grant();
-end
-
-rule CanCreateBlogComment
- no-loop
- activation-group "permissions"
-when
- blog: MemberBlog()
- check: PermissionCheck(target == blog, action == "create", granted == false)
- Role(name == "user")
-then
- check.grant();
-end
-
-rule CreateBlogComment
- no-loop
- activation-group "permissions"
-when
- check: PermissionCheck(target == "blogComment", action == "insert",
granted == false)
- Role(name == "user")
-then
- check.grant();
-end
-
-# This rule grants permission for users to create their own blog entries
-rule CreateBlog
- no-loop
- activation-group "permissions"
-when
- mbr: Member()
- acct: MemberAccount(member.memberId == mbr.memberId)
- check: PermissionCheck(target.memberId == mbr.memberId, action ==
"createBlog", granted == false)
-then
- check.grant();
-end
-
-# This rule grants permission for users to upload pictures to their profile
-rule UploadImage
- no-loop
- activation-group "permissions"
-when
- mbr: Member()
- acct: MemberAccount(member.memberId == mbr.memberId)
- check: PermissionCheck(target.memberId == mbr.memberId, action ==
"uploadImage", granted == false)
-then
- check.grant();
-end
-
-rule InsertMemberBlog
- no-loop
- activation-group "permissions"
-when
- acct: MemberAccount()
- blog: MemberBlog(member == acct.member)
- check: PermissionCheck(target == blog, action == "insert", granted == false)
-then
- check.grant();
-end
-
-rule CreateFriendComment
- no-loop
- activation-group "permissions"
-when
- acct: MemberAccount()
- member: Member() //friends contains acct.member)
- check: PermissionCheck(target == member, action == "createFriendComment",
granted == false)
-then
- check.grant();
-end
-
-rule CreateFriendRequest
- no-loop
- activation-group "permissions"
-when
- acct: MemberAccount()
- member: Member() //friends not contains acct.member)
- check: PermissionCheck(target == member, action == "createFriendRequest",
granted == false)
-then
- check.grant();
-end
-
rule CreateAccount
no-loop
activation-group "permissions"
when
- check: PermissionCheck(target == "seam.account", action ==
"create", granted == false)
- Role(name == "admin")
+ check: PermissionCheck(resource == "seam.account", permission ==
"create", granted == false)
+// Role(name == "admin")
then
check.grant();
end
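Review bot: The `Role(name == "admin")` constraint on CreateAccount is commented out at the `// Role(name == "admin")` line rather than replaced, so the rule now grants `create` on `seam.account` to any caller the resolver evaluates, regardless of role; the same loosening applies to ReadRoles in this hunk (`// Role(name == "user")`), to the seam.identity rule in the next hunk, where the admin check is deleted outright, and to the seam.role rule in the hunk after it. This looks like a workaround for the dropped `org.jboss.seam.security.Role` import (role facts presumably are no longer inserted into working memory in this version), but the commit message does not say the wider grants are intended. Until role facts are available to the rules again, a marker such as `// TODO: reinstate admin role constraint — rule currently grants to every caller` on each affected rule would keep the loosening visible, and a reviewer would want to know whether anything upstream of this resolver still enforces the admin requirement.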
@@ -230,8 +38,7 @@
no-loop
activation-group "permissions"
when
- check: PermissionCheck(target == "seam.user", granted == false)
- Role(name == "admin")
+ check: PermissionCheck(resource == "seam.identity", granted == false)
then
check.grant();
end
@@ -240,8 +47,8 @@
no-loop
activation-group "permissions"
when
- check: PermissionCheck(target == "seam.role", granted == false)
- Role(name == "admin")
+ check: PermissionCheck(resource == "seam.role", granted == false)
+// Role(name == "admin")
then
check.grant();
end