[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3064) AuthorizationException when Load Testing - RuleBasedIdentity.hasPermission() returns false when it should return true

[ http://jira.jboss.com/jira/browse/JBSEAM-3064?page=comments#action_12415826 ] Kenneth Christensen commented on JBSEAM-3064: --------------------------------------------- This was a really hard one...... I have a solution to this problem :-) Solution: 1. Upgrade to Drools 4.0.7 - drools-compiler-4.0.7 - drools-core-4.0.7 - mvel-1.3.1-java1.4 2. synchronizeContext() call in hasPermission() must be included in the synchronized block - your fix in the Seam_2_0 branch works fine. 3. hasRole() must include a synchronized block, e.g. public boolean hasRole(String role) { if (securityContext != null) { synchronized (securityContext) { Iterator<Role> iter = securityContext.iterateObjects(new ClassObjectFilter(Role.class)); while (iter.hasNext()) { Role r = iter.next(); if (r.getName().equals(role)) return true; } } } return super.hasRole(role); } I have Load Tested above solution for more than 5 hours and no exceptions are thrown with this solution. Solution explanation: 1. AuthorizationExceptions are thrown if solution only consist of 2. & 3. - therefore we need Drools 4.0.7. I had some problems upgrading to Drools 4.0.7 because of my security rules! Drools 4.0.3 and 4.0.7 accepts: rule UploadSystemDocuments no-loop activation-group "permissions" when c: PermissionCheck(name == "UPLOAD_DOCUMENTS", action == (DocumentType.SYSTEM.extendedName())) Role(name == (RoleType.ADMINISTRATOR.name())) then c.grant(); end; But only Drools 4.0.3 accepts: rule UploadUserDocuments no-loop activation-group "permissions" when c: PermissionCheck(name == "UPLOAD_DOCUMENTS", action == (DocumentType.USER.extendedName())) Role(name == (RoleType.ADMINISTRATOR.name())) or Role(name == (RoleType.CUSTOMER.name())) or Role(name == (RoleType.SUPERCUSTOMER.name())) then c.grant(); end; Drools 4.0.7 don't like 'action == (DocumentType.USER.extendedName())' and multiple OR's - weird! I had to change my security rules before Drools 4.0.7 would accept my rules. 2. AuthorizationExceptions are thrown if the synchronizeContext() call is not inside the synchronized block. 3. NullPointerExceptions are thrown if hasRole() don't include a synchronized block. Would it be possible to include this fix in the Seam 2.0.3.XX release? -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira