[jboss-user] [JBoss Seam] - Re: Security - Define dynamic Role in application
markfoerstein
do-not-reply at jboss.com
Mon May 7 13:36:02 EDT 2007
That did the trick, but now Im facing another problem.
When the user authenticates, his roles and its permissions are loaded, and a new GrantedPermission object is asserted for each permission into the working memory:
| public boolean authenticate() {
| ...
|
| for (SphGru sphGru : sphUsu.getSphGrus()) {
| Identity.instance().addRole(sphGru.getNome()); //add the user role
| for (SphPer sphPer : sphGru.getSphPers()) { //assert the user role permissions into the working memory
| String name = sphPer.getSphEditor().getNomeComponente(); //get the component name
| WorkingMemory wm = ((RuleBasedIdentity) Identity.instance()).getSecurityContext();
|
| if (sphPer.getFlgPermiteIncluir().toString().equals("S"))
| wm.assertObject(new GrantedPermission("create", name)); //user can call component's create action
|
| if (sphPer.getFlgPermiteAlterar().toString().equals("S"))
| wm.assertObject(new GrantedPermission("update", name)); //user can call component's update action
|
| if (sphPer.getFlgPermiteExcluir().toString().equals("S"))
| wm.assertObject(new GrantedPermission("delete", name)); //user can call component's delete action
| }
| }
|
| ...
| }
|
Component has "create", "update" and "delete" methods annotated with @Restrict:
| @Restrict
| public String create() {
| ...
| }
|
| @Restrict
| public String update() {
| ...
| }
|
| @Restrict
| public String delete() {
| ...
| }
|
This is the rule (/META-INF/security-dynamic-permission.drl):
| package DynamicPermission
|
| import org.jboss.seam.security.PermissionCheck;
| import com.sphere.consultoria.login.GrantedPermission;
|
| rule GrantDynamicPermission
| no-loop
| activation-group "permissions"
| salience -10
| when
| check: PermissionCheck(granted == false)
| GrantedPermission(n : name -> (n == check.getName()), a : action -> (a == check.getAction()))
| then
| System.out.println("Permission granted!!!");
| check.grant();
| end;
|
components.xml:
| ...
| <security:identity authenticate-method="#{authenticator.authenticate}"/>
|
| <drools:rule-base name="securityRules">
| <drools:rule-files>
| <value>/META-INF/security-dynamic-permission.drl</value>
| </drools:rule-files>
| </drools:rule-base>
| ...
|
And the GrantedPermission class:
| public class GrantedPermission implements Serializable {
|
| private String name;
| private String action;
|
| public GrantedPermission(String action, String name) {
| this.action = action;
| this.name = name;
| }
|
| public String getAction() {
| return action;
| }
|
| public void setAction(String action) {
| this.action = action;
| }
|
| public String getName() {
| return name;
| }
|
| public void setName(String name) {
| this.name = name;
| }
|
| @Override
| public int hashCode() {
| ...
| }
|
| @Override
| public boolean equals(Object obj) {
| ...
| }
| }
|
Still, I get an AuthorizationException when the rule is supposed to fire:
| 14:04:15,390 ERROR [ExceptionFilter] uncaught exception
| javax.servlet.ServletException: Error calling action method of component with id _id17:_id54
| at javax.faces.webapp.FacesServlet.service(FacesServlet.java:152)
| at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
| at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
| at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:63)
| at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
| at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
| at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:57)
| at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
| at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:79)
| at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
| at org.jboss.seam.web.SeamFilter.doFilter(SeamFilter.java:84)
| at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
| at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
| at org.ajax4jsf.framework.ajax.xmlfilter.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:96)
| at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:220)
| at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
| at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
| at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
| at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
| at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
| at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
| at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
| at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
| at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
| at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
| at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
| at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
| at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
| at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
| at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
| at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
| at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
| at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
| at java.lang.Thread.run(Thread.java:595)
| 14:04:15,390 ERROR [ExceptionFilter] exception root cause
| javax.faces.FacesException: Error calling action method of component with id _id17:_id54
| at org.apache.myfaces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:74)
| at javax.faces.component.UICommand.broadcast(UICommand.java:106)
| at org.ajax4jsf.framework.ajax.AjaxViewRoot.processEvents(AjaxViewRoot.java:180)
| at org.ajax4jsf.framework.ajax.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:158)
| at org.ajax4jsf.framework.ajax.AjaxViewRoot.processApplication(AjaxViewRoot.java:329)
| at org.apache.myfaces.lifecycle.LifecycleImpl.invokeApplication(LifecycleImpl.java:343)
| at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:86)
| at javax.faces.webapp.FacesServlet.service(FacesServlet.java:137)
| at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
| at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
| at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:63)
| at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
| at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
| at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:57)
| at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
| at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:79)
| at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
| at org.jboss.seam.web.SeamFilter.doFilter(SeamFilter.java:84)
| at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
| at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
| at org.ajax4jsf.framework.ajax.xmlfilter.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:96)
| at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:220)
| at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
| at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
| at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
| at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
| at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
| at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
| at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
| at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
| at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
| at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
| at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
| at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
| at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
| at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
| at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
| at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
| at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
| at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
| at java.lang.Thread.run(Thread.java:595)
| Caused by: javax.faces.el.EvaluationException: /editSphAgenda.xhtml @83,159 action="#{sphagendaEditor.create}": org.jboss.seam.security.AuthorizationException: Authorization check failed for expression [#{s:hasPermission('sphagendaEditor','create', null)}]
| at com.sun.facelets.el.LegacyMethodBinding.invoke(LegacyMethodBinding.java:73)
| at org.apache.myfaces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:63)
| ... 40 more
| Caused by: org.jboss.seam.security.AuthorizationException: Authorization check failed for expression [#{s:hasPermission('sphagendaEditor','create', null)}]
| at org.jboss.seam.security.Identity.checkRestriction(Identity.java:160)
| at org.jboss.seam.interceptors.SecurityInterceptor.aroundInvoke(SecurityInterceptor.java:35)
| at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:69)
| at org.jboss.seam.interceptors.RemoveInterceptor.aroundInvoke(RemoveInterceptor.java:40)
| at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:69)
| at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:103)
| at org.jboss.seam.intercept.ClientSideInterceptor.invoke(ClientSideInterceptor.java:50)
| at org.javassist.tmp.java.lang.Object_$$_javassist_54.create(Object_$$_javassist_54.java)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at com.sun.el.parser.AstValue.invoke(AstValue.java:174)
| at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:286)
| at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
| at com.sun.facelets.el.LegacyMethodBinding.invoke(LegacyMethodBinding.java:69)
| ... 41 more
|
Expression [#{s:hasPermission('sphagendaEditor','create', null)}] should grant the permission, since I've asserted into the working memory a GrantedPermission with action "create" and name "sphagendaEditor".
Im sure the rule /META-INF/security-dynamic-permission.drl is being loaded, because it was giving me that validation error before. So components.xml seems to be properly configured.
It seems the rule is not fired at all.
Any tips?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4043725#4043725
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4043725
More information about the jboss-user
mailing list