[jboss-user] [JBoss Seam] - strange behaviour with security rules 2.0.1GA

jamesjmp do-not-reply at jboss.com
Tue Feb 12 06:51:30 EST 2008


hi!
I have just started to work with the latest releases (SEAM 2.0.1.GA and JBOSS 4.2.2)
I am testing the security and something strange happens with my application.
Restrictions defined in my pages.xml with s:hasRole work ok, but in the .drl file they are not working properly.

This is my authenticate method:

  |     public boolean authenticate() {
  |         // hard-coded test credentials; on a match, grant the role and report success
  |         if (identity.getUsername().equalsIgnoreCase("admin") && identity.getPassword().equalsIgnoreCase("hola")) {
  |             identity.addRole("adminGral");
  |             return true;
  |         }
  |         else if (identity.getUsername().equalsIgnoreCase("simpleuser") && identity.getPassword().equalsIgnoreCase("bonjour")) {
  |             identity.addRole("user");
  |             return true;
  |         }
  |         // any other credentials are rejected (this return was missing and the method would not compile)
  |         return false;
  |     }
  | 

These are the restrictions defined in pages.xml:

  |     <page view-id="/FirmChoose.xhtml">
  |         <restrict>#{s:hasRole('adminGral')}</restrict>
  |     </page>
  |     
  |     <page view-id="/FirmList.xhtml">
  |         <restrict/>
  |     </page>        
  | 

and this is the rule defined in my security.drl:

  | rule FirmList
  | when
  | c: PermissionCheck(name == "/FirmList.xhtml", action == "render")
  | Role(name == "adminGral")
  | then
  | c.grant();
  | end;
  | 

When I authenticate as simpleuser, which has the user role, I may not access
the restricted pages (FirmList and FirmChoose) and the following exception appears:

12:27:41,671 ERROR [SeamPhaseListener] uncaught exception
org.jboss.seam.security.AuthorizationException: Authorization check failed for permission [/FirmList.xhtml,render]
        at org.jboss.seam.security.Identity.checkPermission(Identity.java:486)
        at org.jboss.seam.navigation.Page.checkPermission(Page.java:214)
        at org.jboss.seam.navigation.Page.preRender(Page.java:238)
        at org.jboss.seam.navigation.Pages.preRender(Pages.java:309)
        at org.jboss.seam.jsf.SeamPhaseListener.preRenderPage(SeamPhaseListener.java:549)
        at org.jboss.seam.jsf.SeamPhaseListener.beforeRenderResponse(SeamPhaseListener.java:460)
        at org.jboss.seam.jsf.SeamPhaseListener.beforeServletPhase(SeamPhaseListener.java:144)
        at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:114)
        at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:222)
        at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:144)
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:245)
....

That is ok. But on the other hand, if I authenticate as admin, I am allowed to access FirmChoose (#{s:hasRole('adminGral')} works perfectly); however, I may not access FirmList (FirmList does not grant my access in spite of my having the adminGral role).
I wonder if I have missed configuring something or if I am doing something wrong (I hope it is not a bug).
Thanks in advance!

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4128702#4128702
