[seam-commits] Seam SVN: r13367 - in modules/security/trunk/examples/idmconsole: src/main/webapp/WEB-INF and 1 other directories.
Tue Jul 13 07:27:21 EDT 2010
Author: shane.bryzak at jboss.com
Date: 2010-07-13 07:27:20 -0400 (Tue, 13 Jul 2010)
New Revision: 13367
Added:
modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/security-rules.drl
Modified:
modules/security/trunk/examples/idmconsole/pom.xml
modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/classes/seam-beans.xml
Log:
security rule configuration
Modified: modules/security/trunk/examples/idmconsole/pom.xml
===================================================================
--- modules/security/trunk/examples/idmconsole/pom.xml 2010-07-13 11:26:49 UTC (rev 13366)
+++ modules/security/trunk/examples/idmconsole/pom.xml 2010-07-13 11:27:20 UTC (rev 13367)
@@ -79,6 +79,13 @@
<dependency>
<groupId>org.jboss.seam.xml</groupId>
<artifactId>seam-xml-config</artifactId>
+ <version>3.0.0-SNAPSHOT</version>
+ <exclusions>
+ <exclusion>
+ <groupId>org.jboss.spec.javax.interceptor</groupId>
+ <artifactId>jboss-interceptors-api_1.1_spec</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<!-- CDI (JSR-299) -->
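Review bot: The new `<exclusions>` block for `jboss-interceptors-api_1.1_spec` carries no explanation of why the interceptors API must be kept off the classpath, and the `3.0.0-SNAPSHOT` version is pinned directly in this example pom rather than inherited from the parent's dependency management, which makes the example drift from the rest of the build. A one-line comment above the exclusion, `<!-- TODO: document why jboss-interceptors-api_1.1_spec must be excluded here (classpath conflict?) -->`, would let the next maintainer know whether it is still needed. The enclosing `<dependencies>` element starts and ends outside the hunk.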
Modified: modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/classes/seam-beans.xml
===================================================================
--- modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/classes/seam-beans.xml 2010-07-13 11:26:49 UTC (rev 13366)
+++ modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/classes/seam-beans.xml 2010-07-13 11:27:20 UTC (rev 13367)
@@ -1,19 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!--
- The contents of this file is permitted to be empty.
- The schema definition is provided for your convenience.
--->
<beans xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:s="urn:java:seam:core"
- xmlns:perm="org.jboss.seam.security.permission"
+ xmlns:s="urn:java:ee"
+ xmlns:drools="urn:java:org.jboss.seam.drools:org.jboss.seam.drools.config"
+ xmlns:security="urn:java:org.jboss.seam.security.permission"
xsi:schemaLocation="
http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/beans_1_0.xsd">
- <perm:JpaPermissionStore>
- <s:specializes/>
-
- <perm:identityPermissionClass>org.jboss.seam.security.examples.idmconsole.model.IdentityPermission</perm:identityPermissionClass>
- </perm:JpaPermissionStore>
+ <security:JpaPermissionStore>
+ <s:overrides/>
+ <security:identityPermissionClass>org.jboss.seam.security.examples.idmconsole.model.IdentityPermission</security:identityPermissionClass>
+ </security:JpaPermissionStore>
+
+ <drools:RuleResources>
+ <s:modifies/>
+ <security:SecurityRulesConfig/>
+ <drools:resources>
+ <s:value>security-rules.drl</s:value>
+ </drools:resources>
+ </drools:RuleResources>
+
+ <drools:DroolsConfig>
+ <s:modifies/>
+ <security:SecurityRulesConfig/>
+ <drools:ruleResources>
+ <s:Inject/>
+ <security:SecurityRulesConfig/>
+ </drools:ruleResources>
+ </drools:DroolsConfig>
+
+ <security:RuleBasedPermissionResolver>
+ <s:overrides/>
+ <security:securityRules>
+ <security:SecurityRulesConfig/>
+ <s:Inject/>
+ <s:Default/>
+ </security:securityRules>
+ </security:RuleBasedPermissionResolver>
+
</beans>
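Review bot: The rule resource is registered as the bare name `security-rules.drl` in `<drools:resources>`, while the file itself is added under `WEB-INF/security-rules.drl`, not under `WEB-INF/classes/` next to this seam-beans.xml; if `RuleResources` resolves entries from the classpath this will fail at deployment rather than at build time, so either confirm that the drools module resolves servlet-context paths or move the file beside the bean configuration. The `<security:securityRules>` injection point in `RuleBasedPermissionResolver` combines the `SecurityRulesConfig` qualifier with `<s:Default/>`, which presumably only matches a producer carrying both qualifiers — verify that the `DroolsConfig` bean configured above is actually selected, otherwise the resolver silently runs without any rules and every rule-based check is denied.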
Added: modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/security-rules.drl
===================================================================
--- modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/security-rules.drl (rev 0)
+++ modules/security/trunk/examples/idmconsole/src/main/webapp/WEB-INF/security-rules.drl 2010-07-13 11:27:20 UTC (rev 13367)
@@ -0,0 +1,247 @@
+package SeamSpacePermissions;
+
+dialect 'mvel'
+
+import java.security.Principal;
+
+import org.jboss.seam.security.permission.PermissionCheck;
+import org.jboss.seam.security.permission.RoleCheck;
+import org.jboss.seam.security.Role;
+
+import org.jboss.seam.security.examples.seamspace.model.BlogComment;
+import org.jboss.seam.security.examples.seamspace.model.Member;
+import org.jboss.seam.security.examples.seamspace.model.MemberAccount;
+import org.jboss.seam.security.examples.seamspace.model.MemberBlog;
+import org.jboss.seam.security.examples.seamspace.model.MemberFriend;
+import org.jboss.seam.security.examples.seamspace.model.MemberImage;
+
+# These rules allow members to manage permissions on their own images
+
+rule ManageImagePermissions
+ no-loop
+ activation-group "permissions"
+when
+ acct: MemberAccount()
+ image: MemberImage(mbr : member -> (mbr.memberId.equals(acct.member.memberId)))
+ check: PermissionCheck(target == image, action == "seam.read-permissions", granted == false)
+then
+ check.grant();
+end
+
+rule GrantImagePermissions
+ no-loop
+ activation-group "permissions"
+when
+ acct: MemberAccount()
+ image: MemberImage(mbr : member -> (mbr.memberId.equals(acct.member.memberId)))
+ check: PermissionCheck(target == image, action == "seam.grant-permission", granted == false)
+then
+ check.grant();
+end
+
+# Allow all users to read the available roles
+
+rule ReadRoles
+ no-loop
+ activation-group "permissions"
+when
+ check: PermissionCheck(target == "seam.role", action == "read", granted == false)
+ Role(name == "user")
+then
+ check.grant();
+end
+
+# This rule allows a member to delete their own images
+
+rule DeleteImage
+ no-loop
+ activation-group "permissions"
+when
+ acct: MemberAccount()
+ image: MemberImage(mbr : member -> (mbr.memberId.equals(acct.member.memberId)))
+ check: PermissionCheck(target == image, action == "delete", granted == false)
+then
+ check.grant();
+end
+
+# This rule allows members to revoke permissions on their images to other users/roles
+
+rule RevokeImagePermissions
+ no-loop
+ activation-group "permissions"
+when
+ acct: MemberAccount()
+ image: MemberImage(mbr : member -> (mbr.memberId.equals(acct.member.memberId)))
+ check: PermissionCheck(target == image, action == "seam.revoke-permission", granted == false)
+then
+ check.grant();
+end
+
+rule ViewProfileImage
+ no-loop
+ activation-group "permissions"
+when
+ image: MemberImage()
+ check: PermissionCheck(target == image, action == "view", granted == false)
+ eval( image.getMember().getPicture() == image )
+then
+ check.grant();
+end
+
+rule FriendViewImage
+ no-loop
+ activation-group "permissions"
+when
+ acct: MemberAccount()
+ image: MemberImage(mbr : member -> (mbr.isFriend(acct.member)))
+ PermissionCheck(target == image, action == "view")
+ role: RoleCheck(name == "friends")
+then
+ role.grant();
+end
+
+rule GuestViewImage
+ no-loop
+ activation-group "permissions"
+when
+ image: MemberImage()
+ PermissionCheck(target == image, action == "view")
+ role: RoleCheck(name == "guest")
+then
+ role.grant();
+end
+
+rule ViewMyImages
+ no-loop
+ activation-group "permissions"
+when
+ acct: MemberAccount()
+ image: MemberImage(mbr : member -> (mbr.memberId.equals(acct.member.memberId)))
+ check: PermissionCheck(target == image, action == "view")
+then
+ check.grant();
+end
+
+rule RestrictCommentPage
+ no-loop
+ activation-group "permissions"
+when
+ check: PermissionCheck(target == "/comment.xhtml", granted == false)
+ Role(name == "user")
+then
+ check.grant();
+end
+
+rule CanCreateBlogComment
+ no-loop
+ activation-group "permissions"
+when
+ blog: MemberBlog()
+ check: PermissionCheck(target == blog, action == "create", granted == false)
+ Role(name == "user")
+then
+ check.grant();
+end
+
+rule CreateBlogComment
+ no-loop
+ activation-group "permissions"
+when
+ check: PermissionCheck(target == "blogComment", action == "insert", granted == false)
+ Role(name == "user")
+then
+ check.grant();
+end
+
+# This rule grants permission for users to create their own blog entries
+rule CreateBlog
+ no-loop
+ activation-group "permissions"
+when
+ mbr: Member()
+ acct: MemberAccount(member.memberId == mbr.memberId)
+ check: PermissionCheck(target.memberId == mbr.memberId, action == "createBlog", granted == false)
+then
+ check.grant();
+end
+
+# This rule grants permission for users to upload pictures to their profile
+rule UploadImage
+ no-loop
+ activation-group "permissions"
+when
+ mbr: Member()
+ acct: MemberAccount(member.memberId == mbr.memberId)
+ check: PermissionCheck(target.memberId == mbr.memberId, action == "uploadImage", granted == false)
+then
+ check.grant();
+end
+
+rule InsertMemberBlog
+ no-loop
+ activation-group "permissions"
+when
+ acct: MemberAccount()
+ blog: MemberBlog(member == acct.member)
+ check: PermissionCheck(target == blog, action == "insert", granted == false)
+then
+ check.grant();
+end
+
+rule CreateFriendComment
+ no-loop
+ activation-group "permissions"
+when
+ acct: MemberAccount()
+ member: Member() //friends contains acct.member)
+ check: PermissionCheck(target == member, action == "createFriendComment", granted == false)
+then
+ check.grant();
+end
+
+rule CreateFriendRequest
+ no-loop
+ activation-group "permissions"
+when
+ acct: MemberAccount()
+ member: Member() //friends not contains acct.member)
+ check: PermissionCheck(target == member, action == "createFriendRequest", granted == false)
+then
+ check.grant();
+end
+
+rule CreateAccount
+ no-loop
+ activation-group "permissions"
+when
+ check: PermissionCheck(target == "seam.account", action == "create", granted == false)
+ Role(name == "admin")
+then
+ check.grant();
+end
+
+/*****************************************************************************************
+
+ The Following Rules are for Identity Management
+
+******************************************************************************************/
+
+rule ManageUsers
+ no-loop
+ activation-group "permissions"
+when
+ check: PermissionCheck(target == "seam.user", granted == false)
+ Role(name == "admin")
+then
+ check.grant();
+end
+
+rule ManageRoles
+ no-loop
+ activation-group "permissions"
+when
+ check: PermissionCheck(target == "seam.role", granted == false)
+ Role(name == "admin")
+then
+ check.grant();
+end
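Review bot: In `CreateFriendComment` and `CreateFriendRequest` the friendship constraint is commented out (`member: Member() //friends contains acct.member)`), so both rules fire for any authenticated `MemberAccount` against any `Member` and the "friend" condition that the rule names promise is not enforced at all. Restoring the constraint the comment still shows, `member: Member(friends contains acct.member)` and `member: Member(friends not contains acct.member)`, is the intended fix, assuming `Member` exposes a `friends` collection — confirm against the model. Separately, the file declares `package SeamSpacePermissions` and imports `org.jboss.seam.security.examples.seamspace.model.*` although it lives in the idmconsole example; unless idmconsole depends on the seamspace model, rule compilation will fail at startup, and only the `ReadRoles`, `CreateAccount`, `ManageUsers` and `ManageRoles` rules look applicable here. `ViewMyImages` also lacks the `granted == false` constraint every sibling rule carries; adding it keeps the activation-group behaviour uniform.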