[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3064) AuthorizationException when Load Testing - RuleBasedIdentity.hasPermission() returns false when it should return true

Kenneth Christensen (JIRA) jira-events at lists.jboss.org
Fri Jun 6 02:59:20 EDT 2008 

    [ http://jira.jboss.com/jira/browse/JBSEAM-3064?page=comments#action_12415826 ] 
            
Kenneth Christensen commented on JBSEAM-3064:
---------------------------------------------

This was a really hard one......

I have a solution to this problem :-)

Solution:

1. Upgrade to Drools 4.0.7
        - drools-compiler-4.0.7 
        - drools-core-4.0.7
        - mvel-1.3.1-java1.4

2. synchronizeContext() call in hasPermission() must be included in the synchronized block - your fix in the Seam_2_0 branch works fine.

3. hasRole() must include a synchronized block, e.g.
   public boolean hasRole(String role)
   {      
      if (securityContext != null)
      {
         synchronized (securityContext) {
             Iterator<Role> iter = securityContext.iterateObjects(new ClassObjectFilter(Role.class));

             while (iter.hasNext())
             {
                Role r = iter.next();
                if (r.getName().equals(role)) return true;
             }
         }
      }
      
      return super.hasRole(role);
   }

I have Load Tested above solution for more than 5 hours and no exceptions are thrown with this solution.

Solution explanation:

1. AuthorizationExceptions are thrown if solution only consist of 2. & 3. - therefore we need Drools 4.0.7.
I had some problems upgrading to Drools 4.0.7 because of my security rules!

Drools 4.0.3 and 4.0.7 accepts:

rule UploadSystemDocuments
    no-loop
    activation-group "permissions"
when
    c: PermissionCheck(name == "UPLOAD_DOCUMENTS", action == (DocumentType.SYSTEM.extendedName()))

    Role(name == (RoleType.ADMINISTRATOR.name()))
then
    c.grant();
end;

But only Drools 4.0.3 accepts:

rule UploadUserDocuments
    no-loop
    activation-group "permissions"
when
    c: PermissionCheck(name == "UPLOAD_DOCUMENTS", action == (DocumentType.USER.extendedName()))

    Role(name == (RoleType.ADMINISTRATOR.name()))
    or
    Role(name == (RoleType.CUSTOMER.name()))
    or
    Role(name == (RoleType.SUPERCUSTOMER.name()))
then
    c.grant();
end;

Drools 4.0.7 don't like 'action == (DocumentType.USER.extendedName())' and multiple OR's - weird!

I had to change my security rules before Drools 4.0.7 would accept my rules.

2. AuthorizationExceptions are thrown if the synchronizeContext() call is not inside the synchronized block.

3. NullPointerExceptions are thrown if hasRole() don't include a synchronized block.
Would it be possible to include this fix in the Seam 2.0.3.XX release?

> AuthorizationException when Load Testing - RuleBasedIdentity.hasPermission() returns false when it should return true
> ---------------------------------------------------------------------------------------------------------------------
>
>                 Key: JBSEAM-3064
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-3064
>             Project: Seam
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.0.2.SP1, 2.0.2.GA, 2.0.1.GA
>         Environment: Mac OS X 10.5.3
> JDK 1.5.0_13-b05-237
> JBoss 4.2.2.GA
> JBoss Seam 2.0.1.GA
> Drools 4.0.3
>            Reporter: Kenneth Christensen
>         Assigned To: Shane Bryzak
>            Priority: Critical
>         Attachments: security.drl, testcase1-RuleBasedIdentity.zip, testcase2-RuleTest.zip, testcase3-RuleTest-v2.zip
>
>
> I'm getting random AuthorizationExceptions when I Load Testing (with Web Performance Suite 3.5)
> my application (JBoss AS 4.2.2.GA, Drools 4.0.3, JBoss Seam 2.0.1.GA, RichFaces 3.1.4.GA and JSF 1.2).
> And it looks like RuleBasedIdentity.hasPermission() is the problem, or more likely securityContext.fireAllRules()
> used by RuleBasedIdentity.hasPermission().
> I have run two testcases (see attached files), where all RuleBasedIdentity.hasPermission() should return true.
> But under heavy load (lots of threads and 90% - 100% CPU) RuleBasedIdentity.hasPermission() returns false because
> securityContext.fireAllRules() don't call PermissionCheck.grant().
> But now its getting really weird :-)
> If I override RuleBasedIdentity.hasPermission() with:
> @Name("org.jboss.seam.security.identity")
> @Scope(SESSION)
> @BypassInterceptors
> @Install(precedence=Install.APPLICATION, classDependencies="org.drools.WorkingMemory")
> @Startup
> public class RuleTest extends RuleBasedIdentity {
>     @Override
>     public boolean hasPermission(String name, String action, Object... arg) {
>         boolean result = super.hasPermission(name, action, arg);
>         if (!result) { // Are we sure, if result == false? One more time.
>             result = super.hasPermission(name, action, arg);
>         }
>         return result;
>     }
> }
> then about 95%-99% of the time RuleTest.hasPermission() will return the expected result, i.e. true.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the seam-issues mailing list