That did the trick, but now I'm facing another problem.
When the user authenticates, his roles and their permissions are loaded, and a
new GrantedPermission object is asserted for each permission into the working
memory:
| public boolean authenticate() {
|     ...
|
|     for (SphGru sphGru : sphUsu.getSphGrus()) {
|         Identity.instance().addRole(sphGru.getNome()); // add the user role
|         for (SphPer sphPer : sphGru.getSphPers()) { // assert the user role permissions into the working memory
|             String name = sphPer.getSphEditor().getNomeComponente(); // get the component name
|             WorkingMemory wm = ((RuleBasedIdentity) Identity.instance()).getSecurityContext();
|
|             if (sphPer.getFlgPermiteIncluir().toString().equals("S"))
|                 wm.assertObject(new GrantedPermission("create", name)); // user can call component's create action
|
|             if (sphPer.getFlgPermiteAlterar().toString().equals("S"))
|                 wm.assertObject(new GrantedPermission("update", name)); // user can call component's update action
|
|             if (sphPer.getFlgPermiteExcluir().toString().equals("S"))
|                 wm.assertObject(new GrantedPermission("delete", name)); // user can call component's delete action
|         }
|     }
|
|     ...
| }
|
The component has "create", "update" and "delete" methods annotated with @Restrict:
| @Restrict
| public String create() {
|     ...
| }
|
| @Restrict
| public String update() {
|     ...
| }
|
| @Restrict
| public String delete() {
|     ...
| }
|
This is the rule (/META-INF/security-dynamic-permission.drl):
| package DynamicPermission
|
| import org.jboss.seam.security.PermissionCheck;
| import com.sphere.consultoria.login.GrantedPermission;
|
| rule GrantDynamicPermission
|     no-loop
|     activation-group "permissions"
|     salience -10
| when
|     check: PermissionCheck(granted == false)
|     GrantedPermission(n : name -> (n == check.getName()), a : action -> (a == check.getAction()))
| then
|     System.out.println("Permission granted!!!");
|     check.grant();
| end;
|
components.xml:
| ...
| <security:identity authenticate-method="#{authenticator.authenticate}"/>
|
| <drools:rule-base name="securityRules">
|     <drools:rule-files>
|         <value>/META-INF/security-dynamic-permission.drl</value>
|     </drools:rule-files>
| </drools:rule-base>
| ...
|
And the GrantedPermission class:
| import java.io.Serializable;
|
| public class GrantedPermission implements Serializable {
|
|     private String name;   // component name the permission applies to
|     private String action; // "create", "update" or "delete"
|
|     public GrantedPermission(String action, String name) {
|         this.action = action;
|         this.name = name;
|     }
|
|     public String getAction() {
|         return action;
|     }
|
|     public void setAction(String action) {
|         this.action = action;
|     }
|
|     public String getName() {
|         return name;
|     }
|
|     public void setName(String name) {
|         this.name = name;
|     }
|
|     @Override
|     public int hashCode() {
|         ...
|     }
|
|     @Override
|     public boolean equals(Object obj) {
|         ...
|     }
| }
|
Still, I get an AuthorizationException when the rule is supposed to fire:
| 14:04:15,390 ERROR [ExceptionFilter] uncaught exception
| javax.servlet.ServletException: Error calling action method of component with id _id17:_id54
|     at javax.faces.webapp.FacesServlet.service(FacesServlet.java:152)
|     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
|     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
|     at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:63)
|     at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
|     at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
|     at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:57)
|     at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
|     at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:79)
|     at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
|     at org.jboss.seam.web.SeamFilter.doFilter(SeamFilter.java:84)
|     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
|     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
|     at org.ajax4jsf.framework.ajax.xmlfilter.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:96)
|     at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:220)
|     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
|     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
|     at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
|     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
|     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
|     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
|     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
|     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
|     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
|     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
|     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
|     at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
|     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
|     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
|     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
|     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
|     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
|     at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
|     at java.lang.Thread.run(Thread.java:595)
| 14:04:15,390 ERROR [ExceptionFilter] exception root cause
| javax.faces.FacesException: Error calling action method of component with id _id17:_id54
|     at org.apache.myfaces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:74)
|     at javax.faces.component.UICommand.broadcast(UICommand.java:106)
|     at org.ajax4jsf.framework.ajax.AjaxViewRoot.processEvents(AjaxViewRoot.java:180)
|     at org.ajax4jsf.framework.ajax.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:158)
|     at org.ajax4jsf.framework.ajax.AjaxViewRoot.processApplication(AjaxViewRoot.java:329)
|     at org.apache.myfaces.lifecycle.LifecycleImpl.invokeApplication(LifecycleImpl.java:343)
|     at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:86)
|     at javax.faces.webapp.FacesServlet.service(FacesServlet.java:137)
|     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
|     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
|     at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:63)
|     at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
|     at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
|     at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:57)
|     at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
|     at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:79)
|     at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
|     at org.jboss.seam.web.SeamFilter.doFilter(SeamFilter.java:84)
|     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
|     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
|     at org.ajax4jsf.framework.ajax.xmlfilter.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:96)
|     at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:220)
|     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
|     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
|     at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
|     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
|     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
|     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
|     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
|     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
|     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
|     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
|     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
|     at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
|     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
|     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
|     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
|     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
|     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
|     at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
|     at java.lang.Thread.run(Thread.java:595)
| Caused by: javax.faces.el.EvaluationException: /editSphAgenda.xhtml @83,159 action="#{sphagendaEditor.create}": org.jboss.seam.security.AuthorizationException: Authorization check failed for expression [#{s:hasPermission('sphagendaEditor','create', null)}]
|     at com.sun.facelets.el.LegacyMethodBinding.invoke(LegacyMethodBinding.java:73)
|     at org.apache.myfaces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:63)
|     ... 40 more
| Caused by: org.jboss.seam.security.AuthorizationException: Authorization check failed for expression [#{s:hasPermission('sphagendaEditor','create', null)}]
|     at org.jboss.seam.security.Identity.checkRestriction(Identity.java:160)
|     at org.jboss.seam.interceptors.SecurityInterceptor.aroundInvoke(SecurityInterceptor.java:35)
|     at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:69)
|     at org.jboss.seam.interceptors.RemoveInterceptor.aroundInvoke(RemoveInterceptor.java:40)
|     at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:69)
|     at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:103)
|     at org.jboss.seam.intercept.ClientSideInterceptor.invoke(ClientSideInterceptor.java:50)
|     at org.javassist.tmp.java.lang.Object_$$_javassist_54.create(Object_$$_javassist_54.java)
|     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
|     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
|     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
|     at java.lang.reflect.Method.invoke(Method.java:585)
|     at com.sun.el.parser.AstValue.invoke(AstValue.java:174)
|     at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:286)
|     at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
|     at com.sun.facelets.el.LegacyMethodBinding.invoke(LegacyMethodBinding.java:69)
|     ... 41 more
|
Expression [#{s:hasPermission('sphagendaEditor','create', null)}] should grant
the permission, since I've asserted into the working memory a GrantedPermission
with action "create" and name "sphagendaEditor".
I'm sure the rule /META-INF/security-dynamic-permission.drl is being loaded,
because it was giving me that validation error before. So components.xml seems
to be properly configured.
It seems the rule is not fired at all.
Any tips?
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4043725#4043725
_______________________________________________
jboss-user mailing list
https://lists.jboss.org/mailman/listinfo/jboss-user
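A standalone harness for the set-up described in the post, added here as an example and not part of the original post or of Seam: it compiles the same DRL outside the container, asserts a GrantedPermission the way authenticate() does, then asserts the PermissionCheck that s:hasPermission('sphagendaEditor','create', null) produces, so one can see directly whether GrantDynamicPermission fires. It assumes the Drools 3 API that Seam's RuleBasedIdentity is built on (RuleBaseFactory, PackageBuilder, WorkingMemory.assertObject) and that org.jboss.seam.security.PermissionCheck has a PermissionCheck(name, action) constructor with grant()/isGranted(); the DRL path and the GrantedPermission class are the poster's own.

```java
import java.io.InputStreamReader;
import java.io.Reader;
import org.drools.RuleBase;
import org.drools.RuleBaseFactory;
import org.drools.WorkingMemory;
import org.drools.compiler.PackageBuilder;
import org.jboss.seam.security.PermissionCheck;
import com.sphere.consultoria.login.GrantedPermission;

/**
 * Compiles security-dynamic-permission.drl without a Seam container and replays
 * the check @Restrict performs. Added example (not the poster's code); assumes
 * the Drools 3 API (RuleBaseFactory, PackageBuilder, WorkingMemory.assertObject).
 */
public class DynamicPermissionRuleHarness {

    static RuleBase loadRules() throws Exception {
        PackageBuilder builder = new PackageBuilder();
        Reader drl = new InputStreamReader(DynamicPermissionRuleHarness.class
                .getResourceAsStream("/META-INF/security-dynamic-permission.drl"));
        builder.addPackageFromDrl(drl);          // parse and compile the rule file
        RuleBase ruleBase = RuleBaseFactory.newRuleBase();
        ruleBase.addPackage(builder.getPackage());
        return ruleBase;
    }

    /** One working memory per call: login-time facts, then the request-time check. */
    static boolean isGranted(RuleBase ruleBase, GrantedPermission[] atLogin,
                             String component, String action) {
        WorkingMemory wm = ruleBase.newWorkingMemory();
        for (GrantedPermission gp : atLogin) {
            wm.assertObject(gp);                 // what authenticate() does
        }
        PermissionCheck check = new PermissionCheck(component, action);
        wm.assertObject(check);                  // what s:hasPermission does
        wm.fireAllRules();
        return check.isGranted();                // true only if the rule ran check.grant()
    }

    public static void main(String[] args) throws Exception {
        RuleBase rules = loadRules();
        // Fresh String instances, as database values and parsed EL literals are at
        // runtime, so the harness cannot pass merely because equal compile-time
        // literals share one interned instance.
        GrantedPermission[] atLogin = {
            new GrantedPermission(new String("create"), new String("sphagendaEditor")) };
        System.out.println("create: " + isGranted(rules, atLogin,
                new String("sphagendaEditor"), new String("create")));
        System.out.println("delete: " + isGranted(rules, atLogin, "sphagendaEditor", "delete"));
    }
}
```

Run it with the same drools and jboss-seam jars the application deploys; if "create" prints false here, the problem is in the rule or the facts rather than in components.xml or the Seam request pipeline.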