12 Replies Latest reply on May 11, 2012 7:55 AM by rt_olsson

    in PersistentPermissionResolver.filterSetByAction

    alim88

      Hello community.

      I use Seam 3 and am faced with the following problem:


      I didn't define identityPermissionClass in my Seam configuration beans.xml. So the JpaPermissionStore.identityPermissionClass property is null, and during its init() method JpaPermissionStore.enabled is set to false (JpaPermissionStore.enabled = false). And when PersistentPermissionResolver.filterSetByAction is called, the permissions variable is assigned null.

       

      The cause lies in this code in JpaPermissionStore:

       

      protected List<Permission> listPermissions(Object resource, Set<Object> targets, String action)
      {
            if (identityPermissionClass == null) return null;
            ......
      }
      
      

       

      So I get a NullPointerException in PersistentPermissionResolver.filterSetByAction on this line:

       

      for (Permission permission : permissions) 
      {
      ...
      }
      

       

      Why is this check not used in PersistentPermissionResolver.filterSetByAction like it is in PersistentPermissionResolver.hasPermission?

       

      public void filterSetByAction(Set<Object> targets, String action)
         {
            if (permissionStore == null) return;
            
            if (!identity.isLoggedIn()) return;
      
            if (!permissionStore.isEnabled()) return; // to check if JpaPermissionStore is enabled
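
The failure described in this post next to its guarded form, as an added example that is not part of the original post and is not Seam Security's code: `Store`, `Resolver`, `Unguarded`, `Guarded` and `CUSTOM` are hypothetical stand-ins. It shows how one resolver's unchecked null aborts the chain before a later resolver runs, and that treating a disabled store as "no grants" keeps the decision fail-closed.

```java
import java.util.*;

// Added illustration with simplified stand-in types; these are not Seam Security's classes.
public class ResolverChainDemo {
    interface Store {
        boolean isEnabled();
        List<Object> listPermissions(Set<Object> targets, String action); // targets the store grants
    }
    // As in the thread's API, a resolver removes the targets it grants from the set.
    interface Resolver { void filterSetByAction(Set<Object> targets, String action); }

    // Store with no permission class configured: disabled, and it returns null.
    static final Store UNCONFIGURED = new Store() {
        public boolean isEnabled() { return false; }
        public List<Object> listPermissions(Set<Object> t, String a) { return null; }
    };

    // Behaviour reported in the post: the store result is iterated without any check.
    static final class Unguarded implements Resolver {
        public void filterSetByAction(Set<Object> targets, String action) {
            for (Object granted : UNCONFIGURED.listPermissions(targets, action)) { // NPE here
                targets.remove(granted);
            }
        }
    }

    // Guarded form: a disabled store or a null result means "no grants", never an exception.
    static final class Guarded implements Resolver {
        public void filterSetByAction(Set<Object> targets, String action) {
            if (!UNCONFIGURED.isEnabled()) return;
            List<Object> granted = UNCONFIGURED.listPermissions(targets, action);
            if (granted != null) targets.removeAll(granted);
        }
    }

    // Hypothetical application resolver: grants "read" on anything under public/.
    static final Resolver CUSTOM = (targets, action) ->
            targets.removeIf(t -> "read".equals(action) && t.toString().startsWith("public/"));

    // Runs the chain in order and returns the targets that no resolver granted.
    static Set<Object> run(List<Resolver> chain, Set<Object> targets, String action) {
        Set<Object> remaining = new TreeSet<>(targets);
        for (Resolver r : chain) r.filterSetByAction(remaining, action);
        return remaining;
    }

    public static void main(String[] args) {
        Set<Object> targets = new TreeSet<>(Arrays.asList("public/a", "private/b")); // constructed sample
        try {
            run(Arrays.asList(new Unguarded(), CUSTOM), targets, "read");
        } catch (NullPointerException e) {
            System.out.println("unguarded chain aborted before the custom resolver ran");
        }
        System.out.println("guarded chain leaves ungranted: "
                + run(Arrays.asList(new Guarded(), CUSTOM), targets, "read"));
    }
}
```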
      


        • 1. Re: in PersistentPermissionResolver.filterSetByAction
          baraber

          I think you should read this : https://community.jboss.org/message/652004

           

          Unfortunately the permission stuff does not work in Seam 3, except for rule-based permissions; these work well.

           

          ACL permissions were asked for by many people but it doesn't seem to be planned at all (hope I'm mistaken on this, though).

           

          Is that because all the efforts are for the DeltaSpike project ? 

           

          I should probably ask in another thread

          • 2. Re: in PersistentPermissionResolver.filterSetByAction
            baraber

            Sorry for double posting, but indeed most of the efforts are on delta spike :

            https://community.jboss.org/message/730408#730408

            • 3. Re: in PersistentPermissionResolver.filterSetByAction
              alim88

              Thank you for the link, Richard.

               

              But can I disable PersistentPermissionResolver.filterSetByAction from resolver chain? It fails with NullPointerException and my custom PermissionResolver implementation isn't called. This is the problem.

              • 4. Re: in PersistentPermissionResolver.filterSetByAction
                baraber

                I think not.  But you could provide a dummy identityPermissionClass :

                {code}
                package foo.bar;

                import javax.persistence.GenerationType;
                import javax.persistence.Table;
                import java.io.Serializable;

                import javax.persistence.Entity;
                import javax.persistence.GeneratedValue;
                import javax.persistence.Id;
                import javax.persistence.ManyToOne;
                import javax.validation.constraints.NotNull;

                import org.jboss.seam.security.annotations.permission.PermissionProperty;

                import static org.jboss.seam.security.annotations.permission.PermissionPropertyType.*;

                /**
                 * This entity stores ACL permissions
                 *
                 * @author Shane Bryzak
                 */
                @Entity
                @Table(name="IdentityPermission")
                public class IdentityPermission implements Serializable {
                    private static final long serialVersionUID = -5366058398015495583L;

                    private Long id;
                    private IdentityObject identityObject;
                    private IdentityObjectRelationshipType relationshipType;
                    private String relationshipName;
                    private String resource;
                    private String permission;

                    /**
                     * Surrogate primary key value for the permission.
                     *
                     * @return
                     */
                    @Id
                    @GeneratedValue(strategy= GenerationType.IDENTITY)
                    public Long getId() {
                        return id;
                    }

                    public void setId(Long id) {
                        this.id = id;
                    }

                    /**
                     * Either the specific identity object for which this permission is granted,
                     * or in the case of a permission granted against a group, this property
                     * then represents the "to" side of the group relationship.  Required field.
                     *
                     * @return
                     */
                    @NotNull
                    @ManyToOne
                    @PermissionProperty(IDENTITY)
                    public IdentityObject getIdentityObject() {
                        return identityObject;
                    }

                    public void setIdentityObject(IdentityObject identityObject) {
                        this.identityObject = identityObject;
                    }

                    /**
                     * If this permission is granted to a group of identities, then this property may
                     * be used to indicate the relationship type of the group membership.  For example,
                     * a group or role relationship.  It is possible that the permission may also be
                     * granted to identities that have *any* sort of membership within a group, in
                     * which case this property would be null.
                     *
                     * @return
                     */
                    @ManyToOne
                    @PermissionProperty(RELATIONSHIP_TYPE)
                    public IdentityObjectRelationshipType getRelationshipType() {
                        return relationshipType;
                    }

                    public void setRelationshipType(IdentityObjectRelationshipType relationshipType) {
                        this.relationshipType = relationshipType;
                    }

                    /**
                     * If this permission is granted to a group of identities, then this property
                     * may be used to indicate the name for named relationships, such as role
                     * memberships.
                     *
                     * @return
                     */
                    @PermissionProperty(RELATIONSHIP_NAME)
                    public String getRelationshipName() {
                        return relationshipName;
                    }

                    public void setRelationshipName(String relationshipName) {
                        this.relationshipName = relationshipName;
                    }

                    /**
                     * The unique identifier for the resource for which permission is granted
                     *
                     * @return
                     */
                    @PermissionProperty(RESOURCE)
                    public String getResource() {
                        return resource;
                    }

                    public void setResource(String resource) {
                        this.resource = resource;
                    }

                    /**
                     * The permission(s) granted for the resource.  May either be a comma-separated
                     * list of permission names (such as create, delete, etc) or a bit-masked
                     * integer value, in which each bit represents a different permission.
                     *
                     * @return
                     */
                    @PermissionProperty(PERMISSION)
                    public String getPermission() {
                        return permission;
                    }

                    public void setPermission(String permission) {
                        this.permission = permission;
                    }
                }
                {code}

                 

                And configure it :

                 

                 

                {code:xml}
                <beans    xmlns="http://java.sun.com/xml/ns/javaee"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xmlns:s="urn:java:ee"
                          xmlns:security="urn:java:org.jboss.seam.security"
                          xmlns:permission="urn:java:org.jboss.seam.security.permission"
                          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee  http://jboss.org/schema/cdi/beans_1_0.xsd">
                    <security:JpaPermissionStore>
                        <s:modifies/>
                        <security:identityPermissionClass>foo.bar.IdentityPermission</security:identityPermissionClass>
                    </security:JpaPermissionStore>
                </beans>
                {code}


                That should work around the error.  Let me know if you make it work

                • 5. Re: in PersistentPermissionResolver.filterSetByAction
                  alim88

                  Thanks a lot, Richard.

                   

                  But identityPermissionClass is not injected in JpaPermissionStore anyway.

                  I have copied your IdentityPermission realization and configured seam. Now seam-beans.xml contents look this way:

                   

                  <?xml version="1.0" encoding="UTF-8"?>
                  <beans xmlns="http://java.sun.com/xml/ns/javaee"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xmlns:s="urn:java:ee"
                         xmlns:security="urn:java:org.jboss.seam.security"
                         xmlns:permission="urn:java:org.jboss.seam.security.permission"
                         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/beans_1_0.xsd">
                  
                  
                      <security:JpaPermissionStore>
                          <s:replaces/>
                          <security:identityPermissionClass>com.foo.bar.security.IdentityPermission</security:identityPermissionClass>
                      </security:JpaPermissionStore>
                  
                  
                  </beans>
                  
                  

                   

                  seam-beans.xml is in the src/main/resources/META-INF folder. I tried to use beans.xml with the same contents but it doesn't work either. And it seems the container doesn't attempt to load the IdentityPermission class. There aren't any logs related to it, only "No identityPermissionClass set, JpaPermissionStore will be unavailable."


                  • 6. Re: in PersistentPermissionResolver.filterSetByAction
                    baraber

                    I just tested it on my side, and it works for me. 
                    I mean, as soon as I provide and configure the IdentityPermission as in my previous post, JpaPermissionStore.enabled becomes true. 
                    Commenting out the configuration in seam-beans makes JpaPermissionStore.enabled false.

                     

                    By the way, I'm using seam 3.1.0.Final with glassfish 3.1.2

                    • 7. Re: in PersistentPermissionResolver.filterSetByAction
                      rt_olsson

                      I'm also struggling with enabling the JpaPermissionStore. No matter how I put things into beans.xml or seam-beans.xml it just doesn't work. I have spent hours debugging Seam Security, Seam Solder and Weld but to no avail. From what I can see the configuration files aren't even read, or at least not the portion that should configure the Seam beans. The deployment structure: EAR containing a WAR (with beans) which in turn contains a JAR (with beans). The classes related to JpaPermissionStore are located in the JAR file. I try to deploy this to a JBoss AS 7.1 server.

                      • 8. Re: in PersistentPermissionResolver.filterSetByAction
                        lightguard

                        Try the annotations, they're easier to use anyway.

                        • 9. Re: in PersistentPermissionResolver.filterSetByAction
                          alim88

                          Hi guys,
                          I want to thank Richard, his answers helped me a lot. And now it works for me.

                           

                          Roland, I faced the same problem - Seam didn't see my beans.xml.

                           

                          So I added the Seam Config XML dependency to my pom.xml and it worked!

                           

                           

                                <dependency>
                                   <groupId>org.jboss.seam.config</groupId>
                                   <artifactId>seam-config-xml</artifactId>
                                   <scope>runtime</scope>
                                </dependency>
                          
                          

                           

                          And when your application is starting, the Seam Config XML provider installs beans from beans.xml

                           

                          BTW, Beans.xml is placed in .../main/resources/META-INF/beans.xml

                           

                          Hope it helps.

                          • 10. Re: in PersistentPermissionResolver.filterSetByAction
                            rt_olsson

                            Which annotation? I already use the IdentityEntity annotation for the other identity entity classes. This annotation, however, lacks support for an identity permission entity type.

                            Jason Porter wrote:

                             

                            Try the annotations, they're easier to use anyway.

                            • 11. Re: in PersistentPermissionResolver.filterSetByAction
                              rt_olsson

                              If I add the seam-config-xml module as a dependency it doesn't deploy at all. It doesn't allow me to use this module in parallel with the solder-impl module. From what I understand the functionality of the seam-config-xml module has now completely moved into Solder?

                              Alim Abdulkhairov wrote:

                               

                              Hi guys,
                              I want to thank Richard, his answers helped me a lot. And now it works for me.

                               

                              Roland, I faced the same problem - Seam didn't see my beans.xml.

                               

                              So I added the Seam Config XML dependency to my pom.xml and it worked!

                               

                               

                                    <dependency>
                                       <groupId>org.jboss.seam.config</groupId>
                                       <artifactId>seam-config-xml</artifactId>
                                       <scope>runtime</scope>
                                    </dependency>
                              

                               

                              And when your application is starting, the Seam Config XML provider installs beans from beans.xml

                               

                              BTW, Beans.xml is placed in .../main/resources/META-INF/beans.xml

                               

                              Hope it helps.

                              • 12. Re: in PersistentPermissionResolver.filterSetByAction
                                rt_olsson

                                Debugging the process of retrieving the bean configuration files I end up in the org.jboss.solder.servlet.resource.WebResourceLocator and its getWebResourceUrl(path) method. This gets called with e.g. "WEB-INF/beans.xml". But something seems to go wrong in here. The ServiceLoader.load method doesn't find any WebResourceLocationProvider service and returns an iterator to an empty collection. This results in the method returning a null resource URL.

                                 

                                Have I missed anything configuration wise or maybe is this a bug in Seam Solder? I deploy my application to a JBoss AS 7.1 Final server.

                                 

                                  package org.jboss.solder.servlet.resource;
                                  ...
                                  public class WebResourceLocator {
                                    ...
                                    public URL getWebResourceUrl(final String path) {
                                        // build sorted list of provider implementations
                                        List<WebResourceLocationProvider> providers = new ArrayList<WebResourceLocationProvider>();
                                        Iterator<WebResourceLocationProvider> iterator = ServiceLoader.load(WebResourceLocationProvider.class).iterator();

                                        while (iterator.hasNext()) {
                                            providers.add(iterator.next());
                                        }
                                        Collections.sort(providers, new Sortable.Comparator());

                                        // prefer the context classloader
                                        ClassLoader classLoader = WebResourceLocator.class.getClassLoader();

                                        // process each provider one by one
                                        for (WebResourceLocationProvider provider : providers) {

                                            // execute the SPI implementation
                                            final URL resourceLocation = provider.getWebResource(path, classLoader);

                                            if (resourceLocation != null) {
                                                return resourceLocation;
                                            }
                                        }
                                        return null;