12 Replies Latest reply: May 11, 2012 7:55 AM by Roland Olsson RSS

in PersistentPermissionResolver.filterSetByAction

Alim Abdulkhairov Newbie

Hello community.

I use seam 3 and faced with suc problem:


I didn't define identityPermissionClass in my seam configuration beans.xml. So JpaPermissionStore.identityPermissionClass property is null and during it init() method JpaPermissionStore.enabled is defined as false (JpaPermissionStore.enabled = false). And when PersistentPermissionResolver.filterSetByAction is called permissions variable is assigned to null.

 

The cause lies in this code in JpaPermissionStore:

 

protected List<Permission> listPermissions(Object resource, Set<Object> targets, String action)
{
      if (identityPermissionClass == null) return null;
      ......
}

 

So i get NullPointerException in PersistentPermissionResolver.filterSetByAction on this line:

 

for (Permission permission : permissions) 
{
...
}

 

Why this check is not used in PersistentPermissionResolver.filterSetByAction like it does in PersistentPermissionResolver.hasPermission?

 

public void filterSetByAction(Set<Object> targets, String action)
   {
      if (permissionStore == null) return;
      
      if (!identity.isLoggedIn()) return;

      if (!permissionStore.isEnabled()) return; // to check if JpaPermissionStore is enabled


  • 1. Re: in PersistentPermissionResolver.filterSetByAction
    Richard Barabe Newbie

    I think you should read this : https://community.jboss.org/message/652004

     

    Unfortunately the permission stuff does not work in seam 3.  Except for Rule based permissions, these works well.

     

    ACL permissions where asked by many people but it doesn't seem to  be planned at all (hope I'm mistaking on this, though). 

     

    Is that because all the efforts are for the DeltaSpike project ? 

     

    I should probably ask in another thread

  • 2. Re: in PersistentPermissionResolver.filterSetByAction
    Richard Barabe Newbie

    Sorry for double posting, but indeed most of the efforts are on delta spike :

    https://community.jboss.org/message/730408#730408

  • 3. Re: in PersistentPermissionResolver.filterSetByAction
    Alim Abdulkhairov Newbie

    Thank you for link, Richard.

     

    But can I disable PersistentPermissionResolver.filterSetByAction from resolver chain? It fails with NullPointerException and my custom PermissionResolver implementation isn't called. This is the problem.

  • 4. Re: in PersistentPermissionResolver.filterSetByAction
    Richard Barabe Newbie

    I think not.  But you could provide a dummy identityPermissionClass :

    package foo.bar;
    
    import javax.persistence.GenerationType;
    import javax.persistence.Table;
    import java.io.Serializable;
    
    import javax.persistence.Entity;
    import javax.persistence.GeneratedValue;
    import javax.persistence.Id;
    import javax.persistence.ManyToOne;
    import javax.validation.constraints.NotNull;
    
    import org.jboss.seam.security.annotations.permission.PermissionProperty;
    
    import static org.jboss.seam.security.annotations.permission.PermissionPropertyType.*;
    
    /**
     * This entity stores ACL permissions
     *
     * @author Shane Bryzak
     */
    @Entity
    @Table(name="IdentityPermission")
    public class IdentityPermission implements Serializable {
        private static final long serialVersionUID = -5366058398015495583L;
    
        private Long id;
        private IdentityObject identityObject;
        private IdentityObjectRelationshipType relationshipType;
        private String relationshipName;
        private String resource;
        private String permission;
    
        /**
         * Surrogate primary key value for the permission.
         *
         * @return
         */
        @Id
        @GeneratedValue(strategy= GenerationType.IDENTITY)
        public Long getId() {
            return id;
        }
    
        public void setId(Long id) {
            this.id = id;
        }
    
        /**
         * Either the specific identity object for which this permission is granted,
         * or in the case of a permission granted against a group, this property
         * then represents the "to" side of the group relationship.  Required field.
         *
         * @return
         */
        @NotNull
        @ManyToOne
        @PermissionProperty(IDENTITY)
        public IdentityObject getIdentityObject() {
            return identityObject;
        }
    
        public void setIdentityObject(IdentityObject identityObject) {
            this.identityObject = identityObject;
        }
    
        /**
         * If this permission is granted to a group of identities, then this property may
         * be used to indicate the relationship type of the group membership.  For example,
         * a group or role relationship.  It is possible that the permission may also be
         * granted to identities that have *any* sort of membership within a group, in
         * which case this property would be null.
         *
         * @return
         */
        @ManyToOne
        @PermissionProperty(RELATIONSHIP_TYPE)
        public IdentityObjectRelationshipType getRelationshipType() {
            return relationshipType;
        }
    
        public void setRelationshipType(IdentityObjectRelationshipType relationshipType) {
            this.relationshipType = relationshipType;
        }
    
        /**
         * If this permission is granted to a group of identities, then this property
         * may be used to indicate the name for named relationships, such as role
         * memberships.
         *
         * @return
         */
        @PermissionProperty(RELATIONSHIP_NAME)
        public String getRelationshipName() {
            return relationshipName;
        }
    
        public void setRelationshipName(String relationshipName) {
            this.relationshipName = relationshipName;
        }
    
        /**
         * The unique identifier for the resource for which permission is granted
         *
         * @return
         */
        @PermissionProperty(RESOURCE)
        public String getResource() {
            return resource;
        }
    
        public void setResource(String resource) {
            this.resource = resource;
        }
    
        /**
         * The permission(s) granted for the resource.  May either be a comma-separated
         * list of permission names (such as create, delete, etc) or a bit-masked
         * integer value, in which each bit represents a different permission.
         *
         * @return
         */
        @PermissionProperty(PERMISSION)
        public String getPermission() {
            return permission;
        }
    
        public void setPermission(String permission) {
            this.permission = permission;
        }
    }
    

     

     

    And configure it :

     

     

    <beans    xmlns="http://java.sun.com/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:s="urn:java:ee"
              xmlns:security="urn:java:org.jboss.seam.security"
              xmlns:permission="urn:java:org.jboss.seam.security.permission"
              xsi:schemaLocation="http://java.sun.com/xml/ns/javaee  http://jboss.org/schema/cdi/beans_1_0.xsd">
        <security:JpaPermissionStore>
            <s:modifies/>
            <security:identityPermissionClass>foo.bar.IdentityPermission</security:identityPermissionClass>
        </security:JpaPermissionStore>
    </beans>
    

     


    That should work around the error.  Let me know if you make it work

  • 5. Re: in PersistentPermissionResolver.filterSetByAction
    Alim Abdulkhairov Newbie

    Thanks a lot, Richard.

     

    But identityPermissionClass is not injected in JpaPermissionStore anyway

    I have copied your IdentityPermission realization and configured seam. Now seam-beans.xml contents look this way:

     

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://java.sun.com/xml/ns/javaee"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:s="urn:java:ee"
           xmlns:security="urn:java:org.jboss.seam.security"
           xmlns:permission="urn:java:org.jboss.seam.security.permission"
           xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/beans_1_0.xsd">
    
    
        <security:JpaPermissionStore>
            <s:replaces/>
            <security:identityPermissionClass>com.foo.bar.security.IdentityPermission</security:identityPermissionClass>
        </security:JpaPermissionStore>
    
    
    </beans>
    
    

     

    seam-beans.xml is in src/main/resources/META-INF folder. I tried to use beans.xml with the same contents but it isn't work too. And it seems container doesn't attempt to load IdentityPermission class. There isn't any logs relatated to it, only "No identityPermissionClass set, JpaPermissionStore will be unavailable."


  • 6. Re: in PersistentPermissionResolver.filterSetByAction
    Richard Barabe Newbie

    I just tested it on my side, and it works for me. 
    I mean, as soon as I provide and configure the IdentityPermission as in my previous post, JpaPermissionStore.enabled becomes true. 
    Commenting the configuration in seam-beans make JpaPermissionStore.enabled false.

     

    By the way, I'm using seam 3.1.0.Final with glassfish 3.1.2

  • 7. Re: in PersistentPermissionResolver.filterSetByAction
    Roland Olsson Newbie

    I'm also struggling with enabling the JpaPermissionStore. No matter how I put things into beans.xml or seam-beans.xml it just doesn't work. I have spent hours debugging Seam Security, Seam Solder and Weld but to no avail. From what I can see the configuration files aren't even read, or at least not the portion that should configure the Seam beans. The deployment structure: EAR containing a WAR (with beans) which in turn contains a JAR (with beans). The classes related to JpaPermissionStore is located in the JAR file. I try to deploy this to an JBoss AS 7.1 server.

  • 8. Re: in PersistentPermissionResolver.filterSetByAction
    Jason Porter Master

    Try the annotations, they're easier to use anyway.

  • 9. Re: in PersistentPermissionResolver.filterSetByAction
    Alim Abdulkhairov Newbie

    Hi guys,
    I want to thank Richard, his answers hepled me a lot. And now it works for me. 

     

    Roland, I faced with the same problem - Seam didn't see my beans.xml.

     

    So I had added Seam Config XML dependency in my pom.xml an it worked!

     

     

          <dependency>
             <groupId>org.jboss.seam.config</groupId>
             <artifactId>seam-config-xml</artifactId>
             <scope>runtime</scope>
          </dependency>
    
    

     

    And when your application are starting Seam Config XML provider installs beans from beans.xml

     

    BTW, Beans.xml is placed in .../main/resources/META-INF/beans.xml

     

    Hope it hepls.

  • 10. Re: in PersistentPermissionResolver.filterSetByAction
    Roland Olsson Newbie

    Which annotation? I already use the IdentityEntity annotation for the other identity entity classes. This annotation, however, lacks support for an identity permission entity type.

    Jason Porter wrote:

     

    Try the annotations, they're easier to use anyway.

  • 11. Re: in PersistentPermissionResolver.filterSetByAction
    Roland Olsson Newbie

    If I add the seam-config-xml module as a dependency it doesn't deploy at all. It doesn't allow my to use this module in parallel with the solder-impl module. From what I understand the functionality of the seam-config-xml module has now completely moved into Solder?

    Alim Abdulkhairov wrote:

     

    Hi guys,
    I want to thank Richard, his answers hepled me a lot. And now it works for me. 

     

    Roland, I faced with the same problem - Seam didn't see my beans.xml.

     

    So I had added Seam Config XML dependency in my pom.xml an it worked!

     

     

          <dependency>         <groupId>org.jboss.seam.config</groupId>         <artifactId>seam-config-xml</artifactId>         <scope>runtime</scope>      </dependency>
    

     

    And when your application are starting Seam Config XML provider installs beans from beans.xml

     

    BTW, Beans.xml is placed in .../main/resources/META-INF/beans.xml

     

    Hope it hepls.

  • 12. Re: in PersistentPermissionResolver.filterSetByAction
    Roland Olsson Newbie

    Debugging the process of retreiving the bean configuration files I end up in the org.jboss.solder.servlet.resource.WebResourceLocator and its getWebResourceUrl(path) method. This gets called with e g "WEB-INF/beans.xml". But something seems to go wrong in here. The ServiceLoader.load method doesn't find any WebResourceLocationProvider service and returns an iterator to an empty collection. This results in the method returning a null resource URL.

     

    Have I missed anything configuration wise or maybe is this a bug in Seam Solder? I deploy my application to a JBoss AS 7.1 Final server.

     

      package org.jboss.solder.servlet.resource;

      ...

      public class WebResourceLocator {

        ...

        public URL getWebResourceUrl(final String path) {

            // build sorted list of provider implementations

            List<WebResourceLocationProvider> providers = new ArrayList<WebResourceLocationProvider>();

            Iterator<WebResourceLocationProvider> iterator = ServiceLoader.load(WebResourceLocationProvider.class).iterator();


            while (iterator.hasNext()) {

                providers.add(iterator.next());

            }

            Collections.sort(providers, new Sortable.Comparator());

     

            // prefer the context classloader

            ClassLoader classLoader = WebResourceLocator.class.getClassLoader();

     

            // process each provider one by one

            for (WebResourceLocationProvider provider : providers) {

     

                // execute the SPI implementation

                final URL resourceLocation = provider.getWebResource(path, classLoader);

     

                if (resourceLocation != null) {

                    return resourceLocation;

                }

            }

            return null;