SEAMSECURITY-84

identity.hasRole and identity.addRole do not seem to be interacting with JpaStore

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.0.0.Final
    • Fix Version/s: None
    • Labels: None
    • Environment:
      Windows 7, MySQL 5.1, AS6

      Description

      I am trying to use Roles with Seam Security. I have added the following to my MySQL DB.

      insert into IdentityRoleName(id, name) values (1, 'admin');
      insert into IdentityRoleName(id, name) values (2, 'manager');

      insert into IdentityObjectType(id, name) values (1, 'USER');
      insert into IdentityObjectType(id, name) values (2, 'GROUP');

      insert into IdentityObject (id, name, identity_object_type_id) values (1, 'shane', 1);
      insert into IdentityObject (id, name, identity_object_type_id) values (2, 'demo', 1);
      insert into IdentityObject (id, name, identity_object_type_id) values (3, 'ROOT', 2);
      insert into IdentityObject (id, name, identity_object_type_id) values (4, 'USERS', 2);

      insert into IdentityObjectCredentialType (id, name) values (1, 'PASSWORD');

      insert into IdentityObjectCredential (id, identity_object_id, credential_type_id, value) values (1, 1, 1, 'password');
      insert into IdentityObjectCredential (id, identity_object_id, credential_type_id, value) values (2, 2, 1, 'demo');

      insert into IdentityObjectRelationshipType (id, name) values (1, 'JBOSS_IDENTITY_MEMBERSHIP');
      insert into IdentityObjectRelationshipType (id, name) values (2, 'JBOSS_IDENTITY_ROLE');

      insert into IdentityObjectRelationship (id, name, relationship_type_id, from_identity_id, to_identity_id) values (1, 'admin', 2, 3, 2);
      insert into IdentityObjectRelationship (id, name, relationship_type_id, from_identity_id, to_identity_id) values (2, 'admin', 2, 4, 2);

      And my seam-beans.xml has the following:

      <?xml version="1.0" encoding="UTF-8"?>
      <beans xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:s="urn:java:ee"
             xmlns:drools="urn:java:org.jboss.seam.drools:org.jboss.seam.drools.config"
             xmlns:auth="urn:java:org.jboss.seam.security"
             xmlns:security="urn:java:org.jboss.seam.security.permission"
             xmlns:plidm="urn:java:org.jboss.seam.security.management.picketlink"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://jboss.org/schema/cdi/beans_1_0.xsd">

        <auth:Identity>
          <s:modifies />
          <auth:authenticatorName>NGOAuthenticator</auth:authenticatorName>
        </auth:Identity>

        <security:JpaPermissionStore>
          <s:replaces />
          <security:identityPermissionClass>com.ngo.domain.IdentityPermission</security:identityPermissionClass>
        </security:JpaPermissionStore>

        <plidm:JpaIdentityStoreConfiguration>
          <s:replaces />
          <plidm:identityClass>com.ngo.domain.IdentityObject</plidm:identityClass>
          <plidm:credentialClass>com.ngo.domain.IdentityObjectCredential</plidm:credentialClass>
          <plidm:relationshipClass>com.ngo.domain.IdentityObjectRelationship</plidm:relationshipClass>
          <plidm:roleTypeClass>com.ngo.domain.IdentityRoleName</plidm:roleTypeClass>
          <plidm:attributeClass>com.ngo.domain.IdentityObjectAttribute</plidm:attributeClass>
        </plidm:JpaIdentityStoreConfiguration>

      </beans>

      When I execute identity.getRoles() I get no roles, and therefore when I execute identity.hasRole( "admin", "ROOT", "GROUP" ) it returns false.

      What am I missing?

      I have also tried removing the relationship entries and executing identity.addRole( "admin", "ROOT", "GROUP" ) just before the hasRole and it says I now have the Role. But, the values are not added to the DB.

          Activity

          gkar47 Bill Elliot added a comment -

          I have tried this using org.picketlink.idm.api.RoleManager and the addRole does update the DB and hasRole gives the correct result. It just seems that the Identity object is not connecting to the RoleManager.

          shane.bryzak Shane Bryzak added a comment -

          That's right, Identity doesn't have an intrinsic link to the identity management API. Calling addRole() on the Identity bean is only supposed to add the role for the user's current session.

          gkar47 Bill Elliot added a comment -

          Shane, that doesn't sound right. Everything in the documentation (reference and API) seems to indicate that it is directly tied into the PicketLink security. Having identity.addRole only be valid for the current session seems to be of limited use. Also, what about hasRole and getRoles? They also do not seem to return all of the user's authorizations. Yet the documentation seems to indicate they are coming from PicketLink.

          gkar47 Bill Elliot added a comment -

          Any update on this?

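          The following is an added example, not code from this issue or from the Seam Security project, that shows the split the two comments above describe: a persisted role assignment must go through the PicketLink IDM API (it writes the IdentityObjectRelationship row that JpaIdentityStore reads), while Identity.addRole() only changes the current session, so an authenticator has to copy the persisted roles into the Identity at login. The PicketLink IDM 1.x calls (IdentitySession, PersistenceManager.findUser/findGroup, RoleManager.getRoleType/createRoleType/hasRole/createRole/findRoleTypes/findRoles) and the Seam Security 3.0 types (BaseAuthenticator, Credentials, Identity.addRole(role, group, groupType)) are assumed from those versions' public APIs and should be checked against the jars you run; every "Ngo*" class name is hypothetical.

```java
// Added example, not code from SEAMSECURITY-84 or the Seam Security project.
// Assumed APIs: PicketLink IDM 1.x (IdentitySession, PersistenceManager,
// RoleManager, Group.getKey()) and Seam Security 3.0 (BaseAuthenticator,
// Credentials, Identity.addRole). Class names prefixed "Ngo" are hypothetical.
// Two beans in one file for brevity; split them into two files in a project.
package com.ngo.security;

import java.util.Collection;

import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.inject.Named;

import org.jboss.seam.security.Authenticator;
import org.jboss.seam.security.BaseAuthenticator;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;
import org.picketlink.idm.api.Group;
import org.picketlink.idm.api.IdentitySession;
import org.picketlink.idm.api.PersistenceManager;
import org.picketlink.idm.api.Role;
import org.picketlink.idm.api.RoleManager;
import org.picketlink.idm.api.RoleType;
import org.picketlink.idm.api.User;
import org.picketlink.idm.common.exception.IdentityException;

/** Persists a role assignment through PicketLink IDM (i.e. an IdentityObjectRelationship row). */
@RequestScoped
public class NgoRoleAdmin {

    @Inject IdentitySession identitySession;  // produced by Seam's PicketLink integration

    /** Grant roleName on the group identified by (groupName, groupType), e.g. ("ROOT", "GROUP"), to userName. */
    public void grantRole(String userName, String roleName, String groupName, String groupType)
            throws IdentityException {
        PersistenceManager pm = identitySession.getPersistenceManager();
        RoleManager rm = identitySession.getRoleManager();

        User user = pm.findUser(userName);
        Group group = pm.findGroup(groupName, groupType);
        if (user == null || group == null) {
            throw new IdentityException("unknown user or group: " + userName + " / " + groupName);
        }

        // Reuse the existing role type (IdentityRoleName row) or create it.
        RoleType roleType = rm.getRoleType(roleName);
        if (roleType == null) {
            roleType = rm.createRoleType(roleName);
        }

        // This is the call that reaches JpaIdentityStore; Identity.addRole() never does.
        // Must run inside a transaction so the JPA store flushes the new relationship.
        if (!rm.hasRole(user, group, roleType)) {
            rm.createRole(roleType, user, group);
        }
    }
}

/**
 * Authenticator that loads the user's persisted roles into the session-scoped Identity,
 * so identity.hasRole("admin", "ROOT", "GROUP") afterwards reflects the database.
 */
@Named("ngoAuthenticator")
@RequestScoped
class NgoAuthenticator extends BaseAuthenticator implements Authenticator {

    @Inject Credentials credentials;
    @Inject Identity identity;
    @Inject IdentitySession identitySession;

    public void authenticate() {
        try {
            // Password verification is deliberately left out of this example: use Seam's
            // IdmAuthenticator or the PicketLink credential check, not a string compare.
            PersistenceManager pm = identitySession.getPersistenceManager();
            User user = pm.findUser(credentials.getUsername());
            if (user == null) {
                setStatus(AuthenticationStatus.FAILURE);
                return;
            }

            RoleManager rm = identitySession.getRoleManager();
            for (RoleType roleType : rm.findRoleTypes(user)) {
                Collection<Role> roles = rm.findRoles(user, roleType);
                for (Role role : roles) {
                    Group group = role.getGroup();
                    // Session-only, rebuilt from the persisted rows on every login.
                    identity.addRole(roleType.getName(), group.getName(), group.getGroupType());
                }
            }

            setUser(user);
            setStatus(AuthenticationStatus.SUCCESS);
        } catch (IdentityException e) {
            setStatus(AuthenticationStatus.FAILURE);
        }
    }
}
```

          With the rows from the description in place, the loop above would call identity.addRole("admin", "ROOT", "GROUP") and identity.addRole("admin", "USERS", "GROUP") for the user demo, which is what makes the later hasRole check true; calling Identity.addRole() from application code, as the description does, grants the role for that session only and writes nothing.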

            People

            • Assignee: meetoblivion John Ament
            • Reporter: gkar47 Bill Elliot
            • Votes: 0
            • Watchers: 2
