JBoss Community Archive (Read Only)

PicketBox

Drools Authorization

Introduction

PicketBox has a Drools-based authorization manager that decouples access control logic from your applications.

By default the manager looks for an "authorization.drl" in the classpath.

To change the name of the Drools file, call the setDroolsFile setter on the authorization manager, for example through your dependency injection framework.

Configuration

Maven Dependencies

<dependency>
    <groupId>org.picketbox</groupId>
    <artifactId>picketbox-drools</artifactId>
    <version>5.0.0-SNAPSHOT</version>
</dependency>

JEE Application

If you want to use PicketBox Drools in a JEE application, the only thing you need is to define the following configuration in your web.xml:

<context-param>
    <param-name>org.picketbox.authorization.manager</param-name>
    <param-value>Drools</param-value>
</context-param>

Make sure you have already configured your web.xml as described in the SECURITY:DelegatingSecurityFilter documentation.

CDI Applications

If you want to use PicketBox Drools in a CDI application, please take a look at the TicketMonster example.

If you are using JBoss Application Server v7, you'll need to create an AS7 module for Drools. Check the TicketMonster example documentation.

What objects are available in the Drools Knowledge Base Session?

  • PicketBoxSubject (contains the Principal, Role Names, Attributes and Context Data)

  • Java Principal

  • Resource

Example

Let us take a look at a simple authorization.drl:

package org.picketbox.drools.authorization;

import java.security.Principal;
import org.picketbox.core.authorization.Resource;

dialect "mvel"

rule "Authorize if principal == anil"
dialect "java"
no-loop
 when
  $principal : Principal( name == "anil" ) // condition
  $resource : Resource()
 then
    modify ($resource){
       setAuthorized(true)
    };
end

rule "Authorize if principal == Aladdin"
dialect "java"
no-loop
 when
  $principal : Principal( name == "Aladdin" ) // condition
  $resource : Resource()
 then
    modify ($resource){
       setAuthorized(true)
    };
end

In this example, which can easily be cleaned up or enhanced, the resource is authorized if the user is "anil" or "Aladdin".

To authorize a resource, do the following in the drl file:

modify ($resource){
   setAuthorized(true)
};
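
To confirm that an authorization.drl grants access only to the principals you intend, the rules can be evaluated outside the container. The following is an added example, not code from PicketBox or from this page; it assumes the Drools 5 knowledge API (org.drools.*) is on the classpath and that Resource exposes isAuthorized(), and the names AuthorizationRulesCheck and decide are hypothetical.

```java
// Added example, not PicketBox code. Assumes the Drools 5 knowledge API
// (org.drools.*) and an isAuthorized() accessor on Resource.
import java.security.Principal;

import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseFactory;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.io.ResourceFactory;
import org.drools.runtime.StatefulKnowledgeSession;
import org.picketbox.core.authorization.Resource;

public class AuthorizationRulesCheck {   // hypothetical class name

    private final KnowledgeBase kbase;

    public AuthorizationRulesCheck(String drlOnClasspath) {
        KnowledgeBuilder builder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        builder.add(ResourceFactory.newClassPathResource(drlOnClasspath), ResourceType.DRL);
        if (builder.hasErrors()) {
            // A rule file that does not compile must never be read as "allow".
            throw new IllegalStateException(builder.getErrors().toString());
        }
        kbase = KnowledgeBaseFactory.newKnowledgeBase();
        kbase.addKnowledgePackages(builder.getKnowledgePackages());
    }

    /** Inserts the facts the rules match on (Principal, Resource) and returns the decision. */
    public boolean decide(final String userName, Resource resource) {
        resource.setAuthorized(false);            // start every evaluation from deny
        Principal principal = new Principal() {
            public String getName() { return userName; }
        };
        StatefulKnowledgeSession session = kbase.newStatefulKnowledgeSession();
        try {
            session.insert(principal);
            session.insert(resource);
            session.fireAllRules();               // only a matching rule flips the flag
            return resource.isAuthorized();       // assumed accessor
        } finally {
            session.dispose();                    // do not leak facts between requests
        }
    }
}
```

With the authorization.drl shown above, decide("anil", resource) should return true and any name not listed in a rule should return false; pass whichever Resource implementation your application uses.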

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 12:16:22 UTC, last content change 2012-07-19 22:30:52 UTC.