I'm currently working on integration between PicketLink and Drools to provide rule-based security permissions which control access to protected application resources, similar to a feature that we had in Seam 2:

https://github.com/seam2/jboss-seam/blob/Seam_2_3/jboss-seam/src/main/java/org/jboss/seam/security/permission/RuleBasedPermissionResolver.java

The following quickstart (work in progress) is intended to demonstrate this integration:

https://github.com/picketlink/picketlink-quickstarts/tree/master/picketlink-authorization-drools

Building this quickstart first requires building the latest trunk of PicketLink locally:

https://github.com/picketlink/picketlink

What we would like is to allow the developer to define their security rules in the war project itself. Currently the quickstart defines the following kmodule.xml file in the src/main/resources/META-INF directory:

<?xml version="1.0" encoding="UTF-8"?>
<kmodule xmlns="http://jboss.org/kie/6.0.0/kmodule">
<kbase name="security" default="true">
<ksession name="ksession1" default="true"/>
</kbase>
</kmodule>

There is also a security-rules.drl file in the src/main/resources/security directory which defines the security rules.

Deployment of the quickstart yields the following errors and partial stacktrace:

18:52:56,036 INFO [org.drools.compiler.kie.builder.impl.ClasspathKieProject] (MSC service thread 1-7) Found kmodule: vfs:/content/picketlink-authorization-drools.war/WEB-INF/classes/META-INF/kmodule.xml
18:52:56,036 INFO [org.drools.compiler.kie.builder.impl.ClasspathKieProject] (MSC service thread 1-7) Virtual file physical path = /home/shane/apps/jboss/standalone/tmp/vfs/tempa9983c4071e1249/picketlink-authorization-drools.war-1c243fd87ed695cf/WEB-INF/classes
18:52:56,060 WARN [org.drools.compiler.kie.builder.impl.ClasspathKieProject] (MSC service thread 1-7) Unable to load pom.properties tried recursing down from/home/shane/apps/jboss/standalone/tmp/vfs/tempa9983c4071e1249/picketlink-authorization-drools.war-1c243fd87ed695cf/WEB-INF/classes
null
18:52:56,061 ERROR [org.drools.compiler.kie.builder.impl.ClasspathKieProject] (MSC service thread 1-7) Unable to build index of kmodule.xml url=vfs:/content/picketlink-authorization-drools.war/WEB-INF/classes/META-INF/kmodule.xml
null
18:52:56,140 ERROR [org.drools.compiler.cdi.KieCDIExtension] (MSC service thread 1-7) Annotation @KSession(ksession1) found, but no KieSessioneModel exist.
Either the required kproject.xml does not exist, was corrupted, or mising the KieBase entry
18:52:56,160 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC00001: Failed to start service jboss.deployment.unit."picketlink-authorization-drools.war".WeldService: org.jboss.msc.service.StartException in service jboss.deployment.unit."picketlink-authorization-drools.war".WeldService: org.jboss.weld.exceptions.DeploymentException: WELD-001408 Unsatisfied dependencies for type [KieSession] with qualifiers [@KSession] at injection point [[field] @Inject @KSession org.jboss.as.quickstarts.picketlink.authorization.drools.PermissionAuthorizer.kSession]
at org.jboss.as.weld.services.WeldService.start(WeldService.java:83)

Mario indicated (during a discussion on IRC) that the rules are currently expected to be deployed within a separate jar file (which is then packaged as a library in the war), however our users are likely to view this as an extraneous requirement. It would be far more convenient to allow them to create their rule definitions within the war project itself, and also be easier to promote this integration via tutorials and quickstarts.

Thanks for looking into this!