Re: Call /self API with invalid credentials
btw, the attached file doesn't work with the Syncope client (I forgot to set the contentType in the response header I think)

On Friday 15 September 2017 at 17:12:17 UTC+2, Adrian Gonzalez <adr_gonza...@yahoo.fr> wrote:

Hi Francesco,

I'll try something - not sure if next week or the one after.
In the meantime I've quickly developed this class (attached).

It really needs more polishing:
- I'd like to do a bridge to RestServiceExceptionMapper so we have a central place for error handling (but it's JAX-RS and I'm at servlet layer here).
- I'd need to add types and codes in ClientExceptionType
- I'd need to add the same customisation for syncopeAccessDeniedHandler

Thanks,
Adrian

On Friday 15 September 2017 at 15:28:56 UTC+2, Francesco Chicchiriccò <ilgro...@apache.org> wrote:

On 15/09/2017 15:17, Adrian Gonzalez wrote:

Hello,

I'm using Syncope 2.0.5.
I'm calling /self REST API with invalid credentials (with content-type: application/json.)
/self returns HTML code and not a JSON message body.

i.e.
```
curl -X GET \
  http://localhost:9080/syncope/rest/users/self \
  -H 'authorization: Basic YmVsbGluaTpiZWxsaW5pNjY1' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'postman-token: 477ebc5a-6350-4ba5-a8a2-4d6ecea31712'
```

Returns an HTML error page, i.e.

HTTP Status 401 – Unauthorized
...
Message User bellini not authenticated
Description The request has not been applied because it lacks valid authentication credentials for the target resource.
Apache Tomcat/8.5.20

Shouldn't it be valid json (since I requested json ?)
The pb is that when I use the syncope client REST API, I get:

```
2017-09-15 11:17:13.625 -ERROR [http-apr-9080-exec-6] org.apache.cxf.jaxrs.utils.JAXRSUtils : No message body reader has been found for class java.util.List, ContentType: text/html;charset=utf-8
2017-09-15 11:17:13.626 -DEBUG [http-apr-9080-exec-6] o.a.s.c.lib.RestClientExceptionMapper : Could not read org.apache.syncope.common.lib.to.ErrorTO list, attempting to read headers...
javax.ws.rs.client.ResponseProcessingException: No message body reader has been found for class java.util.List, ContentType: text/html;charset=utf-8
    at org.apache.cxf.jaxrs.impl.ResponseImpl.reportMessageHandlerProblem(ResponseImpl.java:439)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.doReadEntity(ResponseImpl.java:390)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.readEntity(ResponseImpl.java:326)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.readEntity(ResponseImpl.java:314)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.checkSyncopeClientCompositeException(RestClientExceptionMapper.java:98)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:53)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:313)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:876)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:789)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:235)
    at com.sun.proxy.$Proxy641.read(Unknown Source)
    at org.apache.syncope.client.lib.SyncopeClient.self(SyncopeClient.java:132)
```

Should we modify the org.apache.syncope.core.spring.security.SyncopeBasicAuthenticationEntryPoint ?
(not super because we'd need to handle manually XML and JSON formatting)

Hi Adrian,
your proposal makes sense but I remember (not well enough, unfortunately) that there were some related issues when attempting to change the AuthenticationEntryPoint due to some Spring Security internals.

Anyway, your contribution is more than welcome, as usual!

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Call /self API with invalid credentials
Hi Francesco,

I'll try something - not sure if next week or the one after.
In the meantime I've quickly developed this class (attached).

It really needs more polishing:
- I'd like to do a bridge to RestServiceExceptionMapper so we have a central place for error handling (but it's JAX-RS and I'm at servlet layer here).
- I'd need to add types and codes in ClientExceptionType
- I'd need to add the same customisation for syncopeAccessDeniedHandler

Thanks,
Adrian

On Friday 15 September 2017 at 15:28:56 UTC+2, Francesco Chicchiriccò <ilgro...@apache.org> wrote:

On 15/09/2017 15:17, Adrian Gonzalez wrote:

Hello,

I'm using Syncope 2.0.5.
I'm calling /self REST API with invalid credentials (with content-type: application/json.)
/self returns HTML code and not a JSON message body.

i.e.
```
curl -X GET \
  http://localhost:9080/syncope/rest/users/self \
  -H 'authorization: Basic YmVsbGluaTpiZWxsaW5pNjY1' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'postman-token: 477ebc5a-6350-4ba5-a8a2-4d6ecea31712'
```

Returns an HTML error page, i.e.

HTTP Status 401 – Unauthorized
...
Message User bellini not authenticated
Description The request has not been applied because it lacks valid authentication credentials for the target resource.
Apache Tomcat/8.5.20

Shouldn't it be valid json (since I requested json ?)

The pb is that when I use the syncope client REST API, I get:

```
2017-09-15 11:17:13.625 -ERROR [http-apr-9080-exec-6] org.apache.cxf.jaxrs.utils.JAXRSUtils : No message body reader has been found for class java.util.List, ContentType: text/html;charset=utf-8
2017-09-15 11:17:13.626 -DEBUG [http-apr-9080-exec-6] o.a.s.c.lib.RestClientExceptionMapper : Could not read org.apache.syncope.common.lib.to.ErrorTO list, attempting to read headers...
javax.ws.rs.client.ResponseProcessingException: No message body reader has been found for class java.util.List, ContentType: text/html;charset=utf-8
    at org.apache.cxf.jaxrs.impl.ResponseImpl.reportMessageHandlerProblem(ResponseImpl.java:439)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.doReadEntity(ResponseImpl.java:390)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.readEntity(ResponseImpl.java:326)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.readEntity(ResponseImpl.java:314)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.checkSyncopeClientCompositeException(RestClientExceptionMapper.java:98)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:53)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:313)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:876)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:789)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:235)
    at com.sun.proxy.$Proxy641.read(Unknown Source)
    at org.apache.syncope.client.lib.SyncopeClient.self(SyncopeClient.java:132)
```

Should we modify the org.apache.syncope.core.spring.security.SyncopeBasicAuthenticationEntryPoint ?
(not super because we'd need to handle manually XML and JSON formatting)

Hi Adrian,
your proposal makes sense but I remember (not well enough, unfortunately) that there were some related issues when attempting to change the AuthenticationEntryPoint due to some Spring Security internals.

Anyway, your contribution is more than welcome, as usual!

Regards.
--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/

```
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
import static org.springframework.http.MediaType.APPLICATION_XML_VALUE;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;

import org.apache.syncope.common.lib.to.ErrorTO;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;

import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Extend Syncope authenticationEntryPoint to handle JSON or XML exceptions.
 */
public class SyncopeBasicAuthenticationEntryPoint
        extends org.apache.syncope.core.spring.security.SyncopeBasicAuthenticationEntryPoint {

    private static final Logger LOGGER = LoggerFactory.getLogger(SyncopeBasicAuthenticationEntryPoint.class);

    private ObjectMapper objectMapper;

    private String realmName;

    private JAXBContext jc;

    // Rest of the attached class is not included in the archived message.
}
```
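An added example, not the class attached to this thread and not Syncope code: one way for a Basic-auth entry point to answer a failed login with a JSON or XML body and an explicit Content-Type instead of the container's HTML error page. The class name, the body shape (which is not Syncope's ErrorTO list) and the fallback to the request's Content-Type header are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Locale;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

/**
 * Hypothetical entry point: writes the 401 body itself, in the format the caller asked for.
 */
public class NegotiatingBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {

    // Fixed text: the exception message (which can carry the submitted username)
    // is not copied into the response body.
    private static final String MESSAGE = "Authentication failed";

    @Override
    public void commence(final HttpServletRequest request, final HttpServletResponse response,
            final AuthenticationException authException) throws IOException {

        boolean xml = wantsXml(request.getHeader("Accept"), request.getContentType());
        String body = xml
                ? "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                        + "<error><status>401</status><message>" + MESSAGE + "</message></error>"
                : "{\"status\":401,\"message\":\"" + MESSAGE + "\"}";
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);

        // setStatus rather than sendError: sendError hands the response to the
        // container's error-page mechanism, which renders text/html.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + getRealmName() + "\"");
        response.setContentType(xml ? "application/xml" : "application/json");
        response.setCharacterEncoding("UTF-8");
        response.setContentLength(bytes.length);
        response.getOutputStream().write(bytes);
    }

    /**
     * Picks XML only when the Accept header ranks it above JSON. When Accept names
     * neither (absent, or only wildcards as curl sends by default), the request's
     * own Content-Type is used as a hint, as in the curl call from the thread.
     */
    static boolean wantsXml(final String accept, final String contentType) {
        double json = 0;
        double xml = 0;
        if (accept != null) {
            for (String part : accept.split(",")) {
                String[] tokens = part.trim().split(";");
                String type = tokens[0].trim().toLowerCase(Locale.ROOT);
                double q = 1.0;
                for (int i = 1; i < tokens.length; i++) {
                    String param = tokens[i].trim().toLowerCase(Locale.ROOT);
                    if (param.startsWith("q=")) {
                        try {
                            q = Double.parseDouble(param.substring(2));
                        } catch (NumberFormatException e) {
                            q = 0; // malformed weight: treat the type as not acceptable
                        }
                    }
                }
                if ("application/json".equals(type)) {
                    json = Math.max(json, q);
                } else if ("application/xml".equals(type) || "text/xml".equals(type)) {
                    xml = Math.max(xml, q);
                }
            }
        }
        if (json == 0 && xml == 0) {
            return contentType != null && contentType.toLowerCase(Locale.ROOT).contains("xml");
        }
        return xml > json;
    }
}
```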
Call /self API with invalid credentials
Hello,

I'm using Syncope 2.0.5.
I'm calling /self REST API with invalid credentials (with content-type: application/json.)
/self returns HTML code and not a JSON message body.

i.e.
```
curl -X GET \
  http://localhost:9080/syncope/rest/users/self \
  -H 'authorization: Basic YmVsbGluaTpiZWxsaW5pNjY1' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'postman-token: 477ebc5a-6350-4ba5-a8a2-4d6ecea31712'
```

Returns an HTML error page, i.e.

HTTP Status 401 – Unauthorized
...
Message User bellini not authenticated
Description The request has not been applied because it lacks valid authentication credentials for the target resource.
Apache Tomcat/8.5.20

Shouldn't it be valid json (since I requested json ?)

The pb is that when I use the syncope client REST API, I get:

```
2017-09-15 11:17:13.625 -ERROR [http-apr-9080-exec-6] org.apache.cxf.jaxrs.utils.JAXRSUtils : No message body reader has been found for class java.util.List, ContentType: text/html;charset=utf-8
2017-09-15 11:17:13.626 -DEBUG [http-apr-9080-exec-6] o.a.s.c.lib.RestClientExceptionMapper : Could not read org.apache.syncope.common.lib.to.ErrorTO list, attempting to read headers...
javax.ws.rs.client.ResponseProcessingException: No message body reader has been found for class java.util.List, ContentType: text/html;charset=utf-8
    at org.apache.cxf.jaxrs.impl.ResponseImpl.reportMessageHandlerProblem(ResponseImpl.java:439)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.doReadEntity(ResponseImpl.java:390)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.readEntity(ResponseImpl.java:326)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.readEntity(ResponseImpl.java:314)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.checkSyncopeClientCompositeException(RestClientExceptionMapper.java:98)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:53)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:313)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:876)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:789)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:235)
    at com.sun.proxy.$Proxy641.read(Unknown Source)
    at org.apache.syncope.client.lib.SyncopeClient.self(SyncopeClient.java:132)
```

Should we modify the org.apache.syncope.core.spring.security.SyncopeBasicAuthenticationEntryPoint ?
(not super because we'd need to handle manually XML and JSON formatting)

Thanks,
Adrian
Custom user account locking and password expiration in syncope
Hello,

I'd need to implement:
- user account lockout
- password expiration

User account lockout needs to work like this:
- when user has made more than in the last , then the user-account will be temporarily locked.
  the account is automatically unlocked after this (if no failed authentication attempt has been made in between, otherwise, it's prolonged).

Password expiration needs to work like this:
- when the lastPwdChange is more than then the user needs to change his password before being able to login.

Both user account (enabled, lockoutPeriod, failedAttempts) and password expiration settings are specific for each tenant (1 user belonging to each tenant).
As tenants are dynamic, we're not using Syncope domains for that.

I can implement both of those features in my own authentication layer (a wrapper around syncope REST API).
But I'd like to know if it's possible to implement that inside syncope (perhaps it would be cleaner).

I looked at LogicActions, AccountRuleConf and creating a PasswordPolicy for each of my tenants, but I don't think it will work.
- I cannot compute the lastFailedLoginDate (i.e. to check if the account must still be locked).
- once a user is suspended, I cannot automatically reactivate it once lockoutPeriod has passed (perhaps adding a quartz job, but seems overweight).
- I don't know if the current authentication is a success or a failure (to update the lastFailedLoginDate)

Perhaps I'm missing something like pre/post authentication hooks that are able to update the current user and know the status of the current authentication ?

Thanks,
Adrian
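An added example, not from the post and not Syncope code: the lockout and password-expiry rules described above written as one decision function for a wrapper in front of the REST API. The class, the `failureWindow` and `maxPasswordAge` names, the fixed (not sliding) failure window and the values in `main` are assumptions, since the post's thresholds are not on the page.

```java
import java.time.Duration;
import java.time.Instant;

/** Hypothetical guard: decides the outcome of one login attempt and updates the user's counters. */
public final class TenantLoginGuard {

    public enum Decision { ALLOW, REJECTED, LOCKED, PASSWORD_EXPIRED }

    /** Per-tenant settings. */
    public static final class Policy {
        final boolean enabled;          // lockout switched on for this tenant
        final int failedAttempts;       // failures tolerated inside the window
        final Duration failureWindow;   // assumption: window measured from the first failure
        final Duration lockoutPeriod;
        final Duration maxPasswordAge;  // assumption: name for the expiry threshold

        public Policy(boolean enabled, int failedAttempts, Duration failureWindow,
                Duration lockoutPeriod, Duration maxPasswordAge) {
            this.enabled = enabled;
            this.failedAttempts = failedAttempts;
            this.failureWindow = failureWindow;
            this.lockoutPeriod = lockoutPeriod;
            this.maxPasswordAge = maxPasswordAge;
        }
    }

    /** Per-user state the wrapper has to persist and update atomically per user. */
    public static final class State {
        int failures;
        Instant windowStart;
        Instant lastFailedLoginDate;
        Instant lockedUntil;
        Instant lastPwdChange;
    }

    /** credentialsOk is the result of the real credential check (for example the /self call). */
    public static Decision onAttempt(Policy p, State s, boolean credentialsOk, Instant now) {
        if (p.enabled) {
            if (s.lockedUntil != null && now.isBefore(s.lockedUntil)) {
                if (!credentialsOk) {
                    // A failure during the lock prolongs it.
                    s.lastFailedLoginDate = now;
                    s.lockedUntil = now.plus(p.lockoutPeriod);
                }
                return Decision.LOCKED; // correct credentials do not lift an active lock
            }
            if (s.lockedUntil != null) {
                // Lock ran out on its own: no scheduled job needed, state is reset lazily.
                s.lockedUntil = null;
                s.failures = 0;
                s.windowStart = null;
            }
        }
        if (!credentialsOk) {
            if (s.windowStart == null || now.isAfter(s.windowStart.plus(p.failureWindow))) {
                s.windowStart = now;
                s.failures = 0;
            }
            s.failures++;
            s.lastFailedLoginDate = now;
            if (p.enabled && s.failures > p.failedAttempts) {
                s.lockedUntil = now.plus(p.lockoutPeriod);
                return Decision.LOCKED;
            }
            return Decision.REJECTED;
        }
        s.failures = 0;
        s.windowStart = null;
        if (s.lastPwdChange == null || now.isAfter(s.lastPwdChange.plus(p.maxPasswordAge))) {
            return Decision.PASSWORD_EXPIRED;
        }
        return Decision.ALLOW;
    }

    public static void main(String[] args) {
        // Constructed values: more than 3 failures in 10 minutes locks for 15 minutes.
        Policy policy = new Policy(true, 3, Duration.ofMinutes(10),
                Duration.ofMinutes(15), Duration.ofDays(90));
        State state = new State();
        Instant t0 = Instant.parse("2017-09-15T09:00:00Z");
        state.lastPwdChange = t0.minus(Duration.ofDays(30));

        for (int i = 0; i < 4; i++) {
            System.out.println(onAttempt(policy, state, false, t0.plusSeconds(i * 30L)));
        }
        // Correct password while locked, then again after the lock has run out.
        System.out.println(onAttempt(policy, state, true, t0.plus(Duration.ofMinutes(5))));
        System.out.println(onAttempt(policy, state, true, t0.plus(Duration.ofMinutes(20))));
    }
}
```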
Re: Syncope core clustering
Thanks Francesco !

I'll first try just disabling JPA cache (and save some time not doing the JMS setup) - I'd expect I'll have a performance downgrade but it should work (let's be optimistic).
If I have unexpected issues in test environment, I'll configure JMS.

Regards,
Adrian

From: Francesco Chicchiriccò <ilgro...@apache.org>
To: user@syncope.apache.org
Sent: Thursday 31 August 2017 17:59
Subject: Re: Syncope core clustering

Hi Adrian,
see my replies embedded below.
Regards.

On 31/08/2017 17:14, Adrian Gonzalez wrote:

Hello,

I read that we need to configure OpenJPA 2nd level cache in the syncope documentation https://syncope.apache.org/docs/reference-guide.html#high-availability if I want to use syncope in a cluster.

I have syncope running in the cloud (with dynamic scalability and dynamic ips), so I'll have some issues configuring with fixed ips and a fixed number of instances.
i.e.

Of course: in such cases you should be using JMS rather than TCP:
http://openjpa.apache.org/builds/2.4.2/apache-openjpa/docs/ref_guide_event.html#ref_guide_event_conf_jms

I'm only using Syncope Core (aka REST Services), not the console or end-user app.

For the moment, I didn't activate the RemoteCommitProvider settings (and hence have the sjvm), and I'm running in some NPE errors when calling /syncope/rest/users/self REST API in one instance (but on the other with exactly the same parameter, it just works).
See [1] for the stacktrace

I'd like to know if I can just disable JPA 2nd level cache (I'm only using Syncope core) or if I'm going to run in some rough issues ?

That's very likely: the 2nd level cache is what glues together the various OpenJPA instances (e.g. Syncope Core instances) in the cluster.
You might try to disable all sort of JPA caches, but there is no guarantee that things keep working.

Regards.
--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Syncope core clustering
Hello,

I read that we need to configure OpenJPA 2nd level cache in the syncope documentation https://syncope.apache.org/docs/reference-guide.html#high-availability if I want to use syncope in a cluster.

I have syncope running in the cloud (with dynamic scalability and dynamic ips), so I'll have some issues configuring with fixed ips and a fixed number of instances.
i.e.

I'm only using Syncope Core (aka REST Services), not the console or end-user app.

For the moment, I didn't activate the RemoteCommitProvider settings (and hence have the sjvm), and I'm running in some NPE errors when calling /syncope/rest/users/self REST API in one instance (but on the other with exactly the same parameter, it just works).
See [1] for the stacktrace

I'd like to know if I can just disable JPA 2nd level cache (I'm only using Syncope core) or if I'm going to run in some rough issues ?

Thanks,
Adrian

[1]
```
java.lang.NullPointerException: null
13:28:35 at org.apache.syncope.core.persistence.jpa.entity.AbstractPlainAttr$1.transform(AbstractPlainAttr.java:109) ~[syncope-core-persistence-jpa-2.0.2.jar:2.0.2]
13:28:35 at org.apache.syncope.core.persistence.jpa.entity.AbstractPlainAttr$1.transform(AbstractPlainAttr.java:105) ~[syncope-core-persistence-jpa-2.0.2.jar:2.0.2]
13:28:35 at org.apache.commons.collections4.CollectionUtils.collect(CollectionUtils.java:1077) ~[commons-collections4-4.1.jar:4.1]
13:28:35 at org.apache.commons.collections4.CollectionUtils.collect(CollectionUtils.java:1049) ~[commons-collections4-4.1.jar:4.1]
13:28:35 at org.apache.syncope.core.persistence.jpa.entity.AbstractPlainAttr.getValuesAsStrings(AbstractPlainAttr.java:105) ~[syncope-core-persistence-jpa-2.0.2.jar:2.0.2]
13:28:35 at org.apache.syncope.core.provisioning.java.data.AbstractAnyDataBinder.fillTO(AbstractAnyDataBinder.java:573) ~[syncope-core-provisioning-java-2.0.2.jar:2.0.2]
13:28:35 at org.apache.syncope.core.provisioning.java.data.UserDataBinderImpl.getUserTO(UserDataBinderImpl.java:568) ~[syncope-core-provisioning-java-2.0.2.jar:2.0.2]
13:28:35 at org.apache.syncope.core.provisioning.java.data.UserDataBinderImpl.getAuthenticatedUserTO(UserDataBinderImpl.java:135) ~[syncope-core-provisioning-java-2.0.2.jar:2.0.2]
13:28:35 at sun.reflect.GeneratedMethodAccessor483.invoke(Unknown Source) ~[?:?]
13:28:35 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_131]
13:28:35 at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_131]
13:28:35 at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333) ~[spring-aop-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190) ~[spring-aop-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99) ~[spring-tx-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282) ~[spring-tx-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96) ~[spring-tx-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at org.apache.syncope.core.persistence.jpa.spring.DomainTransactionInterceptor.invoke(DomainTransactionInterceptor.java:64) ~[syncope-core-persistence-jpa-2.0.2.jar:2.0.2]
13:28:35 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213) ~[spring-aop-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at com.sun.proxy.$Proxy192.getAuthenticatedUserTO(Unknown Source) ~[?:?]
```
Re: New blog post - Syncope Basics: Manage external DB
Hi Matteo,

Nice stuff and really clear !

Regards,
Adrian

From: Tirasa
To: user@syncope.apache.org
Sent: Wednesday 23 August 2017 9:46
Subject: New blog post - Syncope Basics: Manage external DB

Hi all,

Just to inform you that I wrote the first post of a series of tutorials about the "Syncope Basics" (Syncope Basics: Manage external DB).
It covers the first steps to install a fresh instance of Syncope from archetype, add connectors, resources and create Pull/Push tasks to make some provisioning!

Hope it could be useful for you!

Regards,
Matteo
Re: Customizing MasterDomain.xml
Thanks Francesco, that's exactly what I need !

> Any special reason to not upgrade to 2.0.4?

The little story is that we have a little locking issue during authentication in Syncope (I didn't pinpoint the cause, could be syncope or our customization or my tests :) ), when calling the /syncope/rest/users/self endpoint from a JMeter test with multiple threads (10).

Digging a bit further, I've seen 2 pbs:
a - infinite connection timeout in jdbc dataSource settings.
b - locking in db

I was working on a.
It came from the default setting (I can customize it, no pb).
But I've seen you changed the db pool in 2.0.4 and I wanted to give it a try (just for testing purposes).
Since 2.0.4 has some db changes and we already have a 2.0.2 in production but *without* any flyway migration scripts, I wanted to see if I could integrate easily the 2.0.4 db pool changes in my 2.0.2.
Hence this mail :)
And I also wanted to know if there was a way to customize the configuration in case I had a more urgent need in the future - so I know how to do it next time :)

I'm switching to work on b now.

Thanks once more, and sorry for the long and boring details :)
Adrian

From: Francesco Chicchiriccò <ilgro...@apache.org>
To: user@syncope.apache.org
Sent: Thursday 24 August 2017 9:47
Subject: Re: Customizing MasterDomain.xml

On 23/08/2017 18:18, Adrian Gonzalez wrote:

Hello,

I'm using Syncope 2.0.2.

Any special reason to not upgrade to 2.0.4?

https://cwiki.apache.org/confluence/display/SYNCOPE/Upgrade+from+2.0.2+to+2.0.3
https://cwiki.apache.org/confluence/display/SYNCOPE/Upgrade+from+2.0.3+to+2.0.4

Is there a way to customize MasterDomain.xml in syncope webapp ?
I've the impression that MasterDomain.xml is always loaded from syncope-core-persistence-jpa-*.jar#domains/MasterDomain.xml (in WEB-INF/lib), even if I add a MasterDomain.xml in WEB-INF/classes/domains

As indicated in https://syncope.apache.org/docs/reference-guide.html#customization-core (for 2.0.4, naturally), you'll need to tell Spring to load your local domains/MasterDomain.xml rather than the one included in the JAR file.

But domains/MasterDomain.xml is loaded by domains.xml, which in turn is imported by persistenceContext.xml; as a result, you'll need to add to your own project's sources:

* core/src/main/resources/persistenceContext.xml (copy from [1])
* core/src/main/resources/domains.xml (copy from [2])
* core/src/main/resources/domains/MasterDomain.xml (copy from [3])

Even so, Spring will ignore such local files if you don't replace, in core/src/main/webapp/WEB-INF/web.xml:

```
contextConfigLocation
classpath*:/*Context.xml
```

with

```
contextConfigLocation
classpath*:/coreContext.xml
classpath*:/securityContext.xml
classpath*:/logicContext.xml
classpath*:/restCXFContext.xml
classpath:/persistenceContext.xml
classpath*:/provisioning*Context.xml
classpath*:/workflow*Context.xml
```

(please note the missing '*' before persistenceContext.xml).

FYI, the starting value for contextConfigLocation is set as [4] since 2.0.4.

HTH
Regards.
[1] https://github.com/apache/syncope/blob/syncope-2.0.2/core/persistence-jpa/src/main/resources/persistenceContext.xml
[2] https://github.com/apache/syncope/blob/syncope-2.0.2/core/persistence-jpa/src/main/resources/domains.xml
[3] https://github.com/apache/syncope/blob/syncope-2.0.2/core/persistence-jpa/src/main/resources/domains/MasterDomain.xml
[4] https://github.com/apache/syncope/blob/syncope-2.0.4/fit/core-reference/src/main/webapp/WEB-INF/web.xml#L31-L37

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Customizing MasterDomain.xml
Hello,

I'm using Syncope 2.0.2.
Is there a way to customize MasterDomain.xml in syncope webapp ?

I've the impression that MasterDomain.xml is always loaded from syncope-core-persistence-jpa-*.jar#domains/MasterDomain.xml (in WEB-INF/lib), even if I add a MasterDomain.xml in WEB-INF/classes/domains

Thanks,
Adrian
Re: syncope-standalone maven artifact not available
Hi Francesco,

> Hope this clarifies.

Oh yes, thanks !

I was getting the syncope-standalone from maven (with maven dependency plugin), it worked on SNAPSHOT, not on RELEASE - my bad !
I'll switch to the syncope maven archetype.

Thanks !

From: Francesco Chicchiriccò <ilgro...@apache.org>
To: user@syncope.apache.org
Sent: Tuesday 7 February 2017 7:42
Subject: Re: syncope-standalone maven artifact not available

On 06/02/2017 19:56, Adrian Gonzalez wrote:

Hello,

I've the impression that syncope-standalone artifact is available only in SNAPSHOT repo.

It's available from here:
https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-standalone/

But not from here:
https://repo.maven.apache.org/maven2/org/apache/syncope/syncope-standalone/

Am I missing a repo ?

The release process [1] deploys to the central Maven repository only the artifacts that can be effectively used via Maven.
The standalone distribution, the Eclipse IDE Plugin, the CLI, the DEB packages and the GUI installer are instead downloadable via the ASF dist area [2], and links to ASF mirror infrastructure are provided in [3].

The SNAPSHOT repository is instead populated by our Jenkins jobs [4].

Hope this clarifies.
Regards.

[1] http://syncope.apache.org/release-process.html
[2] https://www.apache.org/dist/syncope/
[3] http://syncope.apache.org/downloads.html
[4] https://builds.apache.org/view/S-Z/view/Syncope/

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Cannot log into syncope after creating new user (latest 2.1.0-SNAPSHOT)
Thanks Marco !

From: Marco Di Sabatino Di Diodoro <marco.disabat...@tirasa.net>
To: user@syncope.apache.org
Sent: Tuesday 27 December 2016 10:59
Subject: Re: Cannot log into syncope after creating new user (latest 2.1.0-SNAPSHOT)

Hi Adrian,

On 26/12/2016 14:36, Adrian Gonzalez wrote:

Hello,

I'm using latest version from Syncope (i.e. https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-standalone/2.1.0-SNAPSHOT/syncope-standalone-2.1.0-20161224.075552-128-distribution.zip).

What I do:
* connect to syncope-console with user admin/password.
* create a user via the console (this apparently works fine - but not so - see later)
* logout
* connect with this new user credentials

I confirm your issue.

I get an Error ! 'Wrong username and/or password'

I tried Syncope 2.0.1, and this scenario works fine.

I tried with Syncope 2_0_X and I have the same issue.

When activating debugging, I see that the good password for UserTO is set on updateModel -> setPassword.
But just after that, there's a call to AjaxWizardMgtButtonBar.onSubmit which reset password back to null.
At the end of user creation, the password of the created user is null (that's why I cannot login with the newly created user).

I don't know Wicket framework, so I have a hard time finding the culprit.

Can anyone help me please ?

It seems to be a problem given by the update of Wicket from version 7.4.0 to 7.5.0. I'm reopening issue SYNCOPE-962 [1]

Regards
M

[1] https://issues.apache.org/jira/browse/SYNCOPE-962

Thanks
Adrian

--
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/
Cannot log into syncope after creating new user (latest 2.1.0-SNAPSHOT)
Hello,

I'm using latest version from Syncope (i.e. https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-standalone/2.1.0-SNAPSHOT/syncope-standalone-2.1.0-20161224.075552-128-distribution.zip).

What I do:
* connect to syncope-console with user admin/password.
* create a user via the console (this apparently works fine - but not so - see later)
* logout
* connect with this new user credentials

I get an Error ! 'Wrong username and/or password'

I tried Syncope 2.0.1, and this scenario works fine.

When activating debugging, I see that the good password for UserTO is set on updateModel -> setPassword.
But just after that, there's a call to AjaxWizardMgtButtonBar.onSubmit which reset password back to null.
At the end of user creation, the password of the created user is null (that's why I cannot login with the newly created user).

I don't know Wicket framework, so I have a hard time finding the culprit.

Can anyone help me please ?

Thanks
Adrian
Re: User case insensitive search
Hi Francesco,

Cool, I've just created SYNCOPE-971.

> the problem is that, as far as I can tell, such clauses are DBMS-dependent.

We can solve it using jpql LOWER or UPPER function, i.e. LOWER(givenName) = LOWER('Martin')

I can try to implement it, but I don't know for now if it is possible to introduce either:
* custom operator in FIQL (i.e. some eqi operator like : givenName eqi Martin)
* introduce custom functions in FIQL (i.e. uc(givenName) == uc(Martin))

Cheers,
Adrian

From: Francesco Chicchiriccò <ilgro...@apache.org>
To: user@syncope.apache.org
Sent: Monday 21 November 2016 13:25
Subject: Re: User case insensitive search

On 21/11/2016 12:59, Adrian Gonzalez wrote:

Hello,

I'd like to execute a case insensitive search in Syncope.

i.e. querying all users with an attribute givenName that matches 'martin' would return:
Martin
martin
mArtin

Is there a way to do this with a Fiql search ?
i.e. something like UPPER(givenName) = UPPER('martin') ?

If no are there other ways to do this ?
If no, I can always store givenName attribute in 2 different attributes (i.e. the real givenName attribute and a givenNameCaseInsensitive attribute to store it in lowercase), but I would like to avoid it if possible.

Hi Adrian,
I confirm that currently it is *not* possible to perform case insensitive searches.

Nevertheless, it would be a nice feature to add: essentially, one should be adding 'lowercase()' clauses to the native SQL queries manage by [1]: the problem is that, as far as I can tell, such clauses are DBMS-dependent.

Would you mind creating an improvement on JIRA for this? Naturally, contributions are welcome ;-)

Regards.

[1] https://github.com/apache/syncope/blob/2_0_X/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPAAnySearchDAO.java

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
User case insensitive search
Hello,

I'd like to execute a case insensitive search in Syncope.

i.e. querying all users with an attribute givenName that matches 'martin' would return:
Martin
martin
mArtin

Is there a way to do this with a Fiql search ?
i.e. something like UPPER(givenName) = UPPER('martin') ?

If no are there other ways to do this ?
If no, I can always store givenName attribute in 2 different attributes (i.e. the real givenName attribute and a givenNameCaseInsensitive attribute to store it in lowercase), but I would like to avoid it if possible.

Thanks,
Adrian
Re: SCIM & Syncope : OptimisticLockException on user groups membership update
http://localhost:9091/groups/fad94db3-9245-449e-994d-b39245449e

From: Francesco Chicchiriccò <ilgro...@apache.org>
To: user@syncope.apache.org
Sent: Tuesday 27 September 2016 15:20
Subject: Re: SCIM & Syncope : OptimisticLockException on user groups membership update

On 27/09/2016 15:00, Adrian Gonzalez wrote:
> Hello, We're trying to build a POC on SCIM APIs on top of Syncope.

That's very good to hear: looks it is for SC
SCIM & Syncope : OptimisticLockException on user groups membership update
Hello,

We're trying to build a POC on SCIM APIs on top of Syncope.

Problem is when we're using some basic SCIM APIs to update the groups membership of a given user, we got an OptimisticLockException.

This is due to the fact that SCIM group membership can be updated only from the Group endpoint (not from the User endpoint).

From https://tools.ietf.org/html/rfc7643#page-24

> groups
> A list of groups to which the user belongs,... Since this attribute has a mutability of "readOnly", group membership changes MUST be applied via the "Group" Resource (Section 4.2). This attribute has a mutability of "readOnly".

So, we have the following scenario :

* we have a user1 member of 2 groups (group1 and group2).
* we want to remove the user1 from both groups from a UI console.
* the UI then needs to send 2 HTTP PUT on SCIM /Groups endpoint (one for each group).
  /PUT Groups/group1
  /PUT Groups/group2
* we get an OptimisticLockException since both calls are made for a relation on the same user - because on the SCIM side for the Group endpoint, we must call userService.update(userTO) to update a user <-> group relation.

i.e.

```
MembershipTO membershipTO = new MembershipTO.Builder()
        .group(userTO.getKey(), "USER")
        .group(groupTO.getKey(), groupTO.getName())
        .build();
userTO.getMemberships().add(membershipTO);
try {
    userService.update(userTO);
} catch (SyncopeClientException e) {
    throw new SCIMException(
            String.format("User %s was not added to the group %s", userId, groupTO.getName()), e);
}
```

Is there an API to update user or group membership without testing @Version field ? (i.e like a syncope REST API on top of a jpql update ?)

Perhaps we're not using the good API here (is there an API to handle membership from the group's side ?)

Do you see another possible solution (besides updating membership from the Group side/screen) ?

Thanks,
Adrian

Sample stacktrace on client side :

```
2016-09-27 09:31:46.065 DEBUG 1 --- [tp1754926770-22] o.s.web.client.RestTemplate : PUT request for "http://scim:/Groups/2564b3a7-0f5d-424d-a4b3-a70f5d624d80" resulted in 500 (Server Error); invoking error handler
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) [jetty-server-9.2.14.v20151106.jar!/:9.2.14.v20151106]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.2.14.v20151106.jar!/:9.2.14.v20151106]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) [jetty-server-9.2.14.v20151106.jar!/:9.2.14.v20151106]
    at org.eclipse.jetty.server.Server.handle(Server.java:499) [jetty-server-9.2.14.v20151106.jar!/:9.2.14.v20151106]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311) [jetty-server-9.2.14.v20151106.jar!/:9.2.14.v20151106]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) [jetty-server-9.2.14.v20151106.jar!/:9.2.14.v20151106]
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544) [jetty-io-9.2.14.v20151106.jar!/:9.2.14.v20151106]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) [jetty-util-9.2.14.v20151106.jar!/:9.2.14.v20151106]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) [jetty-util-9.2.14.v20151106.jar!/:9.2.14.v20151106]
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_92-internal]
Caused by: org.apache.syncope.common.lib.SyncopeClientException: GenericPersistence [OptimisticLockException: An optimistic lock violation was detected when flushing object instance "org.apache.syncope.core.persistence.jpa.entity.user.JPAUPlainAttrValue-62f5f8bf-b390-4354-b5f8-bfb390a354e8" to the data store. This indicates that the object was concurrently modified in another transaction.]
    at org.apache.syncope.common.lib.SyncopeClientException.build(SyncopeClientException.java:37) ~[syncope-common-lib-2.0.0-SNAPSHOT.jar!/:2.0.0-SNAPSHOT]
    at org.apache.syncope.client.lib.RestClientExceptionMapper.checkSyncopeClientCompositeException(RestClientExceptionMapper.java:147) ~[syncope-client-lib-2.0.0-SNAPSHOT.jar!/:2.0.0-SNAPSHOT]
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:58) ~[syncope-client-lib-2.0.0-SNAPSHOT.jar!/:2.0.0-SNAPSHOT]
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42) ~[syncope-client-lib-2.0.0-SNAPSHOT.jar!/:2.0.0-SNAPSHOT]
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:306) ~[cxf-rt-rs-client-3.1.7.jar!/:3.1.7]
2016-09-27 09:31:46.068 DEBUG 1 --- [tp1754926770-22] .m.m.a.ExceptionHandlerExceptionResolver : Resolving exception from handler [public void
```
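The conflict described in this message, reproduced as an added example (not code from the thread or from Syncope): two PUT handlers read the same user, the second write carries a stale version and is rejected, and a re-read-and-retry wrapper lets it succeed while keeping the version check. `User`, `UserStore`, `StaleVersionException`, `without` and `removeWithRetry` are hypothetical in-memory stand-ins; Java 16+ is assumed for `record`.

```java
import java.util.*;

public class MembershipUpdateRetry {
    // Hypothetical stand-in for a user row guarded by a JPA-style @Version column.
    record User(String key, long version, Set<String> groups) {}
    static class StaleVersionException extends RuntimeException {}

    // In-memory store (constructed for this example): a write is accepted only
    // if it carries the version currently stored; the version is then bumped.
    static class UserStore {
        private final Map<String, User> rows = new HashMap<>();
        synchronized void insert(User u) { rows.put(u.key(), u); }
        synchronized User read(String key) { return rows.get(key); }
        synchronized void update(User changed) {
            if (rows.get(changed.key()).version() != changed.version()) throw new StaleVersionException();
            rows.put(changed.key(),
                    new User(changed.key(), changed.version() + 1, Set.copyOf(changed.groups())));
        }
    }

    // What one PUT /Groups/{group} handler does: copy the user it read, drop one group.
    static User without(User seen, String group) {
        Set<String> groups = new HashSet<>(seen.groups());
        groups.remove(group);
        return new User(seen.key(), seen.version(), groups);
    }

    // Retry wrapper: on a version conflict, re-read the user and re-apply the change.
    static int removeWithRetry(UserStore store, String userKey, String group, int maxAttempts) {
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                store.update(without(store.read(userKey), group));
                return attempt;
            } catch (StaleVersionException e) { /* changed by another request: retry on fresh state */ }
        }
        throw new IllegalStateException("still conflicting after " + maxAttempts + " attempts");
    }

    public static void main(String[] args) {
        UserStore store = new UserStore();
        store.insert(new User("user1", 0, Set.of("group1", "group2")));
        User seenByPut1 = store.read("user1"); // both handlers read version 0
        User seenByPut2 = store.read("user1");
        store.update(without(seenByPut1, "group1")); // accepted, version becomes 1
        try {
            store.update(without(seenByPut2, "group2")); // stale copy still lists group1
        } catch (StaleVersionException e) {
            System.out.println("second PUT rejected (stale version)");
        }
        int attempts = removeWithRetry(store, "user1", "group2", 3);
        System.out.println("attempts=" + attempts + " groups=" + store.read("user1").groups());
    }
}
```

Had the store accepted the stale write, user1 would have ended up back in group1, which is the lost update the version check exists to prevent.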
Re: Syncope startup performance improvements
Hi,

Just a little feedback on 2.0.0-M5 and SYNCOPE-926 :

* we've upgraded to syncope-2.0.0-SNAPSHOT (past M5) it works fine, so far so good ;)
* with the improvements made in 2.0.0-M5 and in SYNCOPE-926, we changed our startup speed from 215s to 24s.

Note that our tomcat server contains both syncope and cxf, and I also added scanClassPath="false" and startStopThreads="5" to our tomcat configuration.

Thanks once more !
Adrian

From: Francesco Chicchiriccò <ilgro...@apache.org>
To: user@syncope.apache.org
Sent: Monday 29 August 2016 18:47
Subject: Re: Syncope startup performance improvements

Hi,
your improvement looks interesting; would you mind:

1. sending an ICLA, as explained in the last paragraph from http://syncope.apache.org/contributing.html
2. opening an improvement on JIRA?

I'll take a deeper look once back at work, this Thursday.

Thanks for your contribution.
Regards.

On 29 aug 2016 16:04:50 CEST, Adrian Gonzalez <adr_gonza...@yahoo.fr> wrote:
> Hello,
> I'm using syncope 2.0.0-M4. Standalone startup takes 135s on my laptop.
> I would like to improve syncope's startup.
> I've made some experiments :
> 1. Restricting scanning on basePackages: I've changed ClassPathScanImplementationLookup to scan only some specific packages. This results in a 32s startup.
>    https://github.com/apache/syncope/pull/36
> 2. Adding startStopThreads="5" in server.xml. This results in a 26s startup.
> 3. I've also tried to set in context.xml, but no improvement.
> 4. I've further modified ClassPathScanImplementationLookup to scan a fixed list of classes. As is, this doesn't work. I would have a 20.7s startup (cumulated with change 2)
>    https://github.com/gonzalad/syncope/tree/2.0.0-M2-startup-perf2
>
> Could it be possible to incorporate first PR in syncope code (pull/36) ?
> Sorry, I made PR on 2.0.0-M4, but could make 2.0.0-SNAPSHOT work
> Are you interested in improvement #4 ? (in this case, I can spend a bit more time on it)
> Thanks,
> Adrian

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation: member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF Committer, OpenJPA Committer
http://home.apache.org/~ilgrosso/
Re: Syncope startup performance improvements
Hi Francesco,

I've signed the ICLA (sent you in pm), and created issue https://issues.apache.org/jira/browse/SYNCOPE-926

Thanks for considering the fix !
Adrian

From: Francesco Chicchiriccò <ilgro...@apache.org>
To: user@syncope.apache.org
Sent: Monday 29 August 2016 18:47
Subject: Re: Syncope startup performance improvements

Hi,
your improvement looks interesting; would you mind:

1. sending an ICLA, as explained in the last paragraph from http://syncope.apache.org/contributing.html
2. opening an improvement on JIRA?

I'll take a deeper look once back at work, this Thursday.

Thanks for your contribution.
Regards.

On 29 aug 2016 16:04:50 CEST, Adrian Gonzalez <adr_gonza...@yahoo.fr> wrote:
> Hello,
> I'm using syncope 2.0.0-M4. Standalone startup takes 135s on my laptop.
> I would like to improve syncope's startup.
> I've made some experiments :
> 1. Restricting scanning on basePackages: I've changed ClassPathScanImplementationLookup to scan only some specific packages. This results in a 32s startup.
>    https://github.com/apache/syncope/pull/36
> 2. Adding startStopThreads="5" in server.xml. This results in a 26s startup.
> 3. I've also tried to set in context.xml, but no improvement.
> 4. I've further modified ClassPathScanImplementationLookup to scan a fixed list of classes. As is, this doesn't work. I would have a 20.7s startup (cumulated with change 2)
>    https://github.com/gonzalad/syncope/tree/2.0.0-M2-startup-perf2
>
> Could it be possible to incorporate first PR in syncope code (pull/36) ?
> Sorry, I made PR on 2.0.0-M4, but could make 2.0.0-SNAPSHOT work
> Are you interested in improvement #4 ? (in this case, I can spend a bit more time on it)
> Thanks,
> Adrian

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation: member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF Committer, OpenJPA Committer
http://home.apache.org/~ilgrosso/
Syncope startup performance improvements
Hello,

I'm using syncope 2.0.0-M4. Standalone startup takes 135s on my laptop.

I would like to improve syncope's startup.

I've made some experiments :

1. Restricting scanning on basePackages: I've changed ClassPathScanImplementationLookup to scan only some specific packages. This results in a 32s startup.
   https://github.com/apache/syncope/pull/36
2. Adding startStopThreads="5" in server.xml. This results in a 26s startup.
3. I've also tried to set in context.xml, but no improvement.
4. I've further modified ClassPathScanImplementationLookup to scan a fixed list of classes. As is, this doesn't work. I would have a 20.7s startup (cumulated with change 2)
   https://github.com/gonzalad/syncope/tree/2.0.0-M2-startup-perf2

Could it be possible to incorporate first PR in syncope code (pull/36) ?
Sorry, I made PR on 2.0.0-M4, but could make 2.0.0-SNAPSHOT work

Are you interested in improvement #4 ? (in this case, I can spend a bit more time on it)

Thanks,
Adrian
Role search where key in ids
Hello,

Is there a way to search roles by keys ? i.e. 'select * from Roles where key in (1,2,3,4)'

I found syncopeClient.getService(RoleService.class).list(), but this returns all syncope roles.

Thanks,
Adrian
Re: Authorisation with Syncope 2.x
Hi Fabio,

I was thinking about creating my own apps (let's say PhotoGalleryApp).

With a service like :

```
@PreAuthorize("hasRole('photo.read')")
public Photo find(Long id) {
    // ..bla
}

@PreAuthorize("hasRole('photo.update')")
public Photo update(Photo photo) {
    // ..bla
}
```

This is really a basic sample (it won't be Cruds only).
How can I customize Syncope in order to have photo.read and photo.update for instance ?

Moreover, I'm not at ease if customisation requires code modification for each new entitlement since I'm gonna have a lot of apps.

Thanks for your insights,
Adrian

From: Fabio Martelli <fabio.marte...@gmail.com>
To: user@syncope.apache.org
Sent: Tuesday 12 July 2016 12:03
Subject: Re: Authorisation with Syncope 2.x

On 11/07/2016 16:27, Adrian Gonzalez wrote:
> Hello,
> Sorry once more :(

Hi Adrian, do not apologize. Thank you, instead. Reporting and interaction in public ML is always welcome.
See below for my comments.

Best regards,
F.

> I would like to use Syncope in my app (using Spring Security) for user authentication and authorisation.
> I would like to know if mapping GrantedAuthority to Syncope's role is the way to go ?
> I'm a bit lost, since there's also the notion of entitlements and groups.
> In fact, when I look into syncope's code, I see :
>
>     @PreAuthorize("hasRole('" + StandardEntitlement.ROLE_CREATE + "')")
>     public RoleTO create(final RoleTO roleTO) {
>
> So I would say I should use entitlements and not roles.

You have to use the entitlements. You can assign entitlements to a user by assigning them to a role and a role to the user: the user owning that role will own those entitlements. This is the standard for Apache Syncope.
Therefore you can think to add your own authorization method for some customizations. Please, if you will do in this way do it carefully.

> But entitlement appears to be fixed (in StandardEntitlement class) and for syncope 'internal' use [1] and [2] (aka checking if user has right to perform an action on syncope - and not checking if user has right to perform action on whatever application).

Exactly! BTW you can perform some customization in order to extend the set of entitlements in order to use them to authorize access to some custom rest methods provided for your specific aims. This customization is not simple but feasible if strongly required.

> Thanks,
> Adrian
>
> P.S. Using Syncope 2.0.0-M2
>
> [1] http://syncope-user.1051894.n5.nabble.com/Entitlements-how-do-we-create-change-these-tp5707009p5707010.html
> entitlements are not meant to be extended: their primary purpose is to define security constraints on RESTful methods.
> [2] https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization

--
Fabio Martelli
Tirasa - Open Source Excellence
http://www.tirasa.net/
Apache Syncope PMC
http://people.apache.org/~fmartelli/
Custom attributes for roles in syncope 2.x
Hello,

I would like to know if there's a way to define custom attributes for roles (such as for User and Groups).

I'm using syncope 2.0.0.M2.

Thanks,
Adrian