Re: Call /self API with invalid credentials

2017-09-15 Thread Adrian Gonzalez
 btw, the attached file doesn't work with the Syncope client (I forgot to set 
the contentType in the response header I think)
On Friday, 15 September 2017 at 17:12:17 UTC+2, Adrian Gonzalez <adr_gonza...@yahoo.fr> wrote:
 
  Hi Francesco,
I'll try something - not sure if next week or the one after.
In the meantime I've quickly developed this class (attached).
It really needs more polishing:
 - I'd like to do a bridge to RestServiceExceptionMapper so we have a central place for error handling (but it's JAX-RS and I'm at servlet layer here).
 - I'd need to add types and codes in ClientExceptionType
 - I'd need to add the same customisation for syncopeAccessDeniedHandler
Thanks,
Adrian
On Friday, 15 September 2017 at 15:28:56 UTC+2, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
 
  On 15/09/2017 15:17, Adrian Gonzalez wrote:
  
  Hello,
  I'm using Syncope 2.0.5. I'm calling /self REST API with invalid credentials (with content-type: application/json). /self returns HTML code and not a JSON message body.
  i.e.
  ```
  curl -X GET \
    http://localhost:9080/syncope/rest/users/self \
    -H 'authorization: Basic YmVsbGluaTpiZWxsaW5pNjY1' \
    -H 'cache-control: no-cache' \
    -H 'content-type: application/json' \
    -H 'postman-token: 477ebc5a-6350-4ba5-a8a2-4d6ecea31712'
  ```

  Returns an HTML error page, i.e.:
  HTTP Status 401 – Unauthorized...
  Message User bellini not authenticated
  Description The request has not been applied because it lacks valid authentication credentials for the target resource.
  Apache Tomcat/8.5.20
  Shouldn't it be valid json (since I requested json ?)
  The pb is that when I use the syncope client REST API, I get:
  ```
  2017-09-15 11:17:13.625 -ERROR [http-apr-9080-exec-6] org.apache.cxf.jaxrs.utils.JAXRSUtils    : No message body reader has been found for class java.util.List, ContentType: text/html;charset=utf-8
  2017-09-15 11:17:13.626 -DEBUG [http-apr-9080-exec-6] o.a.s.c.lib.RestClientExceptionMapper    : Could not read org.apache.syncope.common.lib.to.ErrorTO list, attempting to read headers...
  javax.ws.rs.client.ResponseProcessingException: No message body reader has been found for class java.util.List, ContentType: text/html;charset=utf-8
    at org.apache.cxf.jaxrs.impl.ResponseImpl.reportMessageHandlerProblem(ResponseImpl.java:439)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.doReadEntity(ResponseImpl.java:390)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.readEntity(ResponseImpl.java:326)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.readEntity(ResponseImpl.java:314)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.checkSyncopeClientCompositeException(RestClientExceptionMapper.java:98)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:53)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:313)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:876)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:789)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:235)
    at com.sun.proxy.$Proxy641.read(Unknown Source)
    at org.apache.syncope.client.lib.SyncopeClient.self(SyncopeClient.java:132)
  ```
  Should we modify the org.apache.syncope.core.spring.security.SyncopeBasicAuthenticationEntryPoint ? (not super because we'd need to handle manually XML and JSON formatting)
 
 Hi Adrian,
 your proposal makes sense but I remember (not well enough, unfortunately) that 
there were some related issues when attempting to change the 
AuthenticationEntryPoint due to some Spring Security internals.
 
 Anyway, your contribution is more than welcome, as usual!
 
 Regards.
 -- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/ 

Re: Call /self API with invalid credentials

2017-09-15 Thread Adrian Gonzalez
 Hi Francesco,
I'll try something - not sure if next week or the one after.
In the meantime I've quickly developed this class (attached).
It really needs more polishing:
 - I'd like to do a bridge to RestServiceExceptionMapper so we have a central place for error handling (but it's JAX-RS and I'm at servlet layer here).
 - I'd need to add types and codes in ClientExceptionType
 - I'd need to add the same customisation for syncopeAccessDeniedHandler
Thanks,
Adrian
On Friday, 15 September 2017 at 15:28:56 UTC+2, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
 
  On 15/09/2017 15:17, Adrian Gonzalez wrote:
  
  Hello,
  I'm using Syncope 2.0.5. I'm calling /self REST API with invalid credentials (with content-type: application/json). /self returns HTML code and not a JSON message body.
  i.e.
  ```
  curl -X GET \
    http://localhost:9080/syncope/rest/users/self \
    -H 'authorization: Basic YmVsbGluaTpiZWxsaW5pNjY1' \
    -H 'cache-control: no-cache' \
    -H 'content-type: application/json' \
    -H 'postman-token: 477ebc5a-6350-4ba5-a8a2-4d6ecea31712'
  ```

  Returns an HTML error page, i.e.:
  HTTP Status 401 – Unauthorized...
  Message User bellini not authenticated
  Description The request has not been applied because it lacks valid authentication credentials for the target resource.
  Apache Tomcat/8.5.20
  Shouldn't it be valid json (since I requested json ?)
  The pb is that when I use the syncope client REST API, I get:
  ```
  2017-09-15 11:17:13.625 -ERROR [http-apr-9080-exec-6] org.apache.cxf.jaxrs.utils.JAXRSUtils    : No message body reader has been found for class java.util.List, ContentType: text/html;charset=utf-8
  2017-09-15 11:17:13.626 -DEBUG [http-apr-9080-exec-6] o.a.s.c.lib.RestClientExceptionMapper    : Could not read org.apache.syncope.common.lib.to.ErrorTO list, attempting to read headers...
  javax.ws.rs.client.ResponseProcessingException: No message body reader has been found for class java.util.List, ContentType: text/html;charset=utf-8
    at org.apache.cxf.jaxrs.impl.ResponseImpl.reportMessageHandlerProblem(ResponseImpl.java:439)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.doReadEntity(ResponseImpl.java:390)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.readEntity(ResponseImpl.java:326)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.readEntity(ResponseImpl.java:314)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.checkSyncopeClientCompositeException(RestClientExceptionMapper.java:98)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:53)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:313)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:876)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:789)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:235)
    at com.sun.proxy.$Proxy641.read(Unknown Source)
    at org.apache.syncope.client.lib.SyncopeClient.self(SyncopeClient.java:132)
  ```
  Should we modify the org.apache.syncope.core.spring.security.SyncopeBasicAuthenticationEntryPoint ? (not super because we'd need to handle manually XML and JSON formatting)
 
 Hi Adrian,
 your proposal makes sense but I remember (not well enough, unfortunately) that 
there were some related issues when attempting to change the 
AuthenticationEntryPoint due to some Spring Security internals.
 
 Anyway, your contribution is more than welcome, as usual!
 
 Regards.
 -- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/   

```java
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
import static org.springframework.http.MediaType.APPLICATION_XML_VALUE;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;

import org.apache.syncope.common.lib.to.ErrorTO;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;

import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Extend Syncope authenticationEntryPoint to handle JSON or XML exceptions.
 */
public class SyncopeBasicAuthenticationEntryPoint
        extends org.apache.syncope.core.spring.security.SyncopeBasicAuthenticationEntryPoint {

    private static final Logger LOGGER = LoggerFactory.getLogger(SyncopeBasicAuthenticationEntryPoint.class);

    // Jackson mapper, for the JSON form of the error body
    private ObjectMapper objectMapper;

    // Realm name of the Basic authentication challenge
    private String realmName;

    // JAXB context, for the XML form of the error body
    private JAXBContext jc;

    // (the attached class is cut off at this point in the archive)
}
```
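
One way to return a structured 401 body at the servlet layer, as an added example that is neither the attached class nor Syncope's own code: it calls `setStatus` instead of `sendError`, so the container's HTML error page is never rendered. The class name, the body fields and the fallback from `Accept` to `Content-Type` are assumptions, and the body is not Syncope's `ErrorTO` format.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Hypothetical entry point: answers a failed authentication with a JSON or XML
 * body that matches what the client asked for.
 */
public class StructuredAuthenticationEntryPoint implements AuthenticationEntryPoint {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Generic text on purpose: the exception message can contain the submitted
    // username ("User bellini not authenticated" in the thread), which should
    // not be echoed back to an unauthenticated caller.
    private static final String MESSAGE = "Authentication required";

    private final String realmName;

    public StructuredAuthenticationEntryPoint(String realmName) {
        this.realmName = realmName;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException {

        // Keep the Basic challenge so HTTP clients still know how to authenticate.
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");

        // setStatus, not sendError: sendError hands the response to the container's
        // error-page handling, which is where an HTML body comes from.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setCharacterEncoding(StandardCharsets.UTF_8.name());

        if (wantsXml(request)) {
            response.setContentType("application/xml");
            // MESSAGE is a constant, so no XML escaping is needed here.
            response.getWriter().write(
                    "<error><status>401</status><message>" + MESSAGE + "</message></error>");
        } else {
            response.setContentType("application/json");
            Map<String, Object> body = new LinkedHashMap<>();
            body.put("status", HttpServletResponse.SC_UNAUTHORIZED);
            body.put("message", MESSAGE);
            // Jackson performs the JSON encoding of every value.
            MAPPER.writeValue(response.getWriter(), body);
        }
    }

    /**
     * Simplified negotiation (no q-values): use Accept when it names a concrete
     * type, otherwise fall back to the request Content-Type, because the curl
     * call in the thread only sent "content-type: application/json".
     * JSON is the default.
     */
    static boolean wantsXml(HttpServletRequest request) {
        String accept = request.getHeader("Accept");
        boolean acceptIsUseful = accept != null
                && !accept.trim().isEmpty()
                && !accept.contains("*/*");
        String hint = acceptIsUseful ? accept : request.getContentType();
        if (hint == null) {
            return false;
        }
        String lower = hint.toLowerCase(Locale.ROOT);
        return lower.contains("xml") && !lower.contains("json");
    }
}
```

A client that must deserialize the error, such as the Syncope client in the log above, additionally needs the body in the shape it expects, which this example does not attempt.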


Call /self API with invalid credentials

2017-09-15 Thread Adrian Gonzalez
Hello,
I'm using Syncope 2.0.5. I'm calling /self REST API with invalid credentials (with content-type: application/json). /self returns HTML code and not a JSON message body.
i.e.
```
curl -X GET \
  http://localhost:9080/syncope/rest/users/self \
  -H 'authorization: Basic YmVsbGluaTpiZWxsaW5pNjY1' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'postman-token: 477ebc5a-6350-4ba5-a8a2-4d6ecea31712'
```

Returns an HTML error page, i.e.:
HTTP Status 401 – Unauthorized...
Message User bellini not authenticated
Description The request has not been applied because it lacks valid authentication credentials for the target resource.
Apache Tomcat/8.5.20
Shouldn't it be valid json (since I requested json ?)
The pb is that when I use the syncope client REST API, I get:
```
2017-09-15 11:17:13.625 -ERROR [http-apr-9080-exec-6] org.apache.cxf.jaxrs.utils.JAXRSUtils    : No message body reader has been found for class java.util.List, ContentType: text/html;charset=utf-8
2017-09-15 11:17:13.626 -DEBUG [http-apr-9080-exec-6] o.a.s.c.lib.RestClientExceptionMapper    : Could not read org.apache.syncope.common.lib.to.ErrorTO list, attempting to read headers...
javax.ws.rs.client.ResponseProcessingException: No message body reader has been found for class java.util.List, ContentType: text/html;charset=utf-8
  at org.apache.cxf.jaxrs.impl.ResponseImpl.reportMessageHandlerProblem(ResponseImpl.java:439)
  at org.apache.cxf.jaxrs.impl.ResponseImpl.doReadEntity(ResponseImpl.java:390)
  at org.apache.cxf.jaxrs.impl.ResponseImpl.readEntity(ResponseImpl.java:326)
  at org.apache.cxf.jaxrs.impl.ResponseImpl.readEntity(ResponseImpl.java:314)
  at org.apache.syncope.client.lib.RestClientExceptionMapper.checkSyncopeClientCompositeException(RestClientExceptionMapper.java:98)
  at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:53)
  at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
  at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:313)
  at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:876)
  at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:789)
  at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:235)
  at com.sun.proxy.$Proxy641.read(Unknown Source)
  at org.apache.syncope.client.lib.SyncopeClient.self(SyncopeClient.java:132)
```
Should we modify the org.apache.syncope.core.spring.security.SyncopeBasicAuthenticationEntryPoint ? (not super because we'd need to handle manually XML and JSON formatting)
Thanks,
Adrian


Custom user account locking and password expiration in syncope

2017-09-11 Thread Adrian Gonzalez
Hello,
I'd need to implement:
 - user account lockout
 - password expiration
User account lockout needs to work like this:
 - when user has made more than  in the last , then the user-account will be temporarily locked. The account is automatically unlocked after this  (if no failed authentication attempt has been made in between, otherwise, it's prolongated).
Password expiration needs to work like this:
 - when the lastPwdChange is more than  then the user needs to change his password before being able to login.
Both user account (enabled, lockoutPeriod, failedAttempts) and password expiration settings are specific for each tenant (1 user belonging to each tenant)
As tenants are dynamic, we're not using Syncope domains for that.
I can implement both of those feature in my own authentication layer (a wrapper around syncope REST API).
But I'd like to know if it's possible to implement that inside syncope (perhaps it would be cleaner).
I looked at LogicActions, AccountRuleConf and creating a PasswordPolicy for each of my tenants, but I don't think it will work.
 - I cannot compute the lastFailedLoginDate (i.e. to check if the account must still be locked).
 - once a user is suspended, I cannot automatically reactivate it once lockoutPeriod has passed (perhaps adding a quartz job, but seems overweight).
 - I don't know if the current authentication is a success or a failure (to update the lastFailedLoginDate)
Perhaps I'm missing something like pre/post authentication hooks that are able to update the current user and know the status of the current authentication ?
Thanks,
Adrian
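
The lockout and expiration rules described in this post, written as logic for the wrapper layer the post mentions (an added example, not part of the original message and not Syncope code). All class, field and parameter names are hypothetical, and the settings in `main` are constructed values.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;

/** Hypothetical per-tenant policy: temporary lockout plus password expiration. */
public class TenantLoginPolicy {

    public enum Outcome { AUTHENTICATED, REJECTED, LOCKED, PASSWORD_EXPIRED }

    /** Per-user state that has to be persisted between attempts. */
    public static final class AccountState {
        final Deque<Instant> recentFailures = new ArrayDeque<>();
        Instant lockedUntil;      // null while the account is not locked
        Instant lastPwdChange;

        AccountState(Instant lastPwdChange) {
            this.lastPwdChange = lastPwdChange;
        }
    }

    private final int maxFailedAttempts;   // assumed name for the failure threshold
    private final Duration failureWindow;  // assumed name for the counting window
    private final Duration lockoutPeriod;
    private final Duration maxPasswordAge; // assumed name for the expiration age

    public TenantLoginPolicy(int maxFailedAttempts, Duration failureWindow,
            Duration lockoutPeriod, Duration maxPasswordAge) {
        this.maxFailedAttempts = maxFailedAttempts;
        this.failureWindow = failureWindow;
        this.lockoutPeriod = lockoutPeriod;
        this.maxPasswordAge = maxPasswordAge;
    }

    /**
     * Post-authentication hook: credentialsValid is the result of the real
     * credential check. The caller must apply the state change atomically per
     * user, otherwise parallel attempts can slip past the counter.
     */
    public Outcome onAttempt(AccountState state, boolean credentialsValid, Instant now) {
        boolean locked = state.lockedUntil != null && now.isBefore(state.lockedUntil);
        if (locked) {
            if (!credentialsValid) {
                // A failure during the lock restarts the lockout period.
                state.lockedUntil = now.plus(lockoutPeriod);
            }
            // Valid credentials do not lift the lock early.
            return Outcome.LOCKED;
        }
        // The lock (if any) has elapsed: unlocking happens lazily on the next
        // attempt, so no scheduled job is needed.
        state.lockedUntil = null;

        if (!credentialsValid) {
            state.recentFailures.addLast(now);
            Instant cutoff = now.minus(failureWindow);
            while (!state.recentFailures.isEmpty()
                    && state.recentFailures.peekFirst().isBefore(cutoff)) {
                state.recentFailures.removeFirst();
            }
            if (state.recentFailures.size() > maxFailedAttempts) {
                state.lockedUntil = now.plus(lockoutPeriod);
                state.recentFailures.clear();
                return Outcome.LOCKED;
            }
            return Outcome.REJECTED;
        }

        state.recentFailures.clear();
        if (state.lastPwdChange.plus(maxPasswordAge).isBefore(now)) {
            return Outcome.PASSWORD_EXPIRED;
        }
        return Outcome.AUTHENTICATED;
    }

    public static void main(String[] args) {
        // Constructed tenant settings and timeline, for illustration only.
        TenantLoginPolicy policy = new TenantLoginPolicy(
                3, Duration.ofMinutes(10), Duration.ofMinutes(15), Duration.ofDays(90));
        Instant t0 = Instant.parse("2017-09-11T10:00:00Z");
        AccountState user = new AccountState(t0.minus(Duration.ofDays(30)));

        // Four failed attempts in a row, one second apart.
        for (int i = 0; i < 4; i++) {
            System.out.println(policy.onAttempt(user, false, t0.plusSeconds(i)));
        }
        // A valid login while the lock is active, then one after it has elapsed.
        System.out.println(policy.onAttempt(user, true, t0.plus(Duration.ofMinutes(5))));
        System.out.println(policy.onAttempt(user, true, t0.plus(Duration.ofMinutes(20))));
    }
}
```

Answering `LOCKED` and `REJECTED` with the same response to the client avoids telling an unauthenticated caller which accounts exist or are currently locked.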

Re: Syncope core clustering

2017-08-31 Thread Adrian Gonzalez
Thanks Francesco !
I'll first try just disabling JPA cache (and save some time not doing the JMS setup) - I'd expect I'll have a performance downgrade but it should work (let's be optimistic).
If I have unexpected issues in test environment, I'll configure JMS.
Regards,
Adrian

  From: Francesco Chicchiriccò <ilgro...@apache.org>
 To: user@syncope.apache.org
 Sent: Thursday, 31 August 2017 17:59
 Subject: Re: Syncope core clustering
   
 Hi Adrian,
 see my replies embedded below.
 
 Regards.
 
 On 31/08/2017 17:14, Adrian Gonzalez wrote:
  
  Hello, 
  I read that we need to configure OpenJPA 2nd level cache in the syncope 
documentation 
https://syncope.apache.org/docs/reference-guide.html#high-availability if I 
want to use syncope in a cluster.
  
  I have syncope running in the cloud (with dynamic scalability and dynamic 
ips), so I'll have some issues configuring with fixed ips and a fixed number of 
instances. i.e.   
 
 Of course: in such cases you should be using JMS rather than TCP:
 
http://openjpa.apache.org/builds/2.4.2/apache-openjpa/docs/ref_guide_event.html#ref_guide_event_conf_jms
 
 
  I'm only using Syncope Core (aka REST Services), not the console or end-user 
app. 
  For the moment, I didn't activate the RemoteCommitProvider settings (and 
hence have the sjvm), and I'm running in some NPE errors when calling 
/syncope/rest/users/self REST API in one instance (but on the other with 
exactly the same parameter, it just works). See [1] for the stacktrace 
  I'd like to know if I can just disable JPA 2nd level cache (I'm only using 
Syncope core) or if I'm going to run in some rough issues ? 
NONE
   
 
 That's very likely: the 2nd level cache is what glues together the various 
OpenJPA instances (e.g. Syncope Core instances) in the cluster.
 
 You might try to disable all sort of JPA caches, but there is no guarantee 
that things keep working.
 
 Regards.
 -- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/ 

   

Syncope core clustering

2017-08-31 Thread Adrian Gonzalez
Hello,
I read that we need to configure OpenJPA 2nd level cache in the syncope documentation https://syncope.apache.org/docs/reference-guide.html#high-availability if I want to use syncope in a cluster.

I have syncope running in the cloud (with dynamic scalability and dynamic ips), so I'll have some issues configuring with fixed ips and a fixed number of instances.
i.e.
I'm only using Syncope Core (aka REST Services), not the console or end-user app.
For the moment, I didn't activate the RemoteCommitProvider settings (and hence have the sjvm), and I'm running in some NPE errors when calling /syncope/rest/users/self REST API in one instance (but on the other with exactly the same parameter, it just works).
See [1] for the stacktrace
I'd like to know if I can just disable JPA 2nd level cache (I'm only using Syncope core) or if I'm going to run in some rough issues ?
NONE

Thanks,
Adrian

[1]
```
java.lang.NullPointerException: null
13:28:35 at org.apache.syncope.core.persistence.jpa.entity.AbstractPlainAttr$1.transform(AbstractPlainAttr.java:109) ~[syncope-core-persistence-jpa-2.0.2.jar:2.0.2]
13:28:35 at org.apache.syncope.core.persistence.jpa.entity.AbstractPlainAttr$1.transform(AbstractPlainAttr.java:105) ~[syncope-core-persistence-jpa-2.0.2.jar:2.0.2]
13:28:35 at org.apache.commons.collections4.CollectionUtils.collect(CollectionUtils.java:1077) ~[commons-collections4-4.1.jar:4.1]
13:28:35 at org.apache.commons.collections4.CollectionUtils.collect(CollectionUtils.java:1049) ~[commons-collections4-4.1.jar:4.1]
13:28:35 at org.apache.syncope.core.persistence.jpa.entity.AbstractPlainAttr.getValuesAsStrings(AbstractPlainAttr.java:105) ~[syncope-core-persistence-jpa-2.0.2.jar:2.0.2]
13:28:35 at org.apache.syncope.core.provisioning.java.data.AbstractAnyDataBinder.fillTO(AbstractAnyDataBinder.java:573) ~[syncope-core-provisioning-java-2.0.2.jar:2.0.2]
13:28:35 at org.apache.syncope.core.provisioning.java.data.UserDataBinderImpl.getUserTO(UserDataBinderImpl.java:568) ~[syncope-core-provisioning-java-2.0.2.jar:2.0.2]
13:28:35 at org.apache.syncope.core.provisioning.java.data.UserDataBinderImpl.getAuthenticatedUserTO(UserDataBinderImpl.java:135) ~[syncope-core-provisioning-java-2.0.2.jar:2.0.2]
13:28:35 at sun.reflect.GeneratedMethodAccessor483.invoke(Unknown Source) ~[?:?]
13:28:35 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_131]
13:28:35 at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_131]
13:28:35 at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333) ~[spring-aop-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190) ~[spring-aop-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99) ~[spring-tx-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282) ~[spring-tx-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96) ~[spring-tx-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at org.apache.syncope.core.persistence.jpa.spring.DomainTransactionInterceptor.invoke(DomainTransactionInterceptor.java:64) ~[syncope-core-persistence-jpa-2.0.2.jar:2.0.2]
13:28:35 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213) ~[spring-aop-4.3.6.RELEASE.jar:4.3.6.RELEASE]
13:28:35 at com.sun.proxy.$Proxy192.getAuthenticatedUserTO(Unknown Source) ~[?:?]
```



Re: New blog post - Syncope Basics: Manage external DB

2017-08-24 Thread Adrian Gonzalez
Hi Matteo,
Nice stuff and really clear !
Regards,
Adrian

  From: Tirasa
 To: user@syncope.apache.org
 Sent: Wednesday, 23 August 2017 9:46
 Subject: New blog post - Syncope Basics: Manage external DB
   
  Hi all,
 
 Just to inform you that I wrote the first post of a series of tutorials about 
the "Syncope Basics" (Syncope Basics: Manage external DB).
 It covers the first steps to install a fresh instance of Syncope from 
archetype, add connectors, resources and create Pull/Push tasks to make some 
provisioning!
 
 Hope it could be useful for you!
 Regards,
 Matteo
  

   

Re: Customizing MasterDomain.xml

2017-08-24 Thread Adrian Gonzalez
Thanks Francesco, that's exactly what I need !
> Any special reason to not upgrade to 2.0.4?
The little story is that we have a little locking issue during authentication in Syncope (I didn't pinpoint the cause, could be syncope or our customization or my tests :) ), when calling the /syncope/rest/users/self endpoint from a JMeter test with multiple threads (10).
Digging a bit further, I've seen 2 pbs:
a - infinite connection timeout in jdbc dataSource settings.
b - locking in db
I was working on a.
It came from the default setting (I can customize it, no pb).
But I've seen you changed the db pool in 2.0.4 and I wanted to give it a try (just for testing purposes).
Since 2.0.4 has some db changes and we already have a 2.0.2 in production but *without* any flyway migration scripts, I wanted to see if I could integrate easily the 2.0.4 db pool changes in my 2.0.2.
Hence this mail :)
And I also wanted to know if there was a way to customize the configuration in case I had a more urgent need in the future - so I know how to do it next time :)
I'm switching to work on b now.
Thanks once more, and sorry for the long and boring details :)
Adrian

  From: Francesco Chicchiriccò <ilgro...@apache.org>
 To: user@syncope.apache.org
 Sent: Thursday, 24 August 2017 9:47
 Subject: Re: Customizing MasterDomain.xml
   
 On 23/08/2017 18:18, Adrian Gonzalez wrote:
  
  Hello, 
  I'm using Syncope 2.0.2.  
 
 Any special reason to not upgrade to 2.0.4?
 
https://cwiki.apache.org/confluence/display/SYNCOPE/Upgrade+from+2.0.2+to+2.0.3
https://cwiki.apache.org/confluence/display/SYNCOPE/Upgrade+from+2.0.3+to+2.0.4
 
 
  Is there a way to customize MasterDomain.xml in syncope webapp ? 
  I've the impression that MasterDomain.xml is always loaded from 
syncope-core-persistence-jpa-*.jar#domains/MasterDomain.xml (in WEB-INF/lib), 
even if I add a  MasterDomain.xml in WEB-INF/classes/domains  
 
 As indicated in
 
https://syncope.apache.org/docs/reference-guide.html#customization-core
 
 (for 2.0.4, naturally), you'll need to tell Spring to load your local 
domains/MasterDomain.xml rather than the one included in the JAR file.
 
 But domains/MasterDomain.xml is loaded by domains.xml, which in turn is 
imported by persistenceContext.xml; as a result, you'll need to add to your own 
project's sources:
 
 * core/src/main/resources/persistenceContext.xml (copy from [1])
 * core/src/main/resources/domains.xml (copy from [2])
 * core/src/main/resources/domains/MasterDomain.xml (copy from [3])
 
 Even so, Spring will ignore such local files if you don't replace, in 
core/src/main/webapp/WEB-INF/web.xml:
 
   <context-param>
     <param-name>contextConfigLocation</param-name>
     <param-value>
       classpath*:/*Context.xml
     </param-value>
   </context-param>
 
 with
 
   <context-param>
     <param-name>contextConfigLocation</param-name>
     <param-value>
       classpath*:/coreContext.xml
       classpath*:/securityContext.xml
       classpath*:/logicContext.xml
       classpath*:/restCXFContext.xml
       classpath:/persistenceContext.xml
       classpath*:/provisioning*Context.xml
       classpath*:/workflow*Context.xml
     </param-value>
   </context-param>
 
 (please note the missing '*' before persistenceContext.xml).
 
 FYI, the starting value for contextConfigLocation is set as [4] since 2.0.4.
 
 HTH
 Regards.
 
 
[1]https://github.com/apache/syncope/blob/syncope-2.0.2/core/persistence-jpa/src/main/resources/persistenceContext.xml
 
[2]https://github.com/apache/syncope/blob/syncope-2.0.2/core/persistence-jpa/src/main/resources/domains.xml
 
[3]https://github.com/apache/syncope/blob/syncope-2.0.2/core/persistence-jpa/src/main/resources/domains/MasterDomain.xml
 
[4]https://github.com/apache/syncope/blob/syncope-2.0.4/fit/core-reference/src/main/webapp/WEB-INF/web.xml#L31-L37
 -- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/ 

   

Customizing MasterDomain.xml

2017-08-23 Thread Adrian Gonzalez
Hello,
I'm using Syncope 2.0.2.
Is there a way to customize MasterDomain.xml in syncope webapp ?
I've the impression that MasterDomain.xml is always loaded from syncope-core-persistence-jpa-*.jar#domains/MasterDomain.xml (in WEB-INF/lib), even if I add a MasterDomain.xml in WEB-INF/classes/domains
Thanks,
Adrian

Re: syncope-standalone maven artifact not available

2017-02-07 Thread Adrian Gonzalez
Hi Francesco,
> Hope this clarifies.
Oh yes, thanks !
I was getting the syncope-standalone from maven (with maven dependency plugin), it worked on SNAPSHOT, not on RELEASE - my bad !
I'll switch to the syncope maven archetype.
Thanks !

  From: Francesco Chicchiriccò <ilgro...@apache.org>
 To: user@syncope.apache.org
 Sent: Tuesday, 7 February 2017 7:42
 Subject: Re: syncope-standalone maven artifact not available
   
 On 06/02/2017 19:56, Adrian Gonzalez wrote:
  
  Hello, 
  I've the impression that syncope-standalone artifact is available only in 
SNAPSHOT repo. 
  It's available from here : 
https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-standalone/
  
  But not from here: 
https://repo.maven.apache.org/maven2/org/apache/syncope/syncope-standalone/
 
  Am I missing a repo ?  
 
 The release process [1] deploys to the central Maven repository only the 
artifacts that can be effectively used via Maven.
 
 The standalone distribution, the Eclipse IDE Plugin, the CLI, the DEB packages 
and the GUI installer are instead downloadable via the ASF dist area [2], and 
links to ASF mirror infrastructure are provided in [3].
 
 The SNAPSHOT repository is instead populated by our Jenkins jobs [4].
 
 Hope this clarifies.
 Regards.
 
 [1] http://syncope.apache.org/release-process.html
 [2] https://www.apache.org/dist/syncope/
 [3] http://syncope.apache.org/downloads.html
 [4] https://builds.apache.org/view/S-Z/view/Syncope/
 -- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/ 

   

Re: Cannot log into syncope after creating new user (latest 2.1.0-SNAPSHOT)

2016-12-27 Thread Adrian Gonzalez
Thanks Marco !

  From: Marco Di Sabatino Di Diodoro <marco.disabat...@tirasa.net>
 To: user@syncope.apache.org
 Sent: Tuesday, 27 December 2016 10:59
 Subject: Re: Cannot log into syncope after creating new user (latest 2.1.0-SNAPSHOT)
   
 Hi Adrian,
  
 On 26/12/2016 14:36, Adrian Gonzalez wrote:
  
  Hello, 
  I'm using latest version from Syncope (i.e. 
https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-standalone/2.1.0-SNAPSHOT/syncope-standalone-2.1.0-20161224.075552-128-distribution.zip).
 
  What I do:
  * connect to syncope-console with user admin/password.
  * create a user via the console (this apparently works fine - but not so - see later)
  * logout
  * connect with this new user credentials
 I confirm your issue. 
 
  
  I get an Error ! 'Wrong username and/or password' 
  I tried Syncope 2.0.1, and this scenario works fine.  
 I tried with Syncope 2_0_X and I have the same issue.
 
  
  When activating debugging, I see that the good password for UserTO is set on 
updateModel -> setPassword. But just after that, there's a call to 
AjaxWizardMgtButtonBar.onSubmit which reset password back to null. At the end 
of user creation, the password of the created user is null (that's why I cannot 
login with the newly created user). 
  I don't know Wicket framework, so I have a hard time finding the culprit. 
  Can anyone help me please ?  
 It seems to be a problem given by the update of Wicket from version 7.4.0 to 
7.5.0.
 I'm reopening issue SYNCOPE-962 [1]
 
 Regards
 M
 
 [1]https://issues.apache.org/jira/browse/SYNCOPE-962
 
  
  
  Thanks Adrian  
 
 -- 
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 085973
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/ 

   

Cannot log into syncope after creating new user (latest 2.1.0-SNAPSHOT)

2016-12-26 Thread Adrian Gonzalez
Hello,
I'm using latest version from Syncope (i.e. 
https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-standalone/2.1.0-SNAPSHOT/syncope-standalone-2.1.0-20161224.075552-128-distribution.zip).
What I do:
 * connect to syncope-console with user admin/password.
 * create a user via the console (this apparently works fine - but not so - see later)
 * logout
 * connect with this new user credentials
I get an Error ! 'Wrong username and/or password'
I tried Syncope 2.0.1, and this scenario works fine.
When activating debugging, I see that the good password for UserTO is set on updateModel -> setPassword.
But just after that, there's a call to AjaxWizardMgtButtonBar.onSubmit which reset password back to null.
At the end of user creation, the password of the created user is null (that's why I cannot login with the newly created user).
I don't know Wicket framework, so I have a hard time finding the culprit.
Can anyone help me please ?
Thanks
Adrian

Re: User case insensitive search

2016-11-21 Thread Adrian Gonzalez
Hi Francesco,
Cool, I've just created SYNCOPE-971.
> the problem is that, as far as I can tell, such clauses are DBMS-dependent.
We can solve it using jpql LOWER or UPPER function, i.e.
LOWER(givenName) = LOWER('Martin')

I can try to implement it, but I don't know for now if it is possible to introduce either:
 * custom operator in FIQL (i.e. some eqi operator like: givenName eqi Martin)
 * introduce custom functions in FIQL (i.e. uc(givenName) == uc(Martin))
Cheers,
Adrian

  From: Francesco Chicchiriccò <ilgro...@apache.org>
 To: user@syncope.apache.org
 Sent: Monday, 21 November 2016 13:25
 Subject: Re: User case insensitive search
  


 On 21/11/2016 12:59, Adrian Gonzalez wrote:
  
  Hello, 
  I'd like to execute a case insensitive search in Syncope. 
  i.e. querying all users with an attribute givenName that matches  'martin' 
would return : Martin martin mArtin 
  Is there a way to do this with a Fiql search ? i.e. something like 
UPPER(givenName) = UPPER('martin') ? 
  If no are there other ways to do this ? If no, I can always store givenName 
attribute in 2 different attributes (i.e. the real givenName attribute and a 
givenNameCaseInsensitive attribute to store it in lowercase), but I would like 
to avoid it if possible.  
 
 Hi Adrian,
 I confirm that currently it is *not* possible to perform case insensitive 
searches.
 
 Nevertheless, it would be a nice feature to add: essentially, one should be 
adding 'lowercase()' clauses to the native SQL queries managed by [1]: the 
problem is that, as far as I can tell, such clauses are DBMS-dependent.
 
 Would you mind creating an improvement on JIRA for this?
 Naturally, contributions are welcome ;-)
 
 Regards.
 
 
[1]https://github.com/apache/syncope/blob/2_0_X/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPAAnySearchDAO.java
 -- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/ 

   

User case insensitive search

2016-11-21 Thread Adrian Gonzalez
Hello,
I'd like to execute a case insensitive search in Syncope.
i.e. querying all users with an attribute givenName that matches 'martin' 
would return:
 * Martin
 * martin
 * mArtin
Is there a way to do this with a Fiql search? i.e. something like 
UPPER(givenName) = UPPER('martin') ?
If no, are there other ways to do this? If no, I can always store givenName 
attribute in 2 different attributes (i.e. the real givenName attribute and a 
givenNameCaseInsensitive attribute to store it in lowercase), but I would like 
to avoid it if possible.
Thanks,
Adrian

Re: SCIM & Syncope : OptimisticLockException on user groups membership update

2016-09-27 Thread Adrian Gonzalez
cxf-rt-transports-http-3.1.7.jar:3.1.7]
    at 
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
 ~[cxf-rt-transports-http-3.1.7.jar:3.1.7]
    at 
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
 ~[cxf-rt-transports-http-3.1.7.jar:3.1.7]
    at 
org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180)
 ~[cxf-rt-transports-http-3.1.7.jar:3.1.7]
    at 
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:299)
 ~[cxf-rt-transports-http-3.1.7.jar:3.1.7]
    at 
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
 ~[cxf-rt-transports-http-3.1.7.jar:3.1.7]
    at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
 ~[catalina.jar:8.0.35]
    at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
 ~[catalina.jar:8.0.35]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) 
~[tomcat-websocket.jar:8.0.35]
    at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
 ~[catalina.jar:8.0.35]
    at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
 ~[catalina.jar:8.0.35]
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
 ~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
    at 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
 ~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
    at 
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
 ~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
 ~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
    at 
org.apache.syncope.core.spring.security.MustChangePasswordFilter.doFilter(MustChangePasswordFilter.java:77)
 ~[syncope-core-spring-2.0.0-SNAPSHOT.jar:2.0.0-SNAPSHOT]
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
 ~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
    at 
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:115)
 ~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
 ~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
    at 
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
 ~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
 ~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
    at 
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
 ~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
 ~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
    at 
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169)
 ~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
 ~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
.doFilter(RequestCacheAwareFilter.java:63) 
~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
 ~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
    at 
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:215)
 ~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]
    at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
 ~[spring-web-4.3.2.RELEASE.jar:4.3.2.RELEASE]
    at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
 
~[spring-security-web-4.1.3.RELEASE.jar:4.1.3.RELEASE]

http://localhost:9091/groups/fad94db3-9245-449e-994d-b39245449e


  From: Francesco Chicchiriccò <ilgro...@apache.org>
 To: user@syncope.apache.org 
 Sent: Tuesday 27 September 2016 15:20
 Subject: Re: SCIM & Syncope : OptimisticLockException on user groups membership update
   
 On 27/09/2016 15:00, Adrian Gonzalez wrote:
  
  Hello, 
  We're trying to build a POC on SCIM APIs on top of Syncope.  
 
 That's very good to hear: looks it is for SC

SCIM & Syncope : OptimisticLockException on user groups membership update

2016-09-27 Thread Adrian Gonzalez
Hello,
We're trying to build a POC on SCIM APIs on top of Syncope.
Problem is when we're using some basic SCIM APIs to update the groups 
membership of a given user, we got an OptimisticLockException.
This is due to the fact that SCIM group membership can be updated only from the 
Group endpoint (not from the User endpoint).
From https://tools.ietf.org/html/rfc7643#page-24 :

    groups
    A list of groups to which the user belongs,...
    Since this attribute has a mutability of "readOnly", group membership changes 
    MUST be applied via the "Group" Resource (Section 4.2).  This attribute has a 
    mutability of "readOnly".

So, we have the following scenario:
 * we have a user1 member of 2 groups (group1 and group2).
 * we want to remove the user1 from both groups from a UI console.
 * the UI then needs to send 2 HTTP PUT on SCIM /Groups endpoint (one for each 
   group).
    /PUT Groups/group1
    /PUT Groups/group2
 * we get an OptimisticLockException since both calls are made for a relation on 
   the same user - because on the SCIM side for the Group endpoint, we must call 
   userService.update(userTO) to update a user <-> group relation.

i.e.
    MembershipTO membershipTO =
        new MembershipTO.Builder().group(userTO.getKey(), "USER").group(groupTO.getKey(), groupTO.getName()).build();
    userTO.getMemberships().add(membershipTO);
    try {
        userService.update(userTO);
    } catch (SyncopeClientException e) {
        throw new SCIMException(String.format("User %s was not added to the group %s", userId, groupTO.getName()), e);
    }

Is there an API to update user or group membership without testing @Version 
field ? (i.e. like a syncope REST API on top of a jpql update ?) 
Perhaps we're not using the good API here (is there an API to handle membership 
from the group's side ?)
Do you see another possible solution (besides updating membership from the 
Group side/screen) ?
Thanks,
Adrian

Sample stacktrace on client side :
2016-09-27 09:31:46.065 DEBUG 1 --- [tp1754926770-22] o.s.web.client.RestTemplate  : PUT request for 
"http://scim:/Groups/2564b3a7-0f5d-424d-a4b3-a70f5d624d80" resulted in 500 
(Server Error); invoking error handler
 at 
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
 [jetty-server-9.2.14.v20151106.jar!/:9.2.14.v20151106]
 at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) 
[jetty-server-9.2.14.v20151106.jar!/:9.2.14.v20151106]
 at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) 
[jetty-server-9.2.14.v20151106.jar!/:9.2.14.v20151106]
 at org.eclipse.jetty.server.Server.handle(Server.java:499) 
[jetty-server-9.2.14.v20151106.jar!/:9.2.14.v20151106]
 at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311) 
[jetty-server-9.2.14.v20151106.jar!/:9.2.14.v20151106]
 at 
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) 
[jetty-server-9.2.14.v20151106.jar!/:9.2.14.v20151106]
 at 
org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544) 
[jetty-io-9.2.14.v20151106.jar!/:9.2.14.v20151106]
 at 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
 [jetty-util-9.2.14.v20151106.jar!/:9.2.14.v20151106]
 at 
org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) 
[jetty-util-9.2.14.v20151106.jar!/:9.2.14.v20151106]
 at java.lang.Thread.run(Thread.java:745) [na:1.8.0_92-internal]
 Caused by: org.apache.syncope.common.lib.SyncopeClientException: 
GenericPersistence [OptimisticLockException: An optimistic lock violation was 
detected when flushing object instance 
"org.apache.syncope.core.persistence.jpa.entity.user.JPAUPlainAttrValue-62f5f8bf-b390-4354-b5f8-bfb390a354e8"
 to the data store.  This indicates that the object was concurrently modified 
in another transaction.]
 at 
org.apache.syncope.common.lib.SyncopeClientException.build(SyncopeClientException.java:37)
 ~[syncope-common-lib-2.0.0-SNAPSHOT.jar!/:2.0.0-SNAPSHOT]
 at 
org.apache.syncope.client.lib.RestClientExceptionMapper.checkSyncopeClientCompositeException(RestClientExceptionMapper.java:147)
 ~[syncope-client-lib-2.0.0-SNAPSHOT.jar!/:2.0.0-SNAPSHOT]
 at 
org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:58)
 ~[syncope-client-lib-2.0.0-SNAPSHOT.jar!/:2.0.0-SNAPSHOT]
 at 
org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
 ~[syncope-client-lib-2.0.0-SNAPSHOT.jar!/:2.0.0-SNAPSHOT]
 at 
org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:306)
 ~[cxf-rt-rs-client-3.1.7.jar!/:3.1.7]
2016-09-27 09:31:46.068 DEBUG 1 --- [tp1754926770-22] 
.m.m.a.ExceptionHandlerExceptionResolver : Resolving exception from handler 
[public void 
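
The conflict in the scenario above, reduced to a stand-alone model (an added example, not code from the thread or from Syncope; needs Java 16 or later). `User`, `UserStore` and `StaleVersionException` are hypothetical stand-ins for the versioned entity, the persistence layer and OptimisticLockException; the block shows why the version check rejects the second PUT and how re-reading before a retry keeps both removals.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.function.UnaryOperator;

/** Constructed model; none of these types are Syncope classes. */
public class MembershipUpdateDemo {
    /** Snapshot of a user; version plays the role of the JPA @Version field. */
    record User(String key, long version, Set<String> groups) { }

    /** Hypothetical stand-in for OptimisticLockException. */
    static class StaleVersionException extends RuntimeException {
        StaleVersionException(String msg) { super(msg); }
    }

    /** In-memory store that rejects a write built from an outdated snapshot. */
    static class UserStore {
        private User current;
        UserStore(User initial) { current = initial; }
        synchronized User read() { return current; }

        synchronized User update(User changed) {
            if (changed.version() != current.version()) {
                throw new StaleVersionException("write based on version " + changed.version()
                        + " but store is at " + current.version());
            }
            current = new User(changed.key(), current.version() + 1, Set.copyOf(changed.groups()));
            return current;
        }
    }

    /** Re-reads the user and re-applies the change when the write loses the race. */
    static User updateWithRetry(UserStore store, UnaryOperator<Set<String>> change, int maxAttempts) {
        for (int attempt = 1; ; attempt++) {
            User snapshot = store.read();
            Set<String> groups = change.apply(new HashSet<>(snapshot.groups()));
            try {
                return store.update(new User(snapshot.key(), snapshot.version(), groups));
            } catch (StaleVersionException e) {
                if (attempt >= maxAttempts) {
                    throw e; // give up and surface the conflict
                }
            }
        }
    }

    public static void main(String[] args) {
        UserStore store = new UserStore(new User("user1", 0, Set.of("group1", "group2")));

        // Both PUT handlers read the same snapshot (version 0) before either writes.
        User seenByPut1 = store.read();
        User seenByPut2 = store.read();
        store.update(new User("user1", seenByPut1.version(), Set.of("group2"))); // drops group1
        try {
            // Accepting this stale write would silently put the user back into group1.
            store.update(new User("user1", seenByPut2.version(), Set.of("group1")));
        } catch (StaleVersionException e) {
            System.out.println("second PUT rejected: " + e.getMessage());
        }

        // A retry works from a fresh read, so only group2 is removed.
        User result = updateWithRetry(store, g -> { g.remove("group2"); return g; }, 3);
        System.out.println(result.version() + " " + result.groups());
    }
}
```

Skipping the version check instead of retrying would let the stale write win, so a membership removed by one call could reappear after the other.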

Re: Syncope startup performance improvements

2016-09-07 Thread Adrian Gonzalez
Hi,

Just a little feedback on 2.0.0-M5 and SYNCOPE-926 :
 * we've upgraded to syncope-2.0.0-SNAPSHOT (past M5) it works fine, so far so 
good ;)
 * with the improvements made in 2.0.0-M5 and in SYNCOPE-926, we changed our 
startup speed from 215s to 24s.
    Note that our tomcat server contains both syncope and cxf, and I also added 
scanClassPath="false" and startStopThreads="5" to our tomcat configuration.

Thanks once more !
Adrian

  From: Francesco Chicchiriccò <ilgro...@apache.org>
 To: user@syncope.apache.org 
 Sent: Monday 29 August 2016 18:47
 Subject: Re: Syncope startup performance improvements
   
Hi,
your improvement looks interesting; would you mind:

1. sending an ICLA, as explained in the last paragraph from

http://syncope.apache.org/contributing.html

2. opening an improvement on JIRA?

I'll take a deeper look once back at work, this Thursday.

Thanks for your contribution.
Regards.

On 29 aug 2016 16:04:50 CEST, Adrian Gonzalez <adr_gonza...@yahoo.fr> wrote:
>Hello,
>I'm using syncope 2.0.0-M4.Standalone startup takes 135s on my laptop.
>I would like to improve syncope's startup.
>I've made some experimentations :
>1. Restricting scanning on basePackages    I've changed
>ClassPathScanImplementationLookup to scan only some specific
>packages.    This results in a 32s startup.
>    https://github.com/apache/syncope/pull/36
>
>2. Adding startStopThreads="5" in server.xml    This results in a 26s
>startup.
>3. I've also tried to set  in
>context.xml, but no improvement.
>4. I've further modified ClassPathScanImplementationLookup to scan a
>fixed list of classes.   As is, this doesn't work.   I would have a
>20.7s startup (cumulated with change 2)  
>https://github.com/gonzalad/syncope/tree/2.0.0-M2-startup-perf2
>
>
>Could it be possible to incorporate first PR in syncope code (pull/36)
>? Sorry, I made PR on 2.0.0-M4, but could make 2.0.0-SNAPSHOT work 
>Are you interested in improvement #4 ? (in this case, I can spend a bit
>more time on it)
>Thanks,
>Adrian


-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC,
CXF Committer, OpenJPA Committer
http://home.apache.org/~ilgrosso/

   

Re: Syncope startup performance improvements

2016-08-30 Thread Adrian Gonzalez
Hi Francesco,
I've signed the ICLA (sent you in pm), and created issue 
https://issues.apache.org/jira/browse/SYNCOPE-926
Thanks for considering the fix !
Adrian

  From: Francesco Chicchiriccò <ilgro...@apache.org>
 To: user@syncope.apache.org 
 Sent: Monday 29 August 2016 18:47
 Subject: Re: Syncope startup performance improvements
   
Hi,
your improvement looks interesting; would you mind:

1. sending an ICLA, as explained in the last paragraph from

http://syncope.apache.org/contributing.html

2. opening an improvement on JIRA?

I'll take a deeper look once back at work, this Thursday.

Thanks for your contribution.
Regards.

On 29 aug 2016 16:04:50 CEST, Adrian Gonzalez <adr_gonza...@yahoo.fr> wrote:
>Hello,
>I'm using syncope 2.0.0-M4.Standalone startup takes 135s on my laptop.
>I would like to improve syncope's startup.
>I've made some experimentations :
>1. Restricting scanning on basePackages    I've changed
>ClassPathScanImplementationLookup to scan only some specific
>packages.    This results in a 32s startup.
>    https://github.com/apache/syncope/pull/36
>
>2. Adding startStopThreads="5" in server.xml    This results in a 26s
>startup.
>3. I've also tried to set  in
>context.xml, but no improvement.
>4. I've further modified ClassPathScanImplementationLookup to scan a
>fixed list of classes.   As is, this doesn't work.   I would have a
>20.7s startup (cumulated with change 2)  
>https://github.com/gonzalad/syncope/tree/2.0.0-M2-startup-perf2
>
>
>Could it be possible to incorporate first PR in syncope code (pull/36)
>? Sorry, I made PR on 2.0.0-M4, but could make 2.0.0-SNAPSHOT work 
>Are you interested in improvement #4 ? (in this case, I can spend a bit
>more time on it)
>Thanks,
>Adrian


-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC,
CXF Committer, OpenJPA Committer
http://home.apache.org/~ilgrosso/

   

Syncope startup performance improvements

2016-08-29 Thread Adrian Gonzalez
Hello,
I'm using syncope 2.0.0-M4. Standalone startup takes 135s on my laptop.
I would like to improve syncope's startup.
I've made some experimentations :
1. Restricting scanning on basePackages
    I've changed ClassPathScanImplementationLookup to scan only some specific 
    packages.
    This results in a 32s startup.
    https://github.com/apache/syncope/pull/36

2. Adding startStopThreads="5" in server.xml
    This results in a 26s startup.
3. I've also tried to set  in context.xml, 
but no improvement.
4. I've further modified ClassPathScanImplementationLookup to scan a fixed list 
of classes.
    As is, this doesn't work.
    I would have a 20.7s startup (cumulated with change 2)
    https://github.com/gonzalad/syncope/tree/2.0.0-M2-startup-perf2


Could it be possible to incorporate first PR in syncope code (pull/36) ? Sorry, 
I made PR on 2.0.0-M4, but could make 2.0.0-SNAPSHOT work 
Are you interested in improvement #4 ? (in this case, I can spend a bit more 
time on it)
Thanks,
Adrian


Role search where key in ids

2016-07-15 Thread Adrian Gonzalez
Hello,
Is there a way to search roles by keys ? 
i.e. 'select * from Roles where key in (1,2,3,4)'
I found syncopeClient.getService(RoleService.class).list(), but this returns 
all syncope roles.
Thanks,
Adrian


Re: Authorisation with Syncope 2.x

2016-07-12 Thread Adrian Gonzalez
Hi Fabio,
I was thinking about creating my own apps (let's say PhotoGalleryApp).
With a service like :
    @PreAuthorize("hasRole('photo.read')")
    public Photo find(Long id) {
        ..bla
    }
    @PreAuthorize("hasRole('photo.update')")
    public Photo update(Photo photo) {
        ..bla
    }
}

This is really a basic sample (it won't be Cruds only).
How can I customize Syncope in order to have photo.read and photo.update for 
instance ?
Moreover, I'm not at ease if customisation requires code modification for each 
new entitlement since I'm gonna have a lot of apps.
Thanks for your insights,
Adrian

  From: Fabio Martelli <fabio.marte...@gmail.com>
 To: user@syncope.apache.org 
 Sent: Tuesday 12 July 2016 12:03
 Subject: Re: Authorisation with Syncope 2.x
   
 On 11/07/2016 16:27, Adrian Gonzalez wrote:
  
  Hello, Sorry once more :(
   
 Hi Adrian, do not apologize.
 Thank you, instead. Reporting and interaction in public ML is always welcome.
 See below for my comments.
 
 Best regards, 
 F.
 
 
  
  I would like to use Syncope in my app (using Spring Security) for user 
authentication and authorisation. 
 I would like to know if mapping GrantedAuthority to Syncope's role is the way 
to go ? I'm a bit lost, since there's also the notion of entitlements and 
groups. 
  In fact, when I look into syncope's code, I see :
     @PreAuthorize("hasRole('" + StandardEntitlement.ROLE_CREATE + "')")
     public RoleTO create(final RoleTO roleTO) {
  So I would say I should use entitlements and not roles.  
 
 You have to use the entitlements.
 You can assign entitlements to a user by assigning them to a role and a role 
to the user: the user owning that role will own those entitlements.
 
 This is the standard for Apache Syncope.
 Therefore you can think of adding your own authorization method for some 
customizations. Please, if you do it this way, do it carefully.
 
 
  But entitlement appears to be fixed (in StandardEntitlement class) and for 
syncope 'internal' use [1] and [2] (aka checking if user has right to perform 
an action on syncope - and not checking if user has right to perform action on 
whatever application).  
 
 Exactly! BTW you can perform some customization in order to extend the set of 
entitlements in order to use them to authorize access to some custom rest 
methods provided for your specific aims.
 
 This customization is not simple but feasible if strongly required.
 
 
  
  Thanks, Adrian 
  P.S. Using Syncope 2.0.0-M2 
  [1] 
http://syncope-user.1051894.n5.nabble.com/Entitlements-how-do-we-create-change-these-tp5707009p5707010.html
 entitlements are not meant to be extended: their primary purpose is to 
define security constraints on RESTful methods. 
  [2] 
https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization
   
 
 
 -- 
Fabio Martelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

Apache Syncope PMC
http://people.apache.org/~fmartelli/ 
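
How the role-to-entitlement model described above could feed Spring Security in an application of your own, as an added example that is not code from the thread or from Syncope: the role names, the `ROLE_ENTITLEMENTS` map, the user name and the class name are constructed, and spring-security-core is assumed on the classpath. It also shows that `hasRole` applies a default `ROLE_` prefix, which `hasAuthority` does not.

```java
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/** Added illustration; role and entitlement names are constructed sample data. */
public class EntitlementAuthorities {

    /** Role -> entitlements it carries (constructed, not read from a real server). */
    static final Map<String, Set<String>> ROLE_ENTITLEMENTS = Map.of(
            "PhotoViewer", Set.of("photo.read"),
            "PhotoEditor", Set.of("photo.read", "photo.update"));

    /** Flattens the user's roles into one authority per distinct entitlement. */
    static Set<GrantedAuthority> authoritiesFor(Collection<String> userRoles) {
        Set<String> entitlements = new TreeSet<>();
        for (String role : userRoles) {
            // A role missing from the mapping grants nothing rather than failing open.
            entitlements.addAll(ROLE_ENTITLEMENTS.getOrDefault(role, Set.of()));
        }
        Set<GrantedAuthority> authorities = new LinkedHashSet<>();
        for (String entitlement : entitlements) {
            authorities.add(new SimpleGrantedAuthority(entitlement));
        }
        return authorities;
    }

    public static void main(String[] args) {
        Authentication auth = new UsernamePasswordAuthenticationToken(
                "user1", "n/a", authoritiesFor(List.of("PhotoViewer")));
        // Same expression root that backs @PreAuthorize, instantiated directly.
        SecurityExpressionRoot root = new SecurityExpressionRoot(auth) { };

        // hasAuthority() compares the entitlement name as-is.
        System.out.println("hasAuthority photo.read:   " + root.hasAuthority("photo.read"));
        System.out.println("hasAuthority photo.update: " + root.hasAuthority("photo.update"));

        // hasRole() prepends the default "ROLE_" prefix, so it looks for "ROLE_photo.read".
        System.out.println("hasRole, default prefix:   " + root.hasRole("photo.read"));

        // With an empty prefix hasRole() compares the plain entitlement name again.
        root.setDefaultRolePrefix("");
        System.out.println("hasRole, empty prefix:     " + root.hasRole("photo.read"));
    }
}
```

In an application's own `@PreAuthorize` expressions, `hasAuthority('photo.read')` matches these authorities without any prefix configuration.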

  

Custom attributes for roles in syncope 2.x

2016-07-11 Thread Adrian Gonzalez
Hello,
I would like to know if there's a way to define custom attributes for roles 
(such as for User and Groups).
I'm using syncope 2.0.0.M2.
Thanks,
Adrian