Hi Jeffery,
that´s in any case very cool to do this fluxTooling! ;-)
I checked out your GitHub project fluxtest and I may have found the bug
(in Turbine).
The issue is that the Turbine service class
org.apache.turbine.services.security.DefaultSecurityService
implementing
org.apache.turbine.services.security.SecurityService requires as user
model org.apache.turbine.om.security.User (=User).
On the other side the Fulcrum implementation of the grant method uses a
method (update) (defined in
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity)
seems to expect as contract fulcrum user object, but also
TorqueAbstractSecurityEntity, which is implemented by the
Turbineuser om
class by extending the appropriate baseClass
org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineUser
in
the schema (= TurbineUser).
How to match this? It WOULD be possible to retrieve the backing
TurbineUser object from the User with the getUserDelegate() method.
But the interface TurbineUserDelegate is not part of the contract of
turbine.om.security.User (though DefaultUserImpl DOES implement
TurbineUserDelegate) this is somewhat hidden in the SecurityService (a
cast would be required later on).
The easiest and most transparent solution would be (in my view), that
org.apache.turbine.om.security.User interface extends
TurbineUserDelegate
and that at one point the delegate is called (as the TurbineUser OM
class
does implement Fulcrum TurbineUser, which implements Fulcrum User this
would be no problem. We have to call getUserDelegate before the
modelManager grant method is called, i.e. in
DefaultSecurityService). No
other changes seem to be needed .. I'll create an issue in TRB JIRA as
soon as possible..
As a result you may have to use the Torque mapper for now, cft. your
action FluxUserAction, cft. the github patch
(https://github.com/jlpainter/turbine-flux/pull/1, you might just
review
the changes).
I posted a copy to the dev list, where the discussion might continue
...
Best regards, Georg
Von: Jeffery Painter <[email protected]>
An: [email protected]
Datum: 18.11.2017 00:43
Betreff: Re: Problem with grant and revoke user roles in
turbine-4
I gave it one last shot, but I am still having trouble with casting the
user object. The security service seems to only want to give me the
wrapper version and I cannot cast it to anything that the removeUser()
method likes....
maybe you can take a look at the following method.
Here is my logging output.
2017-11-17 18:32:39,818 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction - getUser()
type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
2017-11-17 18:32:41,105 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction -
o.a.t.o.s.User type:
org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
2017-11-17 18:32:42,598 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction -
o.a.f.s.m.t.e.TurbineUser type:
org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
2017-11-17 18:33:06,031 [http-nio-8080-exec-4] ERROR
org.apache.turbine.flux.modules.actions.user.FluxUserAction - Could not
remove user: org.apache.fulcrum.security.util.UnknownEntityException:
Could not find User/Group/Role
and the method call I am trying to use to delete the user...
/**
* ActionEvent responsible for removing a user from the Tambora
system.
*/
public void doDelete(PipelineData pipelineData, Context context)
throws Exception {
try {
RunData data = getRunData(pipelineData);
String username =
data.getParameters().getString("username");
if (!StringUtils.isEmpty(username)) {
if (security.accountExists(username)) {
// this is always returning the wrapper
version of
our user
User user1 = security.getUser(username);
log.debug("getUser() type: " +
user1.getClass().getTypeName().toString() );
// same and does not work
User user2 =
(org.apache.turbine.om.security.User)
security.getUser(username);
log.debug("o.a.t.o.s.User type: " +
user2.getClass().getTypeName().toString() );
// no change - and you cannot use the interface
class as a parameter to the removeUser method
org.apache.fulcrum.security.model.turbine.entity.TurbineUser user3 =
(org.apache.fulcrum.security.model.turbine.entity.TurbineUser)
security.getUser(username);
log.debug("o.a.f.s.m.t.e.TurbineUser type: " +
user3.getClass().getTypeName().toString() );
// Tried using reflection to cast and still
doesn't
work
org.apache.turbine.om.security.User forceUser =
org.apache.turbine.om.security.User.class.cast(
security.getUser(username) );
log.debug("o.a.t.o.s.User type: " +
forceUser.getClass().getTypeName().toString() );
//security.revokeAll(user);
// remove user does the revokeAll above...
security.removeUser(forceUser);
} else {
log.error("User does not exist!");
}
}
} catch (Exception e) {
log.error("Could not remove user: " + e);
}
}
On 11/17/2017 06:03 PM, Jeffery Painter wrote:
Hi Georg,
I did a quick test on the remove role method with the following change
and it works. My problem with role removal was that in my test case,
the role was associated with users and could not be removed. Maybe a
better error message would help? :-) The user management needs a bit
more work as well to make it comply with the SecurityService. I will
work on that. The old flux tool also had some weirdness in the way it
handled the getRole() getGroup() getUser() method where it was caching
the last loaded entry... I am fixing that as well.
I inserted a few new roles and was able to remove them. I am working
on updating the rest of the FluxTool methods so they behave
appropriately. When I get it into decent shape, I will push updates
to my github project for you to test out if you like before we make a
space to put it into the apache source control.
That will most likely be after Nov 25th when I get back into town. Who
knows - if I get bored, I may open up some code on my laptop, but not
likely as we are going on a cruise where it will be nice and warm!
Thanks,
Jeff
On 11/17/2017 05:17 PM, Georg Kallidis wrote:
Hi Jeff,
as far as I can see, I assume the implementation class might be
TorqueTurbineModelManagerImpl? Could you check this? Your second
attempt may be indeed close, but the reason is missing. Could you
provide the stack/cause of the exception?
Probably, if this is the case, at this point of the code of the model
manager the role, group and user are already checked, but what might
have caused the exception is a failing cast to
- org.apache.fulcrum.security.model.turbine.entity.TurbineUser of the
user object or
-
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
of any of the objects, which may be the reason, if in your schema the
baseclass attribute is not set to
org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineXXX
(XXX = User|Role|Group) class (or another class implementing the
required interface, cft. the example torque-security-schem.xml in the
Turbine webapp archetype)...
And thanks for your efforts to migrate / use the flux library!
Best regards, Georg
-----Jeffery Painter <[email protected]> schrieb: -----
An: [email protected]
Von: Jeffery Painter <[email protected]>
Datum: 16.11.2017 23:29
Betreff: Re: Problem with grant and revoke user roles in turbine-4
I looked a little more at the test cases, and got my code setup
enough
to try and call the fulcrum security service directly...
// try using fulcrum service
((TurbineModelManager)fulcrumSecurityService.getModelManager()).grant(fulcrumUser,
group, role);
The error logs are still reporting problems:
I verified that this loaded the user "dean" from the database as a
fulcrumUser and it came through with a class type of
com.jivecast.smartorder.om.TurbineUser rather than the wrapper
that the
turbine security service provided. and now I get a
DataBackendException
error on the grant call...
2017-11-16 17:24:43,722 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 17:24:47,895 [http-nio-8080-exec-3] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction -
fulcrumUser:
com.jivecast.smartorder.om.TurbineUser
2017-11-16 17:24:54,147 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
2017-11-16 17:24:55,750 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
2017-11-16 17:24:56,031 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
2017-11-16 17:24:56,315 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
2017-11-16 17:24:56,599 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
2017-11-16 17:25:03,129 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
2017-11-16 17:25:03,143 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
2017-11-16 17:25:09,097 [http-nio-8080-exec-3] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
role to user: inventory
2017-11-16 17:25:10,535 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.ModelManager' in the local
container
2017-11-16 17:25:10,545 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.RoleManager' in the local
container
2017-11-16 17:25:10,547 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
2017-11-16 17:25:10,560 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 17:25:10,561 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@86cedb4
2017-11-16 17:25:10,598 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.GroupManager' in the local
container
2017-11-16 17:25:10,599 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
2017-11-16 17:25:25,202 [http-nio-8080-exec-3] ERROR
com.jivecast.smartorder.modules.actions.admin.UserAction - Error
setting
roles: org.apache.fulcrum.security.util.DataBackendException:
grant('dean', 'global', 'inventory') failed
any ideas?
--
Jeff
On 11/16/2017 05:00 PM, Jeffery Painter wrote:
Hi Georg,
I am making some good progress. I don't know if you remember the
old
flux library for user management, but I have started to re-write
that
to work with Turbine 4.0. I am having some troubles however with
the
grant/revoke roles with casting the user object incorrectly from the
TurbineWrapper class. Can you help me with the issue I am having
below? I looked at the unit tests in the Turbine source for
inspiration on migrating, but it isn't recognizing the user class
properly. I even tried to manually downcast (see my code below),
and
still cannot make it work.
If I can get this all working, I thought it might be useful to
publish
a new flux library compatible with Turbine-4.0 for user
management as
a guide to others on how to get started.
My logs show the following error when calling the grant/revoke
method
on the security service when trying to add the "inventory" role to a
user:
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction - Adding
new
role to user: inventory
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon -
Located
the service 'org.apache.fulcrum.security.RoleManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager - get cached
PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@71897a2b
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon -
Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager - get cached
PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@448e6624
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon -
Located
the service 'org.apache.fulcrum.security.GroupManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager - get cached
PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@151d470d
2017-11-16 16:49:26,919 [http-nio-8080-exec-13] ERROR
com.jivecast.smartorder.modules.actions.admin.UserAction - Error
setting roles: java.lang.ClassCastException:
com.jivecast.smartorder.wrapper.TurbineUserWrapper cannot be cast to
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
Here is the relevant code in my doRoles() method to make the new
assignment... it is modeled after the old flux methods:
I have the following import:
import org.apache.turbine.services.security.SecurityService;
and in the body of the class, I use the injection to get the
instance
mapped
/** Injected service instance */
@TurbineService
private SecurityService security;
.... then my action class method is called doRoles() which does the
role assignment and fails
/**
* Update the roles that are to assigned to a user for a
project.
*/
public void doRoles(PipelineData pipelineData, Context
context)
throws Exception {
try {
RunData data = getRunData(pipelineData);
// Get the Turbine ACL implementation for our current
user, only admin can update user roles
TurbineAccessControlList adminAcl =
getRunData(data).getACL();
if (adminAcl.hasRole("administrator")) {
// Username of the account we are updating
String username =
data.getParameters().getString("username");
if (security.accountExists(username)) {
// Try to downcast for the security grant
function
org.apache.turbine.om.security.User user =
(org.apache.turbine.om.security.User) security.getUser(username);
// Get the Turbine ACL implementation
TurbineAccessControlList acl =
security.getACL(user);
/*
* Grab all the Groups and Roles in the
system.
*/
GroupSet groups = security.getAllGroups();
RoleSet roles = security.getAllRoles();
for (Group group : groups) {
String groupName = group.getName();
for (Role role : roles) {
String roleName = role.getName();
/*
* In the UserRoleForm.vm we made a
checkbox for every possible Group/Role
* combination so we will compare
every
possible combination with the values
* that were checked off in the
form. If
we have a match then we will grant the
* user the role in the group.
*/
String groupRole = groupName +
roleName;
String formGroupRole =
data.getParameters().getString(groupRole);
if (formGroupRole != null &&
!acl.hasRole(role, group)) {
// add the role for this user
if (acl.hasRole(role) == false) {
log.debug("Adding new role to
user: " + role.getName());
security.grant(user, group,
role);
}
} else if (formGroupRole == null &&
acl.hasRole(role, group)) {
// revoke the role for this user
log.debug("Revoke role: " +
role.getName());
security.revoke(user, group,
role);
}
}
}
} else {
log.error("User does not exist!");
}
} else {
data.setMessage("You do not have access to perform
this action.");
}
} catch (Exception e) {
log.error("Error setting roles: " + e.toString());
}
}
