Hi Jeffery, >The weird part is the security.changePassword(user, oldpw, newpw) method >works with the wrapped user object whereas none of the other methods >like security.revokeAll(user) are working... maybe there is a clue in that.
The simple reason for this is that in the Turbine security service changePassword method the delegate is already called, but only by the called user manager (DefaultUserManager)! umDelegate.changePassword( ((TurbineUserDelegate)user).getUserDelegate(), oldPassword, newPassword); The same is true for the method store, but not for a couple of other security service methods (grant, revoke, revokeAll, addUser, removeUser, in user manager: forcePassword, getACL, removeAccount, createAccount, accountExists). Provided that we use Torque Security (Hibernate may be the same) we need using the delegate because only the OM classes extend from the (abstract) classes, which implement the required methods in org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity used by the Fulcrum Torque managers. I think about how to better define the interface in Fulcrum Turbine Torque (require the class, which is effectively used later). I'll nevertheless update Turbine (4.1-SNAPSHOT) Fulcrum Security 1.1.2-SNAPSHOT and Turbine Webapp for what we know now is bug. If we think about a more robust approach, the question is of course, where should the tests be placed? Fulcrum is a abstract module to Turbine and Turbine has up to now no Torque dependency and the tests are incomplete apparently. The only place where both Torque Fulcrum module and Turbine module come together is in the Turbine Webapp. It may be there, where a test should be added... it' s already kind of evolving into a test environment. I ´ll check this.. We may consider a follow-up Turbine release (better 4.0.1 than 4.1!) as well as a Fulcrum Security Torque 1.1.2. What do you think? Best regards, Georg Von: Jeffery Painter <[email protected]> An: [email protected] Datum: 26.11.2017 16:26 Betreff: Re: Problem with grant and revoke user roles in turbine-4 Hi Georg, I was able to develop a work around but it is pretty ugly. I can now add/delete/update user accounts. I have posted the flux update here: https://github.com/jlpainter/turbine-flux/commit/762efbf4fb02c339e4cea384ffee5d46689693d4 The weird part is the security.changePassword(user, oldpw, newpw) method works with the wrapped user object whereas none of the other methods like security.revokeAll(user) are working... maybe there is a clue in that. -- Jeff On 11/25/2017 02:59 PM, Jeffery Painter wrote: > Hi Georg, > > That helped a lot with the grant/revoke of roles. I updated the code > for revoking as well to match. I have flux tool now managing the > add/removal/update for both groups and roles. Permissions was still > giving me some issues and I need to look into that more when I have > time. I don't use permission level security (just groups and roles) > but to call the tool complete, I should get it working as well. > > I pushed my last updates here: > > https://github.com/jlpainter/turbine-flux/commit/81420058acfff26cca346b58ee971fab2eb8201e > > > The one main issue I see now is that I cannot add/update/delete a > user. I am getting the same cryptic DataBackendException error and > can't seem to get past it. It looks like it is most likely related to > the issue you have already identified below. > > Let me know where I can help with this. > > Thanks, > Jeff > > > > On 11/24/2017 09:59 AM, Georg Kallidis wrote: >> Hi Jeffery, >> >> that´s in any case very cool to do this fluxTooling! ;-) >> >> I checked out your GitHub project fluxtest and I may have found the bug >> (in Turbine). >> >> The issue is that the Turbine service class >> org.apache.turbine.services.security.DefaultSecurityService implementing >> org.apache.turbine.services.security.SecurityService requires as user >> model org.apache.turbine.om.security.User (=User). >> On the other side the Fulcrum implementation of the grant method uses a >> method (update) (defined in >> org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity) >> >> seems to expect as contract fulcrum user object, but also >> TorqueAbstractSecurityEntity, which is implemented by the Turbineuser om >> class by extending the appropriate baseClass >> org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineUser in >> the schema (= TurbineUser). >> How to match this? It WOULD be possible to retrieve the backing >> TurbineUser object from the User with the getUserDelegate() method. >> But the interface TurbineUserDelegate is not part of the contract of >> turbine.om.security.User (though DefaultUserImpl DOES implement >> TurbineUserDelegate) this is somewhat hidden in the SecurityService (a >> cast would be required later on). >> The easiest and most transparent solution would be (in my view), that >> org.apache.turbine.om.security.User interface extends >> TurbineUserDelegate >> and that at one point the delegate is called (as the TurbineUser OM >> class >> does implement Fulcrum TurbineUser, which implements Fulcrum User this >> would be no problem. We have to call getUserDelegate before the >> modelManager grant method is called, i.e. in DefaultSecurityService). No >> other changes seem to be needed .. I'll create an issue in TRB JIRA as >> soon as possible.. >> >> As a result you may have to use the Torque mapper for now, cft. your >> action FluxUserAction, cft. the github patch >> (https://github.com/jlpainter/turbine-flux/pull/1, you might just review >> the changes). >> >> I posted a copy to the dev list, where the discussion might continue ... >> >> Best regards, Georg >> >> >> >> Von: Jeffery Painter <[email protected]> >> An: [email protected] >> Datum: 18.11.2017 00:43 >> Betreff: Re: Problem with grant and revoke user roles in >> turbine-4 >> >> >> >> >> I gave it one last shot, but I am still having trouble with casting the >> user object. The security service seems to only want to give me the >> wrapper version and I cannot cast it to anything that the removeUser() >> method likes.... >> >> maybe you can take a look at the following method. >> >> >> Here is my logging output. >> >> 2017-11-17 18:32:39,818 [http-nio-8080-exec-4] DEBUG >> org.apache.turbine.flux.modules.actions.user.FluxUserAction - getUser() >> type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper >> >> 2017-11-17 18:32:41,105 [http-nio-8080-exec-4] DEBUG >> org.apache.turbine.flux.modules.actions.user.FluxUserAction - >> o.a.t.o.s.User type: >> org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper >> >> 2017-11-17 18:32:42,598 [http-nio-8080-exec-4] DEBUG >> org.apache.turbine.flux.modules.actions.user.FluxUserAction - >> o.a.f.s.m.t.e.TurbineUser type: >> org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper >> >> 2017-11-17 18:33:06,031 [http-nio-8080-exec-4] ERROR >> org.apache.turbine.flux.modules.actions.user.FluxUserAction - Could not >> remove user: org.apache.fulcrum.security.util.UnknownEntityException: >> Could not find User/Group/Role >> >> and the method call I am trying to use to delete the user... >> >> >> /** >> * ActionEvent responsible for removing a user from the Tambora >> system. >> */ >> public void doDelete(PipelineData pipelineData, Context context) >> throws Exception { >> >> try { >> RunData data = getRunData(pipelineData); >> String username = >> data.getParameters().getString("username"); >> if (!StringUtils.isEmpty(username)) { >> if (security.accountExists(username)) { >> >> // this is always returning the wrapper version of >> our user >> User user1 = security.getUser(username); >> log.debug("getUser() type: " + >> user1.getClass().getTypeName().toString() ); >> >> // same and does not work >> User user2 = (org.apache.turbine.om.security.User) >> security.getUser(username); >> log.debug("o.a.t.o.s.User type: " + >> user2.getClass().getTypeName().toString() ); >> >> // no change - and you cannot use the interface >> class as a parameter to the removeUser method >> org.apache.fulcrum.security.model.turbine.entity.TurbineUser user3 = >> (org.apache.fulcrum.security.model.turbine.entity.TurbineUser) >> security.getUser(username); >> log.debug("o.a.f.s.m.t.e.TurbineUser type: " + >> user3.getClass().getTypeName().toString() ); >> >> // Tried using reflection to cast and still >> doesn't >> work >> org.apache.turbine.om.security.User forceUser = >> org.apache.turbine.om.security.User.class.cast( >> security.getUser(username) ); >> log.debug("o.a.t.o.s.User type: " + >> forceUser.getClass().getTypeName().toString() ); >> >> //security.revokeAll(user); >> // remove user does the revokeAll above... >> security.removeUser(forceUser); >> >> } else { >> log.error("User does not exist!"); >> } >> } >> } catch (Exception e) { >> log.error("Could not remove user: " + e); >> } >> } >> >> >> On 11/17/2017 06:03 PM, Jeffery Painter wrote: >>> Hi Georg, >>> >>> I did a quick test on the remove role method with the following change >>> and it works. My problem with role removal was that in my test case, >>> the role was associated with users and could not be removed. Maybe a >>> better error message would help? :-) The user management needs a bit >>> more work as well to make it comply with the SecurityService. I will >>> work on that. The old flux tool also had some weirdness in the way it >>> handled the getRole() getGroup() getUser() method where it was caching >>> the last loaded entry... I am fixing that as well. >>> >>> I inserted a few new roles and was able to remove them. I am working >>> on updating the rest of the FluxTool methods so they behave >>> appropriately. When I get it into decent shape, I will push updates >>> to my github project for you to test out if you like before we make a >>> space to put it into the apache source control. >>> >>> That will most likely be after Nov 25th when I get back into town. Who >>> knows - if I get bored, I may open up some code on my laptop, but not >>> likely as we are going on a cruise where it will be nice and warm! >>> >>> Thanks, >>> Jeff >>> >>> >>> >>> On 11/17/2017 05:17 PM, Georg Kallidis wrote: >>>> Hi Jeff, >>>> >>>> as far as I can see, I assume the implementation class might be >>>> TorqueTurbineModelManagerImpl? Could you check this? Your second >>>> attempt may be indeed close, but the reason is missing. Could you >>>> provide the stack/cause of the exception? >>>> >>>> Probably, if this is the case, at this point of the code of the model >>>> manager the role, group and user are already checked, but what might >>>> have caused the exception is a failing cast to >>>> >>>> - org.apache.fulcrum.security.model.turbine.entity.TurbineUser of the >>>> user object or >>>> - >>>> >> org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity >>>> of any of the objects, which may be the reason, if in your schema the >>>> baseclass attribute is not set to >>>> org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineXXX >>>> (XXX = User|Role|Group) class (or another class implementing the >>>> required interface, cft. the example torque-security-schem.xml in the >>>> Turbine webapp archetype)... >>>> >>>> And thanks for your efforts to migrate / use the flux library! >>>> >>>> Best regards, Georg >>>> >>>> -----Jeffery Painter <[email protected]> schrieb: ----- >>>> An: [email protected] >>>> Von: Jeffery Painter <[email protected]> >>>> Datum: 16.11.2017 23:29 >>>> Betreff: Re: Problem with grant and revoke user roles in turbine-4 >>>> >>>> I looked a little more at the test cases, and got my code setup enough >>>> to try and call the fulcrum security service directly... >>>> >>>> // try using fulcrum service >>>> >> ((TurbineModelManager)fulcrumSecurityService.getModelManager()).grant(fulcrumUser, >> >> >>>> group, role); >>>> >>>> The error logs are still reporting problems: >>>> >>>> I verified that this loaded the user "dean" from the database as a >>>> fulcrumUser and it came through with a class type of >>>> com.jivecast.smartorder.om.TurbineUser rather than the wrapper that >>>> the >>>> turbine security service provided. and now I get a >>>> DataBackendException >>>> error on the grant call... >>>> >>>> 2017-11-16 17:24:43,722 [http-nio-8080-exec-3] DEBUG avalon - Located >>>> the service 'org.apache.fulcrum.security.UserManager' in the local >>>> container >>>> 2017-11-16 17:24:47,895 [http-nio-8080-exec-3] DEBUG >>>> com.jivecast.smartorder.modules.actions.admin.UserAction - >>>> fulcrumUser: >>>> com.jivecast.smartorder.om.TurbineUser >>>> 2017-11-16 17:24:54,147 [http-nio-8080-exec-3] DEBUG >>>> avalon.peerManager >>>> - get cached >>>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c >>>> 2017-11-16 17:24:55,750 [http-nio-8080-exec-3] DEBUG >>>> avalon.peerManager >>>> - get cached >>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807 >>>> 2017-11-16 17:24:56,031 [http-nio-8080-exec-3] DEBUG >>>> avalon.peerManager >>>> - get cached >>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807 >>>> 2017-11-16 17:24:56,315 [http-nio-8080-exec-3] DEBUG >>>> avalon.peerManager >>>> - get cached >>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807 >>>> 2017-11-16 17:24:56,599 [http-nio-8080-exec-3] DEBUG >>>> avalon.peerManager >>>> - get cached >>>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c >>>> 2017-11-16 17:25:03,129 [http-nio-8080-exec-3] DEBUG >>>> avalon.peerManager >>>> - get cached >>>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c >>>> 2017-11-16 17:25:03,143 [http-nio-8080-exec-3] DEBUG >>>> avalon.peerManager >>>> - get cached >>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807 >>>> 2017-11-16 17:25:09,097 [http-nio-8080-exec-3] DEBUG >>>> com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new >>>> role to user: inventory >>>> 2017-11-16 17:25:10,535 [http-nio-8080-exec-3] DEBUG avalon - Located >>>> the service 'org.apache.fulcrum.security.ModelManager' in the local >>>> container >>>> 2017-11-16 17:25:10,545 [http-nio-8080-exec-3] DEBUG avalon - Located >>>> the service 'org.apache.fulcrum.security.RoleManager' in the local >>>> container >>>> 2017-11-16 17:25:10,547 [http-nio-8080-exec-3] DEBUG >>>> avalon.peerManager >>>> - get cached >>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807 >>>> 2017-11-16 17:25:10,560 [http-nio-8080-exec-3] DEBUG avalon - Located >>>> the service 'org.apache.fulcrum.security.UserManager' in the local >>>> container >>>> 2017-11-16 17:25:10,561 [http-nio-8080-exec-3] DEBUG >>>> avalon.peerManager >>>> - get cached >>>> PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@86cedb4 >>>> 2017-11-16 17:25:10,598 [http-nio-8080-exec-3] DEBUG avalon - Located >>>> the service 'org.apache.fulcrum.security.GroupManager' in the local >>>> container >>>> 2017-11-16 17:25:10,599 [http-nio-8080-exec-3] DEBUG >>>> avalon.peerManager >>>> - get cached >>>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c >>>> 2017-11-16 17:25:25,202 [http-nio-8080-exec-3] ERROR >>>> com.jivecast.smartorder.modules.actions.admin.UserAction - Error >> setting >>>> roles: org.apache.fulcrum.security.util.DataBackendException: >>>> grant('dean', 'global', 'inventory') failed >>>> >>>> >>>> any ideas? >>>> >>>> -- >>>> Jeff >>>> >>>> >>>> >>>> On 11/16/2017 05:00 PM, Jeffery Painter wrote: >>>>> Hi Georg, >>>>> >>>>> I am making some good progress. I don't know if you remember the old >>>>> flux library for user management, but I have started to re-write that >>>>> to work with Turbine 4.0. I am having some troubles however with the >>>>> grant/revoke roles with casting the user object incorrectly from the >>>>> TurbineWrapper class. Can you help me with the issue I am having >>>>> below? I looked at the unit tests in the Turbine source for >>>>> inspiration on migrating, but it isn't recognizing the user class >>>>> properly. I even tried to manually downcast (see my code below), and >>>>> still cannot make it work. >>>>> >>>>> If I can get this all working, I thought it might be useful to >>>>> publish >>>>> a new flux library compatible with Turbine-4.0 for user management as >>>>> a guide to others on how to get started. >>>>> >>>>> >>>>> My logs show the following error when calling the grant/revoke method >>>>> on the security service when trying to add the "inventory" role to a >>>>> user: >>>>> >>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG >>>>> com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new >>>>> role to user: inventory >>>>> >>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - >>>>> Located >>>>> the service 'org.apache.fulcrum.security.RoleManager' in the local >>>>> container >>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG >>>>> avalon.peerManager - get cached >>>>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@71897a2b >>>>> >>>>> >>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - >>>>> Located >>>>> the service 'org.apache.fulcrum.security.UserManager' in the local >>>>> container >>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG >>>>> avalon.peerManager - get cached >>>>> PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@448e6624 >>>>> >>>>> >>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - >>>>> Located >>>>> the service 'org.apache.fulcrum.security.GroupManager' in the local >>>>> container >>>>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG >>>>> avalon.peerManager - get cached >>>>> >> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@151d470d >>>>> 2017-11-16 16:49:26,919 [http-nio-8080-exec-13] ERROR >>>>> com.jivecast.smartorder.modules.actions.admin.UserAction - Error >>>>> setting roles: java.lang.ClassCastException: >>>>> com.jivecast.smartorder.wrapper.TurbineUserWrapper cannot be cast to >>>>> >> org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity >>>>> >>>>> >>>>> Here is the relevant code in my doRoles() method to make the new >>>>> assignment... it is modeled after the old flux methods: >>>>> >>>>> I have the following import: >>>>> >>>>> import org.apache.turbine.services.security.SecurityService; >>>>> >>>>> and in the body of the class, I use the injection to get the instance >>>>> mapped >>>>> >>>>> /** Injected service instance */ >>>>> @TurbineService >>>>> private SecurityService security; >>>>> >>>>> .... then my action class method is called doRoles() which does the >>>>> role assignment and fails >>>>> >>>>> /** >>>>> * Update the roles that are to assigned to a user for a >>>>> project. >>>>> */ >>>>> public void doRoles(PipelineData pipelineData, Context context) >>>>> throws Exception { >>>>> >>>>> try { >>>>> >>>>> RunData data = getRunData(pipelineData); >>>>> >>>>> // Get the Turbine ACL implementation for our current >>>>> user, only admin can update user roles >>>>> TurbineAccessControlList adminAcl = >>>>> getRunData(data).getACL(); >>>>> if (adminAcl.hasRole("administrator")) { >>>>> >>>>> // Username of the account we are updating >>>>> String username = >>>>> data.getParameters().getString("username"); >>>>> if (security.accountExists(username)) { >>>>> >>>>> // Try to downcast for the security grant >> function >>>>> org.apache.turbine.om.security.User user = >>>>> (org.apache.turbine.om.security.User) security.getUser(username); >>>>> >>>>> // Get the Turbine ACL implementation >>>>> TurbineAccessControlList acl = >>>>> security.getACL(user); >>>>> >>>>> /* >>>>> * Grab all the Groups and Roles in the system. >>>>> */ >>>>> GroupSet groups = security.getAllGroups(); >>>>> RoleSet roles = security.getAllRoles(); >>>>> >>>>> for (Group group : groups) { >>>>> String groupName = group.getName(); >>>>> for (Role role : roles) { >>>>> String roleName = role.getName(); >>>>> >>>>> /* >>>>> * In the UserRoleForm.vm we made a >>>>> checkbox for every possible Group/Role >>>>> * combination so we will compare every >>>>> possible combination with the values >>>>> * that were checked off in the >>>>> form. If >>>>> we have a match then we will grant the >>>>> * user the role in the group. >>>>> */ >>>>> String groupRole = groupName + >>>>> roleName; >>>>> String formGroupRole = >>>>> data.getParameters().getString(groupRole); >>>>> >>>>> if (formGroupRole != null && >>>>> !acl.hasRole(role, group)) { >>>>> // add the role for this user >>>>> if (acl.hasRole(role) == false) { >>>>> log.debug("Adding new role to >>>>> user: " + role.getName()); >>>>> security.grant(user, group, >> role); >>>>> } >>>>> } else if (formGroupRole == null && >>>>> acl.hasRole(role, group)) { >>>>> // revoke the role for this user >>>>> log.debug("Revoke role: " + >>>>> role.getName()); >>>>> security.revoke(user, group, role); >>>>> } >>>>> } >>>>> } >>>>> >>>>> } else { >>>>> log.error("User does not exist!"); >>>>> } >>>>> } else { >>>>> data.setMessage("You do not have access to perform >>>>> this action."); >>>>> } >>>>> } catch (Exception e) { >>>>> log.error("Error setting roles: " + e.toString()); >>>>> } >>>>> >>>>> } >>>>> >>>>> > -- Jeff Painter CEO and Founder of JiveCast Software and analytics, made together http://jivecast.com 301 Fayetteville St. Unit 2301, Raleigh, NC 27601 (919) 533-9024 --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
