Hi,

Let me explain a little bit what I did with Syncope: I've been using Syncope version 1.0.0-incubating embedded inside my application.

Changes I made to my version of Syncope:
- DAL changed to work with Hibernate
- Spring services replaced by my own services using the CXF library (at that time Syncope didn't use CXF)
- Client rewritten with Google Web Toolkit
- Workflow engine changed to work with a commercial BPMS
- I also had to make entitlements dynamic instead of hard-coded, so I replaced the Spring @HasRole annotation with something more dynamic.

I tried to make minimum changes in Syncope to be able to keep up to date with the current version, so I wrote some sort of adapter for the controllers and call it from my own services. When a request comes from my client, my security interceptor authenticates and authorizes users using the Syncope authentication controllers; then the request is forwarded to the specific Syncope controllers.

I logged in as the admin user and somewhere in my client code I called findAllUsers(). I thought I could get all users when I'm the admin user; however, I didn't get all users.

What do you mean by "performing a valid query"? I'm not using the Syncope console; I'm trying to rewrite some part of the console with GWT.

Regards
Adi

On Tue, Jul 9, 2013 at 10:41 AM, Francesco Chicchiriccò <[email protected]> wrote:

> On 09/07/2013 05:16, morteza adi wrote:
>
> > Hi Fabio
> >
> > Since I queried as the admin user, I expected to get all users. But I only got those without membership.
>
> Hi,
> if you perform a valid query as admin, you will get all users in Syncope, with or without memberships: you can easily prove this by logging into the admin console and going to the Users tab.
>
> Could you please detail how you are querying Syncope for all users?
>
> I think you slightly misunderstood what Fabio tried to explain below; the high-level requirement is to implement the general authorization model defined in Syncope [1] via Entitlements.
>
> When executing any access to user data, Syncope checks that the authenticated user that is currently performing such operation has the required entitlements to actually access those users, and does so by checking the owned "role operational entitlements": check the example at [1].
>
> Hope this clarifies.
> Regards.
>
> [1] https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization
>
> > Thank you for helping me. Now I can understand why this happened ;)
> >
> > Best wishes
> > Adi
> >
> > On Jul 8, 2013 2:27 PM, "Fabio Martelli" <[email protected]> wrote:
> >
> > > On 06/07/2013 11:07, morteza adi wrote:
> > >
> > > > Hi,
> > > > I wonder why the findAll() method in
> > > > http://svn.apache.org/viewvc/syncope/tags/syncope-1.1.2/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/UserDAOImpl.java?view=co
> > > > excludes users within the membership table?
> > > >
> > > > The query created by this function doesn't make any sense to me.
> > >
> > > Hi, the created query doesn't exclude any user within the membership table.
> > > It checks the possibility to perform such a query by the user requiring the search operation.
> > > The possibility is computed upon entitlements (roles/memberships) owned by the user.
> > >
> > > E.g.
> > > 1. since I can search only for users in role A, the query must be created by excluding users without a membership for A.
> > > 2. since I have no memberships I can search only for users without memberships.
> > >
> > > Take a look at UserTest.findAll() to search for all users.
> > >
> > > Rgds,
> > > F.
> > >
> > > > private StringBuilder getFindAllQuery(final Set<Long> adminRoles) {
> > > >     final StringBuilder queryString = new StringBuilder("SELECT id FROM SyncopeUser WHERE id NOT IN (");
> > > >
> > > >     if (adminRoles == null || adminRoles.isEmpty()) {
> > > >         // no admin roles: exclude every user that holds any membership
> > > >         queryString.append("SELECT syncopeUser_id AS id FROM Membership");
> > > >     } else {
> > > >         // exclude users holding a membership in a role outside adminRoles
> > > >         queryString.append("SELECT syncopeUser_id FROM Membership M1 ").append("WHERE syncopeRole_id IN (");
> > > >         queryString.append("SELECT syncopeRole_id FROM Membership M2 ").append(
> > > >                 "WHERE M2.syncopeUser_id=M1.syncopeUser_id ").append("AND syncopeRole_id NOT IN (");
> > > >
> > > >         queryString.append("SELECT id AS syncopeRole_id FROM SyncopeRole");
> > > >         boolean firstRole = true;
> > > >         for (Long adminRoleId : adminRoles) {
> > > >             if (firstRole) {
> > > >                 queryString.append(" WHERE");
> > > >                 firstRole = false;
> > > >             } else {
> > > >                 queryString.append(" OR");
> > > >             }
> > > >
> > > >             queryString.append(" id=").append(adminRoleId);
> > > >         }
> > > >
> > > >         queryString.append("))");
> > > >     }
> > > >     queryString.append(")");
> > > >
> > > >     return queryString;
> > > > }
> > > >
> > > > How can I query all users, even those with memberships?
>
> --
> Francesco Chicchiriccò
>
> ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
> http://people.apache.org/~ilgrosso/
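To see concretely what the quoted getFindAllQuery() returns for different callers, here is an added example that is not part of the thread or of the Syncope code base: a Python port of the query builder, executed with sqlite3 against a constructed three-table dataset (alice has no memberships, bob is in role A, carol in role B, dave in both). The table and column names follow the quoted query; the user, role and membership ids are invented. One deliberate change from the Java: the role ids are bound as parameters rather than concatenated into the SQL text. In the original that concatenation is safe only because adminRoles is a Set<Long>; once entitlements are made dynamic (as Adi describes), it is worth keeping that guarantee explicit. The runs show what Fabio's two cases look like in practice: an empty admin-role set yields exactly the no-membership users Adi observed, while a set covering every role a user belongs to yields all users.

```python
import sqlite3
from typing import Dict, Iterable, List, Tuple

# Constructed sample data (not from the Syncope project): three tables with the
# column names the quoted query touches, populated as
#   alice -> no memberships, bob -> role A, carol -> role B, dave -> roles A and B
SCHEMA = """
CREATE TABLE SyncopeUser (id INTEGER PRIMARY KEY, username TEXT NOT NULL);
CREATE TABLE SyncopeRole (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE Membership (
    id INTEGER PRIMARY KEY,
    syncopeUser_id INTEGER NOT NULL REFERENCES SyncopeUser(id),
    syncopeRole_id INTEGER NOT NULL REFERENCES SyncopeRole(id)
);
"""
ROLE_A, ROLE_B = 10, 20
USERS = [(1, "alice"), (2, "bob"), (3, "carol"), (4, "dave")]
ROLES = [(ROLE_A, "A"), (ROLE_B, "B")]
MEMBERSHIPS = [(100, 2, ROLE_A), (101, 3, ROLE_B), (102, 4, ROLE_A), (103, 4, ROLE_B)]


def build_find_all_query(admin_roles: Iterable[int]) -> Tuple[str, List[int]]:
    """Same shape as the quoted getFindAllQuery(), but the admin role ids are
    passed as bind parameters instead of being concatenated into the SQL."""
    # int() rejects anything that is not a numeric id (raises ValueError)
    roles = sorted({int(r) for r in admin_roles})
    sql = "SELECT id FROM SyncopeUser WHERE id NOT IN ("
    if not roles:
        # no admin roles: every user holding any membership is excluded
        sql += "SELECT syncopeUser_id AS id FROM Membership"
    else:
        # exclude users holding at least one membership in a role that is
        # NOT among the caller's admin roles
        sql += (
            "SELECT syncopeUser_id FROM Membership M1 WHERE syncopeRole_id IN ("
            "SELECT syncopeRole_id FROM Membership M2 "
            "WHERE M2.syncopeUser_id = M1.syncopeUser_id "
            "AND syncopeRole_id NOT IN ("
            "SELECT id AS syncopeRole_id FROM SyncopeRole WHERE "
            + " OR ".join("id = ?" for _ in roles)
            + "))"
        )
    sql += ")"
    return sql, roles


def make_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO SyncopeUser VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO SyncopeRole VALUES (?, ?)", ROLES)
    conn.executemany("INSERT INTO Membership VALUES (?, ?, ?)", MEMBERSHIPS)
    return conn


def find_all(conn: sqlite3.Connection, admin_roles: Iterable[int]) -> List[int]:
    """Ids of the users visible to a caller owning the given admin roles."""
    sql, params = build_find_all_query(admin_roles)
    return sorted(row[0] for row in conn.execute(sql, params))


def demo() -> Dict[str, List[int]]:
    conn = make_db()
    return {
        "no admin roles": find_all(conn, []),                # [1]
        "admin of A": find_all(conn, [ROLE_A]),              # [1, 2]
        "admin of B": find_all(conn, [ROLE_B]),              # [1, 3]
        "admin of A+B": find_all(conn, [ROLE_A, ROLE_B]),    # [1, 2, 3, 4]
    }


if __name__ == "__main__":
    for label, ids in demo().items():
        print(f"{label:15s} -> {ids}")
```

Read the "admin of A" row against the nested query: dave is excluded not because he lacks an A membership but because he also holds a B membership, and B is outside the caller's admin roles. So a caller sees precisely the users whose memberships are all within roles the caller administers (users with no memberships included), and the only way to see everyone is for the admin-role set to cover every role that has members.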
