On 09/07/2013 18:13, morteza adi wrote:
Hi,
Let me explain a little bit what I did with Syncope:
I've been using Syncope version 1.0.0-incubating embedded inside my
application.
Changes I made to my version of Syncope:
- DAL changed to work with Hibernate
- Spring services replaced by my own services using CXF library. (At
that time Syncope didn't use CXF)
- Client rewritten with Google Web Toolkit.
- Workflow engine changed to work with a commercial BPMS
- I also had to make entitlements dynamic instead of hard coded, so I
replaced Spring @HasRole annotation with something more dynamic.
I tried to make minimum changes in Syncope to be able to keep updated
with the current version.
So I wrote some sort of adapter for the controllers and call it from
my own services.
When a request comes from my client, my security interceptor
authenticates and authorizes users using Syncope authentication
controllers.
Then the request is forwarded to specific Syncope controllers.
I logged in as admin user and somewhere in my client code I called
findAllusers().
I thought I could get all users when I'm admin user, however I didn't
get all users.
You should, so I guess there is a problem somewhere in your adapter code.
Anyway, you are quite far from Syncope standard behaviour (because of
the great number of changes and adaptations you report above), so I have
no idea of where this specific problem might be.
What do you mean by "Performing valid query"? I'm not using Syncope
console, I'm trying to rewrite some part of the console with GWT.
Understood: I was using the admin console as reference only to easily
show you what the expected result should have been: admin user can
access *all* users.
Regards.
On Tue, Jul 9, 2013 at 10:41 AM, Francesco Chicchiriccò
<[email protected]> wrote:
On 09/07/2013 05:16, morteza adi wrote:
Hi Fabio,
Since I queried by admin user, I expected to get all users. But I
only got those without membership.
Hi,
if you perform a valid query as admin, you will get all users in
Syncope, with or without memberships: you can easily prove this by
logging into the admin console and going to the Users tab.
Could you please detail how you are querying Syncope for all users?
I think you slightly misunderstood what Fabio tried to explain
below; the high-level requirement is to implement the general
authorization model defined in Syncope [1] via Entitlements.
When executing any access to user data, Syncope checks that the
authenticated user that is currently performing such operation has
the required entitlements to actually access those users, and does
so by checking the owned "role operational entitlements": check
the example at [1].
Hope this clarifies.
Regards.
[1]
https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization
Thank you for helping me. Now I can understand why this happened ;)
Best wishes
Adi
On Jul 8, 2013 2:27 PM, "Fabio Martelli"
<[email protected]> wrote:
On 06/07/2013 11:07, morteza adi wrote:
Hi,
I wonder why findAll() method in
http://svn.apache.org/viewvc/syncope/tags/syncope-1.1.2/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/UserDAOImpl.java?view=co
excludes users within the membership table?
The query created by this function doesn't make any sense to me.
Hi, the created query doesn't exclude any user within
membership table.
It checks the possibility to perform such query by the user
requiring the search operation.
The possibility is computed upon entitlements
(roles/memberships) owned by the user.
E.g.
1. since I can search only for users in role A, the query
must be created by excluding users without a membership for A.
2. since I have no memberships I can search only for users
without memberships.
Take a look at UserTest.findAll() to search for all users.
Rgds,
F.
// Requires: import java.util.Set;
private StringBuilder getFindAllQuery(final Set<Long> adminRoles) {
    final StringBuilder queryString =
            new StringBuilder("SELECT id FROM SyncopeUser WHERE id NOT IN (");

    if (adminRoles == null || adminRoles.isEmpty()) {
        // No administered roles: exclude every user that has a membership.
        queryString.append("SELECT syncopeUser_id AS id FROM Membership");
    } else {
        // Exclude users holding a membership in any role outside adminRoles.
        queryString.append("SELECT syncopeUser_id FROM Membership M1 ")
                .append("WHERE syncopeRole_id IN (");
        queryString.append("SELECT syncopeRole_id FROM Membership M2 ")
                .append("WHERE M2.syncopeUser_id=M1.syncopeUser_id ")
                .append("AND syncopeRole_id NOT IN (");
        queryString.append("SELECT id AS syncopeRole_id FROM SyncopeRole");

        boolean firstRole = true;
        for (Long adminRoleId : adminRoles) {
            if (firstRole) {
                queryString.append(" WHERE");
                firstRole = false;
            } else {
                queryString.append(" OR");
            }
            // Role ids are Long values, so appending them cannot inject SQL text.
            queryString.append(" id=").append(adminRoleId);
        }
        queryString.append("))");
    }
    queryString.append(")");
    return queryString;
}
How can I query all users, even those with memberships?
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
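
The scoping behaviour of the quoted getFindAllQuery(), as an added example that is not part of the original thread or of Syncope: a Python port of the query builder run against an in-memory SQLite schema. Table and column names come from the quoted method; the function names and the users, roles and memberships are constructed sample data.

```python
import sqlite3


def find_all_query(admin_roles):
    """Python port of the getFindAllQuery() method quoted in the thread."""
    query = "SELECT id FROM SyncopeUser WHERE id NOT IN ("
    if not admin_roles:
        # No administered roles: every user that has a membership is excluded.
        query += "SELECT syncopeUser_id AS id FROM Membership"
    else:
        # int() keeps the concatenated ids numeric, like Long in the Java code.
        ids = " OR ".join("id=%d" % int(r) for r in sorted(admin_roles))
        # Exclude users that hold a membership in a role outside admin_roles.
        query += (
            "SELECT syncopeUser_id FROM Membership M1 WHERE syncopeRole_id IN ("
            "SELECT syncopeRole_id FROM Membership M2 "
            "WHERE M2.syncopeUser_id=M1.syncopeUser_id "
            "AND syncopeRole_id NOT IN ("
            "SELECT id AS syncopeRole_id FROM SyncopeRole WHERE " + ids + "))"
        )
    return query + ")"


def sample_db():
    """Constructed data: user 1 has no membership, user 4 is in roles 1 and 2."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE SyncopeUser (id INTEGER PRIMARY KEY);
        CREATE TABLE SyncopeRole (id INTEGER PRIMARY KEY);
        CREATE TABLE Membership (syncopeUser_id INTEGER NOT NULL,
                                 syncopeRole_id INTEGER NOT NULL);
        INSERT INTO SyncopeUser VALUES (1),(2),(3),(4),(5);
        INSERT INTO SyncopeRole VALUES (1),(2),(3);
        INSERT INTO Membership VALUES (2,1),(3,2),(4,1),(4,2),(5,3);
    """)
    return conn


def visible_users(conn, admin_roles):
    """Run the scoped query and return the user ids the caller may see."""
    sql = find_all_query(admin_roles) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = sample_db()
    for roles in (set(), {1}, {1, 2}, {1, 2, 3}):
        print(sorted(roles), "->", visible_users(db, roles))
```

With an empty role set the query returns only the user without memberships, which matches the symptom reported above; every user comes back only when the set covers all roles the users belong to.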