Re: Problem with grant and revoke user roles in turbine-4

Fri, 17 Nov 2017 15:43:21 -0800
I gave it one last shot, but I am still having trouble with casting the user object. The security service seems to only want to give me the wrapper version and I cannot cast it to anything that the removeUser() method likes.... 

maybe you can take a look at the following method.


Here is my logging output.


2017-11-17 18:32:39,818 [http-nio-8080-exec-4] DEBUG 
org.apache.turbine.flux.modules.actions.user.FluxUserAction - getUser() 
type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper



2017-11-17 18:32:41,105 [http-nio-8080-exec-4] DEBUG 
org.apache.turbine.flux.modules.actions.user.FluxUserAction - 
o.a.t.o.s.User type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper



2017-11-17 18:32:42,598 [http-nio-8080-exec-4] DEBUG 
org.apache.turbine.flux.modules.actions.user.FluxUserAction - 
o.a.f.s.m.t.e.TurbineUser type: 
org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper



2017-11-17 18:33:06,031 [http-nio-8080-exec-4] ERROR 
org.apache.turbine.flux.modules.actions.user.FluxUserAction - Could not 
remove user: org.apache.fulcrum.security.util.UnknownEntityException: 
Could not find User/Group/Role


and the method call I am trying to use to delete the user...


    /**
     * ActionEvent responsible for removing a user from the Tambora system.
     */

    public void doDelete(PipelineData pipelineData, Context context) 
throws Exception {


        try {
            RunData data = getRunData(pipelineData);
            String username = data.getParameters().getString("username");
            if (!StringUtils.isEmpty(username)) {
                if (security.accountExists(username)) {


                    // this is always returning the wrapper version of 
our user

                    User user1 = security.getUser(username);

                    log.debug("getUser() type: " + 
user1.getClass().getTypeName().toString() );


                    // same and does not work

                    User user2 = (org.apache.turbine.om.security.User) 
security.getUser(username);
                    log.debug("o.a.t.o.s.User type: " + 
user2.getClass().getTypeName().toString() );



                    // no change - and you cannot use the interface 
class as a parameter to the removeUser method
org.apache.fulcrum.security.model.turbine.entity.TurbineUser user3 = 
(org.apache.fulcrum.security.model.turbine.entity.TurbineUser) 
security.getUser(username);
                    log.debug("o.a.f.s.m.t.e.TurbineUser type: " + 
user3.getClass().getTypeName().toString() );



                    // Tried using reflection to cast and still doesn't 
work
                    org.apache.turbine.om.security.User forceUser = 
org.apache.turbine.om.security.User.class.cast( 
security.getUser(username) );
                    log.debug("o.a.t.o.s.User type: " + 
forceUser.getClass().getTypeName().toString() );


                    //security.revokeAll(user);
                    // remove user does the revokeAll above...
                    security.removeUser(forceUser);

                } else {
                    log.error("User does not exist!");
                }
            }
        } catch (Exception e) {
            log.error("Could not remove user: " + e);
        }
    }


On 11/17/2017 06:03 PM, Jeffery Painter wrote:

Hi Georg,


I did a quick test on the remove role method with the following change 
and it works.  My problem with role removal was that in my test case, 
the role was associated with users and could not be removed.  Maybe a 
better error message would help? :-)   The user management needs a bit 
more work as well to make it comply with the SecurityService. I will 
work on that.  The old flux tool also had some weirdness in the way it 
handled the getRole() getGroup() getUser() method where it was caching 
the last loaded entry... I am fixing that as well.



I inserted a few new roles and was able to remove them.  I am working 
on updating the rest of the FluxTool methods so they behave 
appropriately.  When I get it into decent shape, I will push updates 
to my github project for you to test out if you like before we make a 
space to put it into the apache source control.



That will most likely be after Nov 25th when I get back into town. Who 
knows - if I get bored, I may open up some code on my laptop, but not 
likely as we are going on a cruise where it will be nice and warm!


Thanks,
Jeff



On 11/17/2017 05:17 PM, Georg Kallidis wrote:

Hi Jeff,


as far as I can see, I assume the implementation class might be 
TorqueTurbineModelManagerImpl? Could you check this? Your second 
attempt may be indeed close, but the reason is missing. Could you 
provide the stack/cause of the exception?



Probably, if this is the case, at this point of the code of the model 
manager the role, group and user are already checked, but what might 
have caused the exception is a failing cast to



- org.apache.fulcrum.security.model.turbine.entity.TurbineUser of the 
user object or
- 
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity 
of any of the objects, which may be the reason, if in your schema the 
baseclass attribute is not set to 
org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineXXX 
(XXX = User|Role|Group) class (or another class implementing the 
required interface, cft. the example torque-security-schem.xml in the 
Turbine webapp archetype)...


And thanks for your efforts to migrate / use the flux library!

Best regards, Georg

-----Jeffery Painter <[email protected]> schrieb: -----
An: [email protected]
Von: Jeffery Painter <[email protected]>
Datum: 16.11.2017 23:29
Betreff: Re: Problem with grant and revoke user roles in turbine-4

I looked a little more at the test cases, and got my code setup enough
to try and call the fulcrum security service directly...

                                      // try using fulcrum service

((TurbineModelManager)fulcrumSecurityService.getModelManager()).grant(fulcrumUser, 


group, role);

The error logs are still reporting problems:

I verified that this loaded the user "dean" from the database as a
fulcrumUser and it came through with a class type of
com.jivecast.smartorder.om.TurbineUser rather than the wrapper that the
turbine security service provided. and now I get a DataBackendException
error on the grant call...

2017-11-16 17:24:43,722 [http-nio-8080-exec-3] DEBUG avalon - Located

the service 'org.apache.fulcrum.security.UserManager' in the local 
container

2017-11-16 17:24:47,895 [http-nio-8080-exec-3] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction - fulcrumUser:
com.jivecast.smartorder.om.TurbineUser
2017-11-16 17:24:54,147 [http-nio-8080-exec-3] DEBUG avalon.peerManager
-  get cached
PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
2017-11-16 17:24:55,750 [http-nio-8080-exec-3] DEBUG avalon.peerManager
-  get cached
PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
2017-11-16 17:24:56,031 [http-nio-8080-exec-3] DEBUG avalon.peerManager
-  get cached
PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
2017-11-16 17:24:56,315 [http-nio-8080-exec-3] DEBUG avalon.peerManager
-  get cached
PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
2017-11-16 17:24:56,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager
-  get cached
PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
2017-11-16 17:25:03,129 [http-nio-8080-exec-3] DEBUG avalon.peerManager
-  get cached
PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
2017-11-16 17:25:03,143 [http-nio-8080-exec-3] DEBUG avalon.peerManager
-  get cached
PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
2017-11-16 17:25:09,097 [http-nio-8080-exec-3] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
role to user: inventory
2017-11-16 17:25:10,535 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.ModelManager' in the local
container
2017-11-16 17:25:10,545 [http-nio-8080-exec-3] DEBUG avalon - Located

the service 'org.apache.fulcrum.security.RoleManager' in the local 
container

2017-11-16 17:25:10,547 [http-nio-8080-exec-3] DEBUG avalon.peerManager
-  get cached
PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807
2017-11-16 17:25:10,560 [http-nio-8080-exec-3] DEBUG avalon - Located

the service 'org.apache.fulcrum.security.UserManager' in the local 
container

2017-11-16 17:25:10,561 [http-nio-8080-exec-3] DEBUG avalon.peerManager
-  get cached
PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@86cedb4
2017-11-16 17:25:10,598 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.GroupManager' in the local
container
2017-11-16 17:25:10,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager
-  get cached
PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c
2017-11-16 17:25:25,202 [http-nio-8080-exec-3] ERROR
com.jivecast.smartorder.modules.actions.admin.UserAction - Error setting
roles: org.apache.fulcrum.security.util.DataBackendException:
grant('dean', 'global', 'inventory') failed


any ideas?

--
Jeff



On 11/16/2017 05:00 PM, Jeffery Painter wrote:

Hi Georg,

I am making some good progress.  I don't know if you remember the old
flux library for user management, but I have started to re-write that
to work with Turbine 4.0.  I am having some troubles however with the
grant/revoke roles with casting the user object incorrectly from the
TurbineWrapper class.  Can you help me with the issue I am having
below?  I looked at the unit tests in the Turbine source for
inspiration on migrating, but it isn't recognizing the user class
properly.  I even tried to manually downcast (see my code below), and
still cannot make it work.

If I can get this all working, I thought it might be useful to publish
a new flux library compatible with Turbine-4.0 for user management as
a guide to others on how to get started.


My logs show the following error when calling the grant/revoke method
on the security service when trying to add the "inventory" role to a
user:

2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
role to user: inventory

2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.RoleManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager -  get cached
PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@71897a2b

2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager -  get cached
PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@448e6624

2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.GroupManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager -  get cached
PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@151d470d

2017-11-16 16:49:26,919 [http-nio-8080-exec-13] ERROR
com.jivecast.smartorder.modules.actions.admin.UserAction - Error
setting roles: java.lang.ClassCastException:
com.jivecast.smartorder.wrapper.TurbineUserWrapper cannot be cast to

org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity 




Here is the relevant code in my doRoles() method to make the new
assignment... it is modeled after the old flux methods:

I have the following import:

import org.apache.turbine.services.security.SecurityService;

and in the body of the class, I use the injection to get the instance
mapped

     /** Injected service instance */
     @TurbineService
     private SecurityService security;

.... then my action class method is called doRoles() which does the
role assignment and fails

     /**
      * Update the roles that are to assigned to a user for a project.
      */
     public void doRoles(PipelineData pipelineData, Context context)
throws Exception {

         try {

             RunData data = getRunData(pipelineData);

             // Get the Turbine ACL implementation for our current
user, only admin can update user roles
             TurbineAccessControlList adminAcl =
getRunData(data).getACL();
             if (adminAcl.hasRole("administrator")) {

                 // Username of the account we are updating
                 String username =
data.getParameters().getString("username");
                 if (security.accountExists(username)) {

                     // Try to downcast for the security grant function
                     org.apache.turbine.om.security.User user =
(org.apache.turbine.om.security.User) security.getUser(username);

                     // Get the Turbine ACL implementation

                     TurbineAccessControlList acl = 
security.getACL(user);


                     /*
                      * Grab all the Groups and Roles in the system.
                      */
                     GroupSet groups = security.getAllGroups();
                     RoleSet roles = security.getAllRoles();

                     for (Group group : groups) {
                         String groupName = group.getName();
                         for (Role role : roles) {
                             String roleName = role.getName();

                             /*
                              * In the UserRoleForm.vm we made a
checkbox for every possible Group/Role
                              * combination so we will compare every
possible combination with the values
                              * that were checked off in the form. If
we have a match then we will grant the
                              * user the role in the group.
                              */
                             String groupRole = groupName + roleName;
                             String formGroupRole =
data.getParameters().getString(groupRole);

                             if (formGroupRole != null &&
!acl.hasRole(role, group)) {
                                 // add the role for this user
                                 if (acl.hasRole(role) == false) {
                                     log.debug("Adding new role to
user: " + role.getName());
                                     security.grant(user, group, role);
                                 }
                             } else if (formGroupRole == null &&
acl.hasRole(role, group)) {
                                 // revoke the role for this user
                                 log.debug("Revoke role: " +
role.getName());
                                 security.revoke(user, group, role);
                             }
                         }
                     }

                 } else {
                     log.error("User does not exist!");
                 }
             } else {
                 data.setMessage("You do not have access to perform
this action.");
             }
         } catch (Exception e) {
             log.error("Error setting roles: " + e.toString());
         }

     }






--
Jeff Painter

CEO and Founder of JiveCast
Software and analytics, made together
http://jivecast.com

301 Fayetteville St. Unit 2301, Raleigh, NC 27601
(919) 533-9024


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]























					Reply via email to