Discussion:
Problem with grant and revoke user roles in turbine-4
Georg Kallidis
2017-11-24 14:59:31 UTC
Permalink
Hi Jeffery,

that´s in any case very cool to do this fluxTooling! ;-)

I checked out your GitHub project fluxtest and I may have found the bug
(in Turbine).

The issue is that the Turbine service class
org.apache.turbine.services.security.DefaultSecurityService implementing
org.apache.turbine.services.security.SecurityService requires as user
model org.apache.turbine.om.security.User (=User).
On the other side the Fulcrum implementation of the grant method uses a
method (update) (defined in
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity)
seems to expect as contract fulcrum user object, but also
TorqueAbstractSecurityEntity, which is implemented by the Turbineuser om
class by extending the appropriate baseClass
org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineUser in
the schema (= TurbineUser).
How to match this? It WOULD be possible to retrieve the backing
TurbineUser object from the User with the getUserDelegate() method.
But the interface TurbineUserDelegate is not part of the contract of
turbine.om.security.User (though DefaultUserImpl DOES implement
TurbineUserDelegate) this is somewhat hidden in the SecurityService (a
cast would be required later on).
The easiest and most transparent solution would be (in my view), that
org.apache.turbine.om.security.User interface extends TurbineUserDelegate
and that at one point the delegate is called (as the TurbineUser OM class
does implement Fulcrum TurbineUser, which implements Fulcrum User this
would be no problem. We have to call getUserDelegate before the
modelManager grant method is called, i.e. in DefaultSecurityService). No
other changes seem to be needed .. I'll create an issue in TRB JIRA as
soon as possible..

As a result you may have to use the Torque mapper for now, cft. your
action FluxUserAction, cft. the github patch
(https://github.com/jlpainter/turbine-flux/pull/1, you might just review
the changes).

I posted a copy to the dev list, where the discussion might continue ...

Best regards, Georg



Von: Jeffery Painter <***@jivecast.com>
An: ***@turbine.apache.org
Datum: 18.11.2017 00:43
Betreff: Re: Problem with grant and revoke user roles in turbine-4




I gave it one last shot, but I am still having trouble with casting the
user object. The security service seems to only want to give me the
wrapper version and I cannot cast it to anything that the removeUser()
method likes....

maybe you can take a look at the following method.


Here is my logging output.

2017-11-17 18:32:39,818 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction - getUser()
type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper

2017-11-17 18:32:41,105 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction -
o.a.t.o.s.User type:
org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper

2017-11-17 18:32:42,598 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction -
o.a.f.s.m.t.e.TurbineUser type:
org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper

2017-11-17 18:33:06,031 [http-nio-8080-exec-4] ERROR
org.apache.turbine.flux.modules.actions.user.FluxUserAction - Could not
remove user: org.apache.fulcrum.security.util.UnknownEntityException:
Could not find User/Group/Role

and the method call I am trying to use to delete the user...


/**
* ActionEvent responsible for removing a user from the Tambora
system.
*/
public void doDelete(PipelineData pipelineData, Context context)
throws Exception {

try {
RunData data = getRunData(pipelineData);
String username = data.getParameters().getString("username");
if (!StringUtils.isEmpty(username)) {
if (security.accountExists(username)) {

// this is always returning the wrapper version of
our user
User user1 = security.getUser(username);
log.debug("getUser() type: " +
user1.getClass().getTypeName().toString() );

// same and does not work
User user2 = (org.apache.turbine.om.security.User)
security.getUser(username);
log.debug("o.a.t.o.s.User type: " +
user2.getClass().getTypeName().toString() );

// no change - and you cannot use the interface
class as a parameter to the removeUser method
org.apache.fulcrum.security.model.turbine.entity.TurbineUser user3 =
(org.apache.fulcrum.security.model.turbine.entity.TurbineUser)
security.getUser(username);
log.debug("o.a.f.s.m.t.e.TurbineUser type: " +
user3.getClass().getTypeName().toString() );

// Tried using reflection to cast and still doesn't
work
org.apache.turbine.om.security.User forceUser =
org.apache.turbine.om.security.User.class.cast(
security.getUser(username) );
log.debug("o.a.t.o.s.User type: " +
forceUser.getClass().getTypeName().toString() );

//security.revokeAll(user);
// remove user does the revokeAll above...
security.removeUser(forceUser);

} else {
log.error("User does not exist!");
}
}
} catch (Exception e) {
log.error("Could not remove user: " + e);
}
}
Hi Georg,
I did a quick test on the remove role method with the following change
and it works. My problem with role removal was that in my test case,
the role was associated with users and could not be removed. Maybe a
better error message would help? :-) The user management needs a bit
more work as well to make it comply with the SecurityService. I will
work on that. The old flux tool also had some weirdness in the way it
handled the getRole() getGroup() getUser() method where it was caching
the last loaded entry... I am fixing that as well.
I inserted a few new roles and was able to remove them. I am working
on updating the rest of the FluxTool methods so they behave
appropriately. When I get it into decent shape, I will push updates
to my github project for you to test out if you like before we make a
space to put it into the apache source control.
That will most likely be after Nov 25th when I get back into town. Who
knows - if I get bored, I may open up some code on my laptop, but not
likely as we are going on a cruise where it will be nice and warm!
Thanks,
Jeff
Hi Jeff,
as far as I can see, I assume the implementation class might be
TorqueTurbineModelManagerImpl? Could you check this? Your second
attempt may be indeed close, but the reason is missing. Could you
provide the stack/cause of the exception?
Probably, if this is the case, at this point of the code of the model
manager the role, group and user are already checked, but what might
have caused the exception is a failing cast to
- org.apache.fulcrum.security.model.turbine.entity.TurbineUser of the
user object or
-
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
of any of the objects, which may be the reason, if in your schema the
baseclass attribute is not set to
org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineXXX
(XXX = User|Role|Group) class (or another class implementing the
required interface, cft. the example torque-security-schem.xml in the
Turbine webapp archetype)...
And thanks for your efforts to migrate / use the flux library!
Best regards, Georg
Datum: 16.11.2017 23:29
Betreff: Re: Problem with grant and revoke user roles in turbine-4
I looked a little more at the test cases, and got my code setup enough
to try and call the fulcrum security service directly...
// try using fulcrum service
((TurbineModelManager)fulcrumSecurityService.getModelManager()).grant(fulcrumUser,
group, role);
I verified that this loaded the user "dean" from the database as a
fulcrumUser and it came through with a class type of
com.jivecast.smartorder.om.TurbineUser rather than the wrapper that the
turbine security service provided. and now I get a DataBackendException
error on the grant call...
2017-11-16 17:24:43,722 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 17:24:47,895 [http-nio-8080-exec-3] DEBUG
com.jivecast.smartorder.om.TurbineUser
2017-11-16 17:24:54,147 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:24:55,750 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:24:56,031 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:24:56,315 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:24:56,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:25:03,129 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:25:03,143 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:25:09,097 [http-nio-8080-exec-3] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
role to user: inventory
2017-11-16 17:25:10,535 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.ModelManager' in the local
container
2017-11-16 17:25:10,545 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.RoleManager' in the local
container
2017-11-16 17:25:10,547 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:25:10,560 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 17:25:10,561 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:25:10,598 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.GroupManager' in the local
container
2017-11-16 17:25:10,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:25:25,202 [http-nio-8080-exec-3] ERROR
com.jivecast.smartorder.modules.actions.admin.UserAction - Error
setting
grant('dean', 'global', 'inventory') failed
any ideas?
--
Jeff
Hi Georg,
I am making some good progress. I don't know if you remember the old
flux library for user management, but I have started to re-write that
to work with Turbine 4.0. I am having some troubles however with the
grant/revoke roles with casting the user object incorrectly from the
TurbineWrapper class. Can you help me with the issue I am having
below? I looked at the unit tests in the Turbine source for
inspiration on migrating, but it isn't recognizing the user class
properly. I even tried to manually downcast (see my code below), and
still cannot make it work.
If I can get this all working, I thought it might be useful to publish
a new flux library compatible with Turbine-4.0 for user management as
a guide to others on how to get started.
My logs show the following error when calling the grant/revoke method
on the security service when trying to add the "inventory" role to a
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
role to user: inventory
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.RoleManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager - get cached
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager - get cached
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.GroupManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager - get cached
2017-11-16 16:49:26,919 [http-nio-8080-exec-13] ERROR
com.jivecast.smartorder.modules.actions.admin.UserAction - Error
com.jivecast.smartorder.wrapper.TurbineUserWrapper cannot be cast to
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
Here is the relevant code in my doRoles() method to make the new
import org.apache.turbine.services.security.SecurityService;
and in the body of the class, I use the injection to get the instance
mapped
/** Injected service instance */
@TurbineService
private SecurityService security;
.... then my action class method is called doRoles() which does the
role assignment and fails
/**
* Update the roles that are to assigned to a user for a project.
*/
public void doRoles(PipelineData pipelineData, Context context)
throws Exception {
try {
RunData data = getRunData(pipelineData);
// Get the Turbine ACL implementation for our current
user, only admin can update user roles
TurbineAccessControlList adminAcl =
getRunData(data).getACL();
if (adminAcl.hasRole("administrator")) {
// Username of the account we are updating
String username =
data.getParameters().getString("username");
if (security.accountExists(username)) {
// Try to downcast for the security grant
function
org.apache.turbine.om.security.User user =
(org.apache.turbine.om.security.User) security.getUser(username);
// Get the Turbine ACL implementation
TurbineAccessControlList acl =
security.getACL(user);
/*
* Grab all the Groups and Roles in the system.
*/
GroupSet groups = security.getAllGroups();
RoleSet roles = security.getAllRoles();
for (Group group : groups) {
String groupName = group.getName();
for (Role role : roles) {
String roleName = role.getName();
/*
* In the UserRoleForm.vm we made a
checkbox for every possible Group/Role
* combination so we will compare every
possible combination with the values
* that were checked off in the form. If
we have a match then we will grant the
* user the role in the group.
*/
String groupRole = groupName + roleName;
String formGroupRole =
data.getParameters().getString(groupRole);
if (formGroupRole != null &&
!acl.hasRole(role, group)) {
// add the role for this user
if (acl.hasRole(role) == false) {
log.debug("Adding new role to
user: " + role.getName());
security.grant(user, group,
role);
}
} else if (formGroupRole == null &&
acl.hasRole(role, group)) {
// revoke the role for this user
log.debug("Revoke role: " +
role.getName());
security.revoke(user, group, role);
}
}
}
} else {
log.error("User does not exist!");
}
} else {
data.setMessage("You do not have access to perform
this action.");
}
} catch (Exception e) {
log.error("Error setting roles: " + e.toString());
}
}
--
Jeff Painter

CEO and Founder of JiveCast
Software and analytics, made together
http://jivecast.com

301 Fayetteville St. Unit 2301, Raleigh, NC 27601
(919) 533-9024


---------------------------------------------------------------------
To unsubscribe, e-mail: user-***@turbine.apache.org
For additional commands, e-mail: user-***@turbine.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@turbine.apache.org
For additional commands, e-mail: dev-***@turbine.apache.org
Jeffery Painter
2017-11-25 19:59:36 UTC
Permalink
Hi Georg,

That helped a lot with the grant/revoke of roles.  I updated the code
for revoking as well to match.  I have flux tool now managing the
add/removal/update for both groups and roles. Permissions was still
giving me some issues and I need to look into that more when I have
time.  I don't use permission level security (just groups and roles) but
to call the tool complete, I should get it working as well.

I pushed my last updates here:

https://github.com/jlpainter/turbine-flux/commit/81420058acfff26cca346b58ee971fab2eb8201e

The one main issue I see now is that I cannot add/update/delete a user. 
I am getting the same cryptic DataBackendException error and can't seem
to get past it. It looks like it is most likely related to the issue you
have already identified below.

Let me know where I can help with this.

Thanks,
Jeff
Post by Georg Kallidis
Hi Jeffery,
that´s in any case very cool to do this fluxTooling! ;-)
I checked out your GitHub project fluxtest and I may have found the bug
(in Turbine).
The issue is that the Turbine service class
org.apache.turbine.services.security.DefaultSecurityService implementing
org.apache.turbine.services.security.SecurityService requires as user
model org.apache.turbine.om.security.User (=User).
On the other side the Fulcrum implementation of the grant method uses a
method (update) (defined in
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity)
seems to expect as contract fulcrum user object, but also
TorqueAbstractSecurityEntity, which is implemented by the Turbineuser om
class by extending the appropriate baseClass
org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineUser in
the schema (= TurbineUser).
How to match this? It WOULD be possible to retrieve the backing
TurbineUser object from the User with the getUserDelegate() method.
But the interface TurbineUserDelegate is not part of the contract of
turbine.om.security.User (though DefaultUserImpl DOES implement
TurbineUserDelegate) this is somewhat hidden in the SecurityService (a
cast would be required later on).
The easiest and most transparent solution would be (in my view), that
org.apache.turbine.om.security.User interface extends TurbineUserDelegate
and that at one point the delegate is called (as the TurbineUser OM class
does implement Fulcrum TurbineUser, which implements Fulcrum User this
would be no problem. We have to call getUserDelegate before the
modelManager grant method is called, i.e. in DefaultSecurityService). No
other changes seem to be needed .. I'll create an issue in TRB JIRA as
soon as possible..
As a result you may have to use the Torque mapper for now, cft. your
action FluxUserAction, cft. the github patch
(https://github.com/jlpainter/turbine-flux/pull/1, you might just review
the changes).
I posted a copy to the dev list, where the discussion might continue ...
Best regards, Georg
Datum: 18.11.2017 00:43
Betreff: Re: Problem with grant and revoke user roles in turbine-4
I gave it one last shot, but I am still having trouble with casting the
user object. The security service seems to only want to give me the
wrapper version and I cannot cast it to anything that the removeUser()
method likes....
maybe you can take a look at the following method.
Here is my logging output.
2017-11-17 18:32:39,818 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction - getUser()
type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
2017-11-17 18:32:41,105 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction -
org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
2017-11-17 18:32:42,598 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction -
org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
2017-11-17 18:33:06,031 [http-nio-8080-exec-4] ERROR
org.apache.turbine.flux.modules.actions.user.FluxUserAction - Could not
Could not find User/Group/Role
and the method call I am trying to use to delete the user...
/**
* ActionEvent responsible for removing a user from the Tambora
system.
*/
public void doDelete(PipelineData pipelineData, Context context)
throws Exception {
try {
RunData data = getRunData(pipelineData);
String username = data.getParameters().getString("username");
if (!StringUtils.isEmpty(username)) {
if (security.accountExists(username)) {
// this is always returning the wrapper version of
our user
User user1 = security.getUser(username);
log.debug("getUser() type: " +
user1.getClass().getTypeName().toString() );
// same and does not work
User user2 = (org.apache.turbine.om.security.User)
security.getUser(username);
log.debug("o.a.t.o.s.User type: " +
user2.getClass().getTypeName().toString() );
// no change - and you cannot use the interface
class as a parameter to the removeUser method
org.apache.fulcrum.security.model.turbine.entity.TurbineUser user3 =
(org.apache.fulcrum.security.model.turbine.entity.TurbineUser)
security.getUser(username);
log.debug("o.a.f.s.m.t.e.TurbineUser type: " +
user3.getClass().getTypeName().toString() );
// Tried using reflection to cast and still doesn't
work
org.apache.turbine.om.security.User forceUser =
org.apache.turbine.om.security.User.class.cast(
security.getUser(username) );
log.debug("o.a.t.o.s.User type: " +
forceUser.getClass().getTypeName().toString() );
//security.revokeAll(user);
// remove user does the revokeAll above...
security.removeUser(forceUser);
} else {
log.error("User does not exist!");
}
}
} catch (Exception e) {
log.error("Could not remove user: " + e);
}
}
Hi Georg,
I did a quick test on the remove role method with the following change
and it works. My problem with role removal was that in my test case,
the role was associated with users and could not be removed. Maybe a
better error message would help? :-) The user management needs a bit
more work as well to make it comply with the SecurityService. I will
work on that. The old flux tool also had some weirdness in the way it
handled the getRole() getGroup() getUser() method where it was caching
the last loaded entry... I am fixing that as well.
I inserted a few new roles and was able to remove them. I am working
on updating the rest of the FluxTool methods so they behave
appropriately. When I get it into decent shape, I will push updates
to my github project for you to test out if you like before we make a
space to put it into the apache source control.
That will most likely be after Nov 25th when I get back into town. Who
knows - if I get bored, I may open up some code on my laptop, but not
likely as we are going on a cruise where it will be nice and warm!
Thanks,
Jeff
Hi Jeff,
as far as I can see, I assume the implementation class might be
TorqueTurbineModelManagerImpl? Could you check this? Your second
attempt may be indeed close, but the reason is missing. Could you
provide the stack/cause of the exception?
Probably, if this is the case, at this point of the code of the model
manager the role, group and user are already checked, but what might
have caused the exception is a failing cast to
- org.apache.fulcrum.security.model.turbine.entity.TurbineUser of the
user object or
-
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
of any of the objects, which may be the reason, if in your schema the
baseclass attribute is not set to
org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineXXX
(XXX = User|Role|Group) class (or another class implementing the
required interface, cft. the example torque-security-schem.xml in the
Turbine webapp archetype)...
And thanks for your efforts to migrate / use the flux library!
Best regards, Georg
Datum: 16.11.2017 23:29
Betreff: Re: Problem with grant and revoke user roles in turbine-4
I looked a little more at the test cases, and got my code setup enough
to try and call the fulcrum security service directly...
// try using fulcrum service
((TurbineModelManager)fulcrumSecurityService.getModelManager()).grant(fulcrumUser,
group, role);
I verified that this loaded the user "dean" from the database as a
fulcrumUser and it came through with a class type of
com.jivecast.smartorder.om.TurbineUser rather than the wrapper that the
turbine security service provided. and now I get a DataBackendException
error on the grant call...
2017-11-16 17:24:43,722 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 17:24:47,895 [http-nio-8080-exec-3] DEBUG
com.jivecast.smartorder.om.TurbineUser
2017-11-16 17:24:54,147 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:24:55,750 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:24:56,031 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:24:56,315 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:24:56,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:25:03,129 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:25:03,143 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:25:09,097 [http-nio-8080-exec-3] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
role to user: inventory
2017-11-16 17:25:10,535 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.ModelManager' in the local
container
2017-11-16 17:25:10,545 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.RoleManager' in the local
container
2017-11-16 17:25:10,547 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:25:10,560 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 17:25:10,561 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:25:10,598 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.GroupManager' in the local
container
2017-11-16 17:25:10,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager
- get cached
2017-11-16 17:25:25,202 [http-nio-8080-exec-3] ERROR
com.jivecast.smartorder.modules.actions.admin.UserAction - Error
setting
grant('dean', 'global', 'inventory') failed
any ideas?
--
Jeff
Hi Georg,
I am making some good progress. I don't know if you remember the old
flux library for user management, but I have started to re-write that
to work with Turbine 4.0. I am having some troubles however with the
grant/revoke roles with casting the user object incorrectly from the
TurbineWrapper class. Can you help me with the issue I am having
below? I looked at the unit tests in the Turbine source for
inspiration on migrating, but it isn't recognizing the user class
properly. I even tried to manually downcast (see my code below), and
still cannot make it work.
If I can get this all working, I thought it might be useful to publish
a new flux library compatible with Turbine-4.0 for user management as
a guide to others on how to get started.
My logs show the following error when calling the grant/revoke method
on the security service when trying to add the "inventory" role to a
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
role to user: inventory
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.RoleManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager - get cached
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager - get cached
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.GroupManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager - get cached
2017-11-16 16:49:26,919 [http-nio-8080-exec-13] ERROR
com.jivecast.smartorder.modules.actions.admin.UserAction - Error
com.jivecast.smartorder.wrapper.TurbineUserWrapper cannot be cast to
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
Here is the relevant code in my doRoles() method to make the new
import org.apache.turbine.services.security.SecurityService;
and in the body of the class, I use the injection to get the instance
mapped
/** Injected service instance */
@TurbineService
private SecurityService security;
.... then my action class method is called doRoles() which does the
role assignment and fails
/**
* Update the roles that are to assigned to a user for a project.
*/
public void doRoles(PipelineData pipelineData, Context context)
throws Exception {
try {
RunData data = getRunData(pipelineData);
// Get the Turbine ACL implementation for our current
user, only admin can update user roles
TurbineAccessControlList adminAcl =
getRunData(data).getACL();
if (adminAcl.hasRole("administrator")) {
// Username of the account we are updating
String username =
data.getParameters().getString("username");
if (security.accountExists(username)) {
// Try to downcast for the security grant
function
org.apache.turbine.om.security.User user =
(org.apache.turbine.om.security.User) security.getUser(username);
// Get the Turbine ACL implementation
TurbineAccessControlList acl =
security.getACL(user);
/*
* Grab all the Groups and Roles in the system.
*/
GroupSet groups = security.getAllGroups();
RoleSet roles = security.getAllRoles();
for (Group group : groups) {
String groupName = group.getName();
for (Role role : roles) {
String roleName = role.getName();
/*
* In the UserRoleForm.vm we made a
checkbox for every possible Group/Role
* combination so we will compare every
possible combination with the values
* that were checked off in the form. If
we have a match then we will grant the
* user the role in the group.
*/
String groupRole = groupName + roleName;
String formGroupRole =
data.getParameters().getString(groupRole);
if (formGroupRole != null &&
!acl.hasRole(role, group)) {
// add the role for this user
if (acl.hasRole(role) == false) {
log.debug("Adding new role to
user: " + role.getName());
security.grant(user, group,
role);
}
} else if (formGroupRole == null &&
acl.hasRole(role, group)) {
// revoke the role for this user
log.debug("Revoke role: " +
role.getName());
security.revoke(user, group, role);
}
}
}
} else {
log.error("User does not exist!");
}
} else {
data.setMessage("You do not have access to perform
this action.");
}
} catch (Exception e) {
log.error("Error setting roles: " + e.toString());
}
}
--
Jeff Painter

CEO and Founder of JiveCast
Software and analytics, made together
http://jivecast.com

301 Fayetteville St. Unit 2301, Raleigh, NC 27601
(919) 533-9024


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@turbine.apache.org
For additional commands, e-mail: dev-***@turbine.apache.org
Jeffery Painter
2017-11-26 15:26:23 UTC
Permalink
Hi Georg,

I was able to develop a work around but it is pretty ugly.  I can now
add/delete/update user accounts.  I have posted the flux update here:

https://github.com/jlpainter/turbine-flux/commit/762efbf4fb02c339e4cea384ffee5d46689693d4

The weird part is the security.changePassword(user, oldpw, newpw) method
works with the wrapped user object whereas none of the other methods
like security.revokeAll(user) are working... maybe there is a clue in that.


--
Jeff
Hi Georg,
That helped a lot with the grant/revoke of roles.  I updated the code
for revoking as well to match.  I have flux tool now managing the
add/removal/update for both groups and roles. Permissions was still
giving me some issues and I need to look into that more when I have
time.  I don't use permission level security (just groups and roles)
but to call the tool complete, I should get it working as well.
https://github.com/jlpainter/turbine-flux/commit/81420058acfff26cca346b58ee971fab2eb8201e
The one main issue I see now is that I cannot add/update/delete a
user.  I am getting the same cryptic DataBackendException error and
can't seem to get past it. It looks like it is most likely related to
the issue you have already identified below.
Let me know where I can help with this.
Thanks,
Jeff
Post by Georg Kallidis
Hi Jeffery,
that´s in any case very cool to do this fluxTooling! ;-)
I checked out your GitHub project fluxtest and I may have found the bug
(in Turbine).
The issue is that the Turbine service class
org.apache.turbine.services.security.DefaultSecurityService implementing
org.apache.turbine.services.security.SecurityService requires as user
model org.apache.turbine.om.security.User (=User).
On the other side the Fulcrum implementation of the grant method uses a
method (update) (defined in
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity)
seems to expect as contract fulcrum user object, but also
TorqueAbstractSecurityEntity, which is implemented by the Turbineuser om
class by extending the appropriate baseClass
org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineUser in
the schema (= TurbineUser).
How to match this? It WOULD be possible to retrieve the backing
TurbineUser object from the User with the getUserDelegate() method.
But the interface TurbineUserDelegate is not part of the contract of
turbine.om.security.User (though DefaultUserImpl DOES implement
TurbineUserDelegate) this is somewhat hidden in the SecurityService (a
cast would be required later on).
The easiest and most transparent solution would be (in my view), that
org.apache.turbine.om.security.User interface extends
TurbineUserDelegate
and that at one point the delegate is called (as the TurbineUser OM class
does implement Fulcrum TurbineUser, which implements Fulcrum User this
would be no problem. We have to call getUserDelegate before the
modelManager grant method is called, i.e. in DefaultSecurityService). No
other changes seem to be needed .. I'll create an issue in TRB JIRA as
soon as possible..
As a result you may have to use the Torque mapper for now, cft. your
action FluxUserAction, cft. the github patch
(https://github.com/jlpainter/turbine-flux/pull/1, you might just review
the changes).
I posted a copy to the dev list, where the discussion might continue ...
Best regards, Georg
Datum:  18.11.2017 00:43
Betreff:        Re: Problem with grant and revoke user roles in
turbine-4
I gave it one last shot, but I am still having trouble with casting the
user object. The security service seems to only want to give me the
wrapper version and I cannot cast it to anything that the removeUser()
method likes....
maybe you can take a look at the following method.
Here is my logging output.
2017-11-17 18:32:39,818 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction - getUser()
type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
2017-11-17 18:32:41,105 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction -
org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
2017-11-17 18:32:42,598 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction -
org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
2017-11-17 18:33:06,031 [http-nio-8080-exec-4] ERROR
org.apache.turbine.flux.modules.actions.user.FluxUserAction - Could not
Could not find User/Group/Role
and the method call I am trying to use to delete the user...
      /**
       * ActionEvent responsible for removing a user from the Tambora
system.
       */
      public void doDelete(PipelineData pipelineData, Context context)
throws Exception {
          try {
              RunData data = getRunData(pipelineData);
              String username =
data.getParameters().getString("username");
              if (!StringUtils.isEmpty(username)) {
                  if (security.accountExists(username)) {
                      // this is always returning the wrapper version of
our user
                      User user1 = security.getUser(username);
                      log.debug("getUser() type: " +
user1.getClass().getTypeName().toString() );
                      // same and does not work
                      User user2 = (org.apache.turbine.om.security.User)
security.getUser(username);
                      log.debug("o.a.t.o.s.User type: " +
user2.getClass().getTypeName().toString() );
                      // no change - and you cannot use the interface
class as a parameter to the removeUser method
org.apache.fulcrum.security.model.turbine.entity.TurbineUser user3 =
(org.apache.fulcrum.security.model.turbine.entity.TurbineUser)
security.getUser(username);
                      log.debug("o.a.f.s.m.t.e.TurbineUser type: " +
user3.getClass().getTypeName().toString() );
                      // Tried using reflection to cast and still
doesn't
work
                      org.apache.turbine.om.security.User forceUser =
org.apache.turbine.om.security.User.class.cast(
security.getUser(username) );
                      log.debug("o.a.t.o.s.User type: " +
forceUser.getClass().getTypeName().toString() );
                      //security.revokeAll(user);
                      // remove user does the revokeAll above...
                      security.removeUser(forceUser);
                  } else {
                      log.error("User does not exist!");
                  }
              }
          } catch (Exception e) {
              log.error("Could not remove user: " + e);
          }
      }
Hi Georg,
I did a quick test on the remove role method with the following change
and it works.  My problem with role removal was that in my test case,
the role was associated with users and could not be removed. Maybe a
better error message would help? :-)   The user management needs a bit
more work as well to make it comply with the SecurityService. I will
work on that.  The old flux tool also had some weirdness in the way it
handled the getRole() getGroup() getUser() method where it was caching
the last loaded entry... I am fixing that as well.
I inserted a few new roles and was able to remove them.  I am working
on updating the rest of the FluxTool methods so they behave
appropriately.  When I get it into decent shape, I will push updates
to my github project for you to test out if you like before we make a
space to put it into the apache source control.
That will most likely be after Nov 25th when I get back into town. Who
knows - if I get bored, I may open up some code on my laptop, but not
likely as we are going on a cruise where it will be nice and warm!
Thanks,
Jeff
Hi Jeff,
as far as I can see, I assume the implementation class might be
TorqueTurbineModelManagerImpl? Could you check this? Your second
attempt may be indeed close, but the reason is missing. Could you
provide the stack/cause of the exception?
Probably, if this is the case, at this point of the code of the model
manager the role, group and user are already checked, but what might
have caused the exception is a failing cast to
- org.apache.fulcrum.security.model.turbine.entity.TurbineUser of the
user object or
-
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
of any of the objects, which may be the reason, if in your schema the
baseclass attribute is not set to
org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineXXX
(XXX = User|Role|Group) class (or another class implementing the
required interface, cft. the example torque-security-schem.xml in the
Turbine webapp archetype)...
And thanks for your efforts to migrate / use the flux library!
Best regards, Georg
Datum: 16.11.2017 23:29
Betreff: Re: Problem with grant and revoke user roles in turbine-4
I looked a little more at the test cases, and got my code setup enough
to try and call the fulcrum security service directly...
                                       // try using fulcrum service
((TurbineModelManager)fulcrumSecurityService.getModelManager()).grant(fulcrumUser,
group, role);
I verified that this loaded the user "dean" from the database as a
fulcrumUser and it came through with a class type of
com.jivecast.smartorder.om.TurbineUser rather than the wrapper that the
turbine security service provided. and now I get a
DataBackendException
error on the grant call...
2017-11-16 17:24:43,722 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 17:24:47,895 [http-nio-8080-exec-3] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction -
com.jivecast.smartorder.om.TurbineUser
2017-11-16 17:24:54,147 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:24:55,750 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:24:56,031 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:24:56,315 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:24:56,599 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:25:03,129 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:25:03,143 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:25:09,097 [http-nio-8080-exec-3] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
role to user: inventory
2017-11-16 17:25:10,535 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.ModelManager' in the local
container
2017-11-16 17:25:10,545 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.RoleManager' in the local
container
2017-11-16 17:25:10,547 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:25:10,560 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 17:25:10,561 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:25:10,598 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.GroupManager' in the local
container
2017-11-16 17:25:10,599 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:25:25,202 [http-nio-8080-exec-3] ERROR
com.jivecast.smartorder.modules.actions.admin.UserAction - Error
setting
grant('dean', 'global', 'inventory') failed
any ideas?
--
Jeff
Hi Georg,
I am making some good progress.  I don't know if you remember the old
flux library for user management, but I have started to re-write that
to work with Turbine 4.0.  I am having some troubles however with the
grant/revoke roles with casting the user object incorrectly from the
TurbineWrapper class.  Can you help me with the issue I am having
below?  I looked at the unit tests in the Turbine source for
inspiration on migrating, but it isn't recognizing the user class
properly.  I even tried to manually downcast (see my code below), and
still cannot make it work.
If I can get this all working, I thought it might be useful to publish
a new flux library compatible with Turbine-4.0 for user management as
a guide to others on how to get started.
My logs show the following error when calling the grant/revoke method
on the security service when trying to add the "inventory" role to a
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
role to user: inventory
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.RoleManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager -  get cached
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager -  get cached
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.GroupManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager -  get cached
2017-11-16 16:49:26,919 [http-nio-8080-exec-13] ERROR
com.jivecast.smartorder.modules.actions.admin.UserAction - Error
com.jivecast.smartorder.wrapper.TurbineUserWrapper cannot be cast to
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
Here is the relevant code in my doRoles() method to make the new
import org.apache.turbine.services.security.SecurityService;
and in the body of the class, I use the injection to get the instance
mapped
      /** Injected service instance */
      private SecurityService security;
.... then my action class method is called doRoles() which does the
role assignment and fails
      /**
       * Update the roles that are to assigned to a user for a
project.
       */
      public void doRoles(PipelineData pipelineData, Context context)
throws Exception {
          try {
              RunData data = getRunData(pipelineData);
              // Get the Turbine ACL implementation for our current
user, only admin can update user roles
              TurbineAccessControlList adminAcl =
getRunData(data).getACL();
              if (adminAcl.hasRole("administrator")) {
                  // Username of the account we are updating
                  String username =
data.getParameters().getString("username");
                  if (security.accountExists(username)) {
                      // Try to downcast for the security grant
function
org.apache.turbine.om.security.User user =
(org.apache.turbine.om.security.User) security.getUser(username);
                      // Get the Turbine ACL implementation
                      TurbineAccessControlList acl =
security.getACL(user);
                      /*
                       * Grab all the Groups and Roles in the system.
                       */
                      GroupSet groups = security.getAllGroups();
                      RoleSet roles = security.getAllRoles();
                      for (Group group : groups) {
                          String groupName = group.getName();
                          for (Role role : roles) {
                              String roleName = role.getName();
                              /*
                               * In the UserRoleForm.vm we made a
checkbox for every possible Group/Role
                               * combination so we will compare every
possible combination with the values
                               * that were checked off in the
form. If
we have a match then we will grant the
                               * user the role in the group.
                               */
                              String groupRole = groupName +
roleName;
                              String formGroupRole =
data.getParameters().getString(groupRole);
                              if (formGroupRole != null &&
!acl.hasRole(role, group)) {
                                  // add the role for this user
                                  if (acl.hasRole(role) == false) {
                                      log.debug("Adding new role to
user: " + role.getName());
                                      security.grant(user, group,
role);
                                  }
                              } else if (formGroupRole == null &&
acl.hasRole(role, group)) {
                                  // revoke the role for this user
                                  log.debug("Revoke role: " +
role.getName());
                                  security.revoke(user, group, role);
                              }
                          }
                      }
                  } else {
                      log.error("User does not exist!");
                  }
              } else {
                  data.setMessage("You do not have access to perform
this action.");
              }
          } catch (Exception e) {
              log.error("Error setting roles: " + e.toString());
          }
      }
--
Jeff Painter

CEO and Founder of JiveCast
Software and analytics, made together
http://jivecast.com

301 Fayetteville St. Unit 2301, Raleigh, NC 27601
(919) 533-9024


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@turbine.apache.org
For additional commands, e-mail: dev-***@turbine.apache.org
Jeffery Painter
2017-11-27 00:03:25 UTC
Permalink
Further testing with permissions reveals some more issues regarding the
security interface.  I was able to get a role-permission model
enforcement to work using the same kind of work around you had for
revoke/grant of user roles.

Last update for the night here:
https://github.com/jlpainter/turbine-flux/commit/1ff398ce2b48427dc94115bb389f89fac9f29856

--
Jeff
Hi Georg,
I was able to develop a work around but it is pretty ugly.  I can now
https://github.com/jlpainter/turbine-flux/commit/762efbf4fb02c339e4cea384ffee5d46689693d4
The weird part is the security.changePassword(user, oldpw, newpw)
method works with the wrapped user object whereas none of the other
methods like security.revokeAll(user) are working... maybe there is a
clue in that.
--
Jeff
Hi Georg,
That helped a lot with the grant/revoke of roles.  I updated the code
for revoking as well to match.  I have flux tool now managing the
add/removal/update for both groups and roles. Permissions was still
giving me some issues and I need to look into that more when I have
time.  I don't use permission level security (just groups and roles)
but to call the tool complete, I should get it working as well.
https://github.com/jlpainter/turbine-flux/commit/81420058acfff26cca346b58ee971fab2eb8201e
The one main issue I see now is that I cannot add/update/delete a
user.  I am getting the same cryptic DataBackendException error and
can't seem to get past it. It looks like it is most likely related to
the issue you have already identified below.
Let me know where I can help with this.
Thanks,
Jeff
Post by Georg Kallidis
Hi Jeffery,
that´s in any case very cool to do this fluxTooling! ;-)
I checked out your GitHub project fluxtest and I may have found the bug
(in Turbine).
The issue is that the Turbine service class
org.apache.turbine.services.security.DefaultSecurityService
implementing
org.apache.turbine.services.security.SecurityService requires as user
model org.apache.turbine.om.security.User (=User).
On the other side the Fulcrum implementation of the grant method uses a
method (update) (defined in
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity)
seems to expect as contract fulcrum user object, but also
TorqueAbstractSecurityEntity, which is implemented by the
Turbineuser om
class by extending the appropriate baseClass
org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineUser in
the schema (= TurbineUser).
How to match this? It WOULD be possible to retrieve the backing
TurbineUser object from the User with the getUserDelegate() method.
But the interface TurbineUserDelegate is not part of the contract of
turbine.om.security.User (though DefaultUserImpl DOES implement
TurbineUserDelegate) this is somewhat hidden in the SecurityService (a
cast would be required later on).
The easiest and most transparent solution would be (in my view), that
org.apache.turbine.om.security.User interface extends
TurbineUserDelegate
and that at one point the delegate is called (as the TurbineUser OM class
does implement Fulcrum TurbineUser, which implements Fulcrum User this
would be no problem. We have to call getUserDelegate before the
modelManager grant method is called, i.e. in
DefaultSecurityService). No
other changes seem to be needed .. I'll create an issue in TRB JIRA as
soon as possible..
As a result you may have to use the Torque mapper for now, cft. your
action FluxUserAction, cft. the github patch
(https://github.com/jlpainter/turbine-flux/pull/1, you might just review
the changes).
I posted a copy to the dev list, where the discussion might continue ...
Best regards, Georg
Datum:  18.11.2017 00:43
Betreff:        Re: Problem with grant and revoke user roles in
turbine-4
I gave it one last shot, but I am still having trouble with casting the
user object. The security service seems to only want to give me the
wrapper version and I cannot cast it to anything that the removeUser()
method likes....
maybe you can take a look at the following method.
Here is my logging output.
2017-11-17 18:32:39,818 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction - getUser()
type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
2017-11-17 18:32:41,105 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction -
org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
2017-11-17 18:32:42,598 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction -
org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
2017-11-17 18:33:06,031 [http-nio-8080-exec-4] ERROR
org.apache.turbine.flux.modules.actions.user.FluxUserAction - Could not
Could not find User/Group/Role
and the method call I am trying to use to delete the user...
      /**
       * ActionEvent responsible for removing a user from the Tambora
system.
       */
      public void doDelete(PipelineData pipelineData, Context context)
throws Exception {
          try {
              RunData data = getRunData(pipelineData);
              String username =
data.getParameters().getString("username");
              if (!StringUtils.isEmpty(username)) {
                  if (security.accountExists(username)) {
                      // this is always returning the wrapper
version of
our user
                      User user1 = security.getUser(username);
                      log.debug("getUser() type: " +
user1.getClass().getTypeName().toString() );
                      // same and does not work
                      User user2 =
(org.apache.turbine.om.security.User)
security.getUser(username);
                      log.debug("o.a.t.o.s.User type: " +
user2.getClass().getTypeName().toString() );
                      // no change - and you cannot use the interface
class as a parameter to the removeUser method
org.apache.fulcrum.security.model.turbine.entity.TurbineUser user3 =
(org.apache.fulcrum.security.model.turbine.entity.TurbineUser)
security.getUser(username);
                      log.debug("o.a.f.s.m.t.e.TurbineUser type: " +
user3.getClass().getTypeName().toString() );
                      // Tried using reflection to cast and still
doesn't
work
                      org.apache.turbine.om.security.User forceUser =
org.apache.turbine.om.security.User.class.cast(
security.getUser(username) );
                      log.debug("o.a.t.o.s.User type: " +
forceUser.getClass().getTypeName().toString() );
                      //security.revokeAll(user);
                      // remove user does the revokeAll above...
                      security.removeUser(forceUser);
                  } else {
                      log.error("User does not exist!");
                  }
              }
          } catch (Exception e) {
              log.error("Could not remove user: " + e);
          }
      }
Hi Georg,
I did a quick test on the remove role method with the following change
and it works.  My problem with role removal was that in my test case,
the role was associated with users and could not be removed. Maybe a
better error message would help? :-)   The user management needs a bit
more work as well to make it comply with the SecurityService. I will
work on that.  The old flux tool also had some weirdness in the way it
handled the getRole() getGroup() getUser() method where it was caching
the last loaded entry... I am fixing that as well.
I inserted a few new roles and was able to remove them.  I am working
on updating the rest of the FluxTool methods so they behave
appropriately.  When I get it into decent shape, I will push updates
to my github project for you to test out if you like before we make a
space to put it into the apache source control.
That will most likely be after Nov 25th when I get back into town. Who
knows - if I get bored, I may open up some code on my laptop, but not
likely as we are going on a cruise where it will be nice and warm!
Thanks,
Jeff
Hi Jeff,
as far as I can see, I assume the implementation class might be
TorqueTurbineModelManagerImpl? Could you check this? Your second
attempt may be indeed close, but the reason is missing. Could you
provide the stack/cause of the exception?
Probably, if this is the case, at this point of the code of the model
manager the role, group and user are already checked, but what might
have caused the exception is a failing cast to
- org.apache.fulcrum.security.model.turbine.entity.TurbineUser of the
user object or
-
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
of any of the objects, which may be the reason, if in your schema the
baseclass attribute is not set to
org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineXXX
(XXX = User|Role|Group) class (or another class implementing the
required interface, cft. the example torque-security-schem.xml in the
Turbine webapp archetype)...
And thanks for your efforts to migrate / use the flux library!
Best regards, Georg
Datum: 16.11.2017 23:29
Betreff: Re: Problem with grant and revoke user roles in turbine-4
I looked a little more at the test cases, and got my code setup enough
to try and call the fulcrum security service directly...
                                       // try using fulcrum service
((TurbineModelManager)fulcrumSecurityService.getModelManager()).grant(fulcrumUser,
group, role);
I verified that this loaded the user "dean" from the database as a
fulcrumUser and it came through with a class type of
com.jivecast.smartorder.om.TurbineUser rather than the wrapper that the
turbine security service provided. and now I get a
DataBackendException
error on the grant call...
2017-11-16 17:24:43,722 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 17:24:47,895 [http-nio-8080-exec-3] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction -
com.jivecast.smartorder.om.TurbineUser
2017-11-16 17:24:54,147 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:24:55,750 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:24:56,031 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:24:56,315 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:24:56,599 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:25:03,129 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:25:03,143 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:25:09,097 [http-nio-8080-exec-3] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
role to user: inventory
2017-11-16 17:25:10,535 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.ModelManager' in the local
container
2017-11-16 17:25:10,545 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.RoleManager' in the local
container
2017-11-16 17:25:10,547 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:25:10,560 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 17:25:10,561 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:25:10,598 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.GroupManager' in the local
container
2017-11-16 17:25:10,599 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
-  get cached
2017-11-16 17:25:25,202 [http-nio-8080-exec-3] ERROR
com.jivecast.smartorder.modules.actions.admin.UserAction - Error
setting
grant('dean', 'global', 'inventory') failed
any ideas?
--
Jeff
Hi Georg,
I am making some good progress.  I don't know if you remember the old
flux library for user management, but I have started to re-write that
to work with Turbine 4.0.  I am having some troubles however with the
grant/revoke roles with casting the user object incorrectly from the
TurbineWrapper class.  Can you help me with the issue I am having
below?  I looked at the unit tests in the Turbine source for
inspiration on migrating, but it isn't recognizing the user class
properly.  I even tried to manually downcast (see my code below), and
still cannot make it work.
If I can get this all working, I thought it might be useful to publish
a new flux library compatible with Turbine-4.0 for user
management as
a guide to others on how to get started.
My logs show the following error when calling the grant/revoke method
on the security service when trying to add the "inventory" role to a
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
role to user: inventory
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.RoleManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager -  get cached
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager -  get cached
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.GroupManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager -  get cached
2017-11-16 16:49:26,919 [http-nio-8080-exec-13] ERROR
com.jivecast.smartorder.modules.actions.admin.UserAction - Error
com.jivecast.smartorder.wrapper.TurbineUserWrapper cannot be cast to
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
Here is the relevant code in my doRoles() method to make the new
import org.apache.turbine.services.security.SecurityService;
and in the body of the class, I use the injection to get the instance
mapped
      /** Injected service instance */
      private SecurityService security;
.... then my action class method is called doRoles() which does the
role assignment and fails
      /**
       * Update the roles that are to assigned to a user for a
project.
       */
      public void doRoles(PipelineData pipelineData, Context context)
throws Exception {
          try {
              RunData data = getRunData(pipelineData);
              // Get the Turbine ACL implementation for our current
user, only admin can update user roles
              TurbineAccessControlList adminAcl =
getRunData(data).getACL();
              if (adminAcl.hasRole("administrator")) {
                  // Username of the account we are updating
                  String username =
data.getParameters().getString("username");
                  if (security.accountExists(username)) {
                      // Try to downcast for the security grant
function
org.apache.turbine.om.security.User user =
(org.apache.turbine.om.security.User) security.getUser(username);
                      // Get the Turbine ACL implementation
                      TurbineAccessControlList acl =
security.getACL(user);
                      /*
                       * Grab all the Groups and Roles in the
system.
                       */
                      GroupSet groups = security.getAllGroups();
                      RoleSet roles = security.getAllRoles();
                      for (Group group : groups) {
                          String groupName = group.getName();
                          for (Role role : roles) {
                              String roleName = role.getName();
                              /*
                               * In the UserRoleForm.vm we made a
checkbox for every possible Group/Role
                               * combination so we will compare
every
possible combination with the values
                               * that were checked off in the
form. If
we have a match then we will grant the
                               * user the role in the group.
                               */
                              String groupRole = groupName +
roleName;
                              String formGroupRole =
data.getParameters().getString(groupRole);
                              if (formGroupRole != null &&
!acl.hasRole(role, group)) {
                                  // add the role for this user
                                  if (acl.hasRole(role) == false) {
                                      log.debug("Adding new role to
user: " + role.getName());
security.grant(user, group,
role);
}
                              } else if (formGroupRole == null &&
acl.hasRole(role, group)) {
                                  // revoke the role for this user
                                  log.debug("Revoke role: " +
role.getName());
                                  security.revoke(user, group,
role);
                              }
                          }
                      }
                  } else {
                      log.error("User does not exist!");
                  }
              } else {
                  data.setMessage("You do not have access to perform
this action.");
              }
          } catch (Exception e) {
              log.error("Error setting roles: " + e.toString());
          }
      }
--
Jeff Painter

CEO and Founder of JiveCast
Software and analytics, made together
http://jivecast.com

301 Fayetteville St. Unit 2301, Raleigh, NC 27601
(919) 533-9024


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@turbine.apache.org
For additional commands, e-mail: dev-***@turbine.apache.org
Georg Kallidis
2017-11-27 14:13:48 UTC
Permalink
Hi Jeffery,
Post by Jeffery Painter
The weird part is the security.changePassword(user, oldpw, newpw) method
works with the wrapped user object whereas none of the other methods
like security.revokeAll(user) are working... maybe there is a clue in that.
The simple reason for this is that in the Turbine security service
changePassword method the delegate is already called, but only by the
called user manager (DefaultUserManager)!

umDelegate.changePassword( ((TurbineUserDelegate)user).getUserDelegate(),
oldPassword, newPassword);

The same is true for the method store, but not for a couple of other
security service methods (grant, revoke, revokeAll, addUser, removeUser,
in user manager: forcePassword, getACL, removeAccount, createAccount,
accountExists). Provided that we use Torque Security (Hibernate may be the
same) we need using the delegate because only the OM classes extend from
the (abstract) classes, which implement the required methods in
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
used by the Fulcrum Torque managers.

I think about how to better define the interface in Fulcrum Turbine Torque
(require the class, which is effectively used later). I'll nevertheless
update Turbine (4.1-SNAPSHOT) Fulcrum Security 1.1.2-SNAPSHOT and Turbine
Webapp for what we know now is bug.

If we think about a more robust approach, the question is of course, where
should the tests be placed? Fulcrum is a abstract module to Turbine and
Turbine has up to now no Torque dependency and the tests are incomplete
apparently. The only place where both Torque Fulcrum module and Turbine
module come together is in the Turbine Webapp. It may be there, where a
test should be added... it' s already kind of evolving into a test
environment. I ´ll check this..

We may consider a follow-up Turbine release (better 4.0.1 than 4.1!) as
well as a Fulcrum Security Torque 1.1.2. What do you think?


Best regards, Georg



Von: Jeffery Painter <***@jivecast.com>
An: ***@turbine.apache.org
Datum: 26.11.2017 16:26
Betreff: Re: Problem with grant and revoke user roles in turbine-4



Hi Georg,

I was able to develop a work around but it is pretty ugly. I can now
add/delete/update user accounts. I have posted the flux update here:

https://github.com/jlpainter/turbine-flux/commit/762efbf4fb02c339e4cea384ffee5d46689693d4


The weird part is the security.changePassword(user, oldpw, newpw) method
works with the wrapped user object whereas none of the other methods
like security.revokeAll(user) are working... maybe there is a clue in
that.


--
Jeff
Post by Jeffery Painter
Hi Georg,
That helped a lot with the grant/revoke of roles. I updated the code
for revoking as well to match. I have flux tool now managing the
add/removal/update for both groups and roles. Permissions was still
giving me some issues and I need to look into that more when I have
time. I don't use permission level security (just groups and roles)
but to call the tool complete, I should get it working as well.
https://github.com/jlpainter/turbine-flux/commit/81420058acfff26cca346b58ee971fab2eb8201e
Post by Jeffery Painter
The one main issue I see now is that I cannot add/update/delete a
user. I am getting the same cryptic DataBackendException error and
can't seem to get past it. It looks like it is most likely related to
the issue you have already identified below.
Let me know where I can help with this.
Thanks,
Jeff
Post by Georg Kallidis
Hi Jeffery,
that´s in any case very cool to do this fluxTooling! ;-)
I checked out your GitHub project fluxtest and I may have found the bug
(in Turbine).
The issue is that the Turbine service class
org.apache.turbine.services.security.DefaultSecurityService
implementing
Post by Jeffery Painter
Post by Georg Kallidis
org.apache.turbine.services.security.SecurityService requires as user
model org.apache.turbine.om.security.User (=User).
On the other side the Fulcrum implementation of the grant method uses a
method (update) (defined in
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity)
Post by Jeffery Painter
Post by Georg Kallidis
seems to expect as contract fulcrum user object, but also
TorqueAbstractSecurityEntity, which is implemented by the Turbineuser om
class by extending the appropriate baseClass
org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineUser in
the schema (= TurbineUser).
How to match this? It WOULD be possible to retrieve the backing
TurbineUser object from the User with the getUserDelegate() method.
But the interface TurbineUserDelegate is not part of the contract of
turbine.om.security.User (though DefaultUserImpl DOES implement
TurbineUserDelegate) this is somewhat hidden in the SecurityService (a
cast would be required later on).
The easiest and most transparent solution would be (in my view), that
org.apache.turbine.om.security.User interface extends
TurbineUserDelegate
and that at one point the delegate is called (as the TurbineUser OM class
does implement Fulcrum TurbineUser, which implements Fulcrum User this
would be no problem. We have to call getUserDelegate before the
modelManager grant method is called, i.e. in DefaultSecurityService). No
other changes seem to be needed .. I'll create an issue in TRB JIRA as
soon as possible..
As a result you may have to use the Torque mapper for now, cft. your
action FluxUserAction, cft. the github patch
(https://github.com/jlpainter/turbine-flux/pull/1, you might just review
the changes).
I posted a copy to the dev list, where the discussion might continue ...
Best regards, Georg
Datum: 18.11.2017 00:43
Betreff: Re: Problem with grant and revoke user roles in turbine-4
I gave it one last shot, but I am still having trouble with casting the
user object. The security service seems to only want to give me the
wrapper version and I cannot cast it to anything that the removeUser()
method likes....
maybe you can take a look at the following method.
Here is my logging output.
2017-11-17 18:32:39,818 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction - getUser()
type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
2017-11-17 18:32:41,105 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction -
org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
2017-11-17 18:32:42,598 [http-nio-8080-exec-4] DEBUG
org.apache.turbine.flux.modules.actions.user.FluxUserAction -
org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper
2017-11-17 18:33:06,031 [http-nio-8080-exec-4] ERROR
org.apache.turbine.flux.modules.actions.user.FluxUserAction - Could not
Could not find User/Group/Role
and the method call I am trying to use to delete the user...
/**
* ActionEvent responsible for removing a user from the Tambora
system.
*/
public void doDelete(PipelineData pipelineData, Context context)
throws Exception {
try {
RunData data = getRunData(pipelineData);
String username =
data.getParameters().getString("username");
if (!StringUtils.isEmpty(username)) {
if (security.accountExists(username)) {
// this is always returning the wrapper version of
our user
User user1 = security.getUser(username);
log.debug("getUser() type: " +
user1.getClass().getTypeName().toString() );
// same and does not work
User user2 =
(org.apache.turbine.om.security.User)
Post by Jeffery Painter
Post by Georg Kallidis
security.getUser(username);
log.debug("o.a.t.o.s.User type: " +
user2.getClass().getTypeName().toString() );
// no change - and you cannot use the interface
class as a parameter to the removeUser method
org.apache.fulcrum.security.model.turbine.entity.TurbineUser user3 =
(org.apache.fulcrum.security.model.turbine.entity.TurbineUser)
security.getUser(username);
log.debug("o.a.f.s.m.t.e.TurbineUser type: " +
user3.getClass().getTypeName().toString() );
// Tried using reflection to cast and still doesn't
work
org.apache.turbine.om.security.User forceUser =
org.apache.turbine.om.security.User.class.cast(
security.getUser(username) );
log.debug("o.a.t.o.s.User type: " +
forceUser.getClass().getTypeName().toString() );
//security.revokeAll(user);
// remove user does the revokeAll above...
security.removeUser(forceUser);
} else {
log.error("User does not exist!");
}
}
} catch (Exception e) {
log.error("Could not remove user: " + e);
}
}
Hi Georg,
I did a quick test on the remove role method with the following change
and it works. My problem with role removal was that in my test case,
the role was associated with users and could not be removed. Maybe a
better error message would help? :-) The user management needs a bit
more work as well to make it comply with the SecurityService. I will
work on that. The old flux tool also had some weirdness in the way it
handled the getRole() getGroup() getUser() method where it was caching
the last loaded entry... I am fixing that as well.
I inserted a few new roles and was able to remove them. I am working
on updating the rest of the FluxTool methods so they behave
appropriately. When I get it into decent shape, I will push updates
to my github project for you to test out if you like before we make a
space to put it into the apache source control.
That will most likely be after Nov 25th when I get back into town. Who
knows - if I get bored, I may open up some code on my laptop, but not
likely as we are going on a cruise where it will be nice and warm!
Thanks,
Jeff
Hi Jeff,
as far as I can see, I assume the implementation class might be
TorqueTurbineModelManagerImpl? Could you check this? Your second
attempt may be indeed close, but the reason is missing. Could you
provide the stack/cause of the exception?
Probably, if this is the case, at this point of the code of the model
manager the role, group and user are already checked, but what might
have caused the exception is a failing cast to
- org.apache.fulcrum.security.model.turbine.entity.TurbineUser of the
user object or
-
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
Post by Jeffery Painter
Post by Georg Kallidis
of any of the objects, which may be the reason, if in your schema the
baseclass attribute is not set to
org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineXXX
(XXX = User|Role|Group) class (or another class implementing the
required interface, cft. the example torque-security-schem.xml in the
Turbine webapp archetype)...
And thanks for your efforts to migrate / use the flux library!
Best regards, Georg
Datum: 16.11.2017 23:29
Betreff: Re: Problem with grant and revoke user roles in turbine-4
I looked a little more at the test cases, and got my code setup enough
to try and call the fulcrum security service directly...
// try using fulcrum service
((TurbineModelManager)fulcrumSecurityService.getModelManager()).grant(fulcrumUser,
Post by Jeffery Painter
Post by Georg Kallidis
group, role);
I verified that this loaded the user "dean" from the database as a
fulcrumUser and it came through with a class type of
com.jivecast.smartorder.om.TurbineUser rather than the wrapper that the
turbine security service provided. and now I get a
DataBackendException
error on the grant call...
2017-11-16 17:24:43,722 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 17:24:47,895 [http-nio-8080-exec-3] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction -
com.jivecast.smartorder.om.TurbineUser
2017-11-16 17:24:54,147 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
2017-11-16 17:24:55,750 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
2017-11-16 17:24:56,031 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
2017-11-16 17:24:56,315 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
2017-11-16 17:24:56,599 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
2017-11-16 17:25:03,129 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
2017-11-16 17:25:03,143 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
2017-11-16 17:25:09,097 [http-nio-8080-exec-3] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
role to user: inventory
2017-11-16 17:25:10,535 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.ModelManager' in the local
container
2017-11-16 17:25:10,545 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.RoleManager' in the local
container
2017-11-16 17:25:10,547 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
2017-11-16 17:25:10,560 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 17:25:10,561 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
2017-11-16 17:25:10,598 [http-nio-8080-exec-3] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.GroupManager' in the local
container
2017-11-16 17:25:10,599 [http-nio-8080-exec-3] DEBUG
avalon.peerManager
- get cached
2017-11-16 17:25:25,202 [http-nio-8080-exec-3] ERROR
com.jivecast.smartorder.modules.actions.admin.UserAction - Error
setting
grant('dean', 'global', 'inventory') failed
any ideas?
--
Jeff
Hi Georg,
I am making some good progress. I don't know if you remember the old
flux library for user management, but I have started to re-write that
to work with Turbine 4.0. I am having some troubles however with the
grant/revoke roles with casting the user object incorrectly from the
TurbineWrapper class. Can you help me with the issue I am having
below? I looked at the unit tests in the Turbine source for
inspiration on migrating, but it isn't recognizing the user class
properly. I even tried to manually downcast (see my code below), and
still cannot make it work.
If I can get this all working, I thought it might be useful to publish
a new flux library compatible with Turbine-4.0 for user management as
a guide to others on how to get started.
My logs show the following error when calling the grant/revoke method
on the security service when trying to add the "inventory" role to a
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new
role to user: inventory
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.RoleManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager - get cached
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.UserManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager - get cached
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located
the service 'org.apache.fulcrum.security.GroupManager' in the local
container
2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG
avalon.peerManager - get cached
2017-11-16 16:49:26,919 [http-nio-8080-exec-13] ERROR
com.jivecast.smartorder.modules.actions.admin.UserAction - Error
com.jivecast.smartorder.wrapper.TurbineUserWrapper cannot be cast to
org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity
Post by Jeffery Painter
Post by Georg Kallidis
Here is the relevant code in my doRoles() method to make the new
import org.apache.turbine.services.security.SecurityService;
and in the body of the class, I use the injection to get the instance
mapped
/** Injected service instance */
@TurbineService
private SecurityService security;
.... then my action class method is called doRoles() which does the
role assignment and fails
/**
* Update the roles that are to assigned to a user for a project.
*/
public void doRoles(PipelineData pipelineData, Context context)
throws Exception {
try {
RunData data = getRunData(pipelineData);
// Get the Turbine ACL implementation for our current
user, only admin can update user roles
TurbineAccessControlList adminAcl =
getRunData(data).getACL();
if (adminAcl.hasRole("administrator")) {
// Username of the account we are updating
String username =
data.getParameters().getString("username");
if (security.accountExists(username)) {
// Try to downcast for the security grant
function
org.apache.turbine.om.security.User user =
(org.apache.turbine.om.security.User) security.getUser(username);
// Get the Turbine ACL implementation
TurbineAccessControlList acl =
security.getACL(user);
/*
* Grab all the Groups and Roles in the system.
*/
GroupSet groups = security.getAllGroups();
RoleSet roles = security.getAllRoles();
for (Group group : groups) {
String groupName = group.getName();
for (Role role : roles) {
String roleName = role.getName();
/*
* In the UserRoleForm.vm we made a
checkbox for every possible Group/Role
* combination so we will compare every
possible combination with the values
* that were checked off in the form. If
we have a match then we will grant the
* user the role in the group.
*/
String groupRole = groupName + roleName;
String formGroupRole =
data.getParameters().getString(groupRole);
if (formGroupRole != null &&
!acl.hasRole(role, group)) {
// add the role for this user
if (acl.hasRole(role) == false) {
log.debug("Adding new role to
user: " + role.getName());
security.grant(user, group,
role);
}
} else if (formGroupRole == null &&
acl.hasRole(role, group)) {
// revoke the role for this user
log.debug("Revoke role: " +
role.getName());
security.revoke(user, group, role);
}
}
}
} else {
log.error("User does not exist!");
}
} else {
data.setMessage("You do not have access to perform
this action.");
}
} catch (Exception e) {
log.error("Error setting roles: " + e.toString());
}
}
--
Jeff Painter

CEO and Founder of JiveCast
Software and analytics, made together
http://jivecast.com

301 Fayetteville St. Unit 2301, Raleigh, NC 27601
(919) 533-9024


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@turbine.apache.org
For additional commands, e-mail: dev-***@turbine.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@turbine.apache.org
For additional commands, e-mail: dev-***@turbine.apache.org
Loading...