  1. Seam Security
  2. SEAMSECURITY-62

Using identity management to add user in group prevents user from logging in

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.0.0.Final
    • Fix Version/s: 3.1.0.Beta1
    • Labels:
      None

      Description

      Hi,

      I'm using seam-security with JPAIdentityStore.
      When I use RelationshipManager to add a user to a group (as described in the reference guide), I cannot log in anymore with this user.
      Indeed, when I call associateUser, the entry created in the identityobjectrelationship table has a null name, and when I call identity.login for this user I get:

      10:03:27,292 ERROR [org.jboss.seam.security.IdentityImpl] Login failed: java.lang.RuntimeException: java.lang.IllegalArgumentException: name cannot be null
      at org.jboss.seam.security.IdentityImpl.authenticate(IdentityImpl.java:329) [:3.0.0.Final]
      at org.jboss.seam.security.IdentityImpl.login(IdentityImpl.java:229) [:3.0.0.Final]
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_20]
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_20]
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_20]
      at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_20]
      at org.apache.el.parser.AstValue.invoke(AstValue.java:196) [:6.0.0.Final]
      at org.apache.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276) [:6.0.0.Final]
      at org.jboss.weld.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:43) [:6.0.0.Final]
      at org.jboss.weld.el.WeldMethodExpression.invoke(WeldMethodExpression.java:56) [:6.0.0.Final]
      at org.jboss.weld.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:43) [:6.0.0.Final]
      at org.jboss.weld.el.WeldMethodExpression.invoke(WeldMethodExpression.java:56) [:6.0.0.Final]
      at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:102) [:2.0.3-]
      at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:84) [:2.0.3-]
      at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:98) [:2.0.3-]
      at javax.faces.component.UICommand.broadcast(UICommand.java:311) [:2.0.3-]
      at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:781) [:2.0.3-]
      at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1246) [:2.0.3-]
      at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:77) [:2.0.3-]
      at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:97) [:2.0.3-]
      at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:114) [:2.0.3-]
      at javax.faces.webapp.FacesServlet.service(FacesServlet.java:308) [:2.0.3-]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:324) [:6.0.0.Final]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.0.0.Final]
      at org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:67) [:6.0.0.Final]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:274) [:6.0.0.Final]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.0.0.Final]
      at com.ocpsoft.pretty.PrettyFilter.doFilter(PrettyFilter.java:118) [:]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:274) [:6.0.0.Final]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.0.0.Final]
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [:6.0.0.Final]
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [:6.0.0.Final]
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:181) [:6.0.0.Final]
      at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.event(CatalinaContext.java:285) [:1.1.0.Final]
      at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.invoke(CatalinaContext.java:261) [:1.1.0.Final]
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:88) [:6.0.0.Final]
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:100) [:6.0.0.Final]
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [:6.0.0.Final]
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [:6.0.0.Final]
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) [:6.0.0.Final]
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [:6.0.0.Final]
      at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:53) [:6.0.0.Final]
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [:6.0.0.Final]
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [:6.0.0.Final]
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654) [:6.0.0.Final]
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951) [:6.0.0.Final]
      at java.lang.Thread.run(Thread.java:619) [:1.6.0_20]
      Caused by: java.lang.IllegalArgumentException: name cannot be null
      at org.picketlink.idm.impl.api.model.SimpleRoleType.<init>(SimpleRoleType.java:41) [:1.5.0.Alpha02]
      at org.picketlink.idm.impl.api.session.managers.RoleManagerImpl.findUserRoleTypes(RoleManagerImpl.java:580) [:1.5.0.Alpha02]
      at org.picketlink.idm.impl.api.session.managers.RoleManagerImpl.findUserRoleTypes(RoleManagerImpl.java:552) [:1.5.0.Alpha02]
      at org.jboss.seam.security.management.IdmAuthenticator.authenticate(IdmAuthenticator.java:49) [:3.0.0.Final]
      at org.jboss.seam.security.IdentityImpl.authenticate(IdentityImpl.java:305) [:3.0.0.Final]
      ... 46 more


          Activity

          maximilien wiktorowski maximilien added a comment - - edited

          Looking a little more into the code shows me that the problem is that JPAIdentityStore doesn't implement user/group association yet.
          It could be useful to indicate this in the doc.

          maximilien wiktorowski maximilien added a comment - - edited

          More info on this: when we try to retrieve the user's roles by calling identitySession.getRoleManager().findUserRoleTypes(u), the picketlink RoleManager calls JpaIdentityStore.getRelationShipNames to retrieve role names.
          The problem is that the function doesn't filter out relationship entries with a null name (which correspond to a membership association).
          Looking at HibernateIdentityStore shows they filter this using a "%" restriction on the query:

              Path<String> rolesOnly = root.get(relationshipNameProperty.getName());
              predicates.add(builder.like(rolesOnly, "%"));

          That solves the roles loading, but then when we try to retrieve the user's groups by calling identitySession.getRelationshipManager().findAssociatedGroups(u), picketlink calls this function:

              public Collection<IdentityObject> findIdentityObject(
                    IdentityStoreInvocationContext invocationCxt, IdentityObject identity,
                    IdentityObjectRelationshipType relationshipType, boolean parent,
                    IdentityObjectSearchCriteria criteria) throws IdentityException
              {
                 List<IdentityObject> objs = new ArrayList<IdentityObject>();
                 System.out.println("*** Invoked unimplemented method findIdentityObject()");
                 // TODO Auto-generated method stub
                 return objs;
              }
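The null-name behaviour described in the comment above, reproduced as an added example (not code from Seam Security or PicketLink). An in-memory SQLite table stands in for identityobjectrelationship; the column layout other than name, the sample rows and the helper names are assumptions. It shows why a LIKE '%' restriction keeps only role rows: NULL LIKE '%' is never true, so membership rows with a null name drop out and role loading at login no longer aborts.

```python
import sqlite3

# Constructed sample rows (group, member, name). A NULL name marks a plain
# group membership; a non-NULL name is a role held within that group.
ROWS = [
    ("staff", "jdoe", None),
    ("staff", "jdoe", "admin"),
    ("staff", "jdoe", "auditor"),
    ("staff", "asmith", "auditor"),
]

FILTERS = {
    "none": "",                            # behaviour reported in the issue
    "like": " AND name LIKE '%'",          # restriction quoted from HibernateIdentityStore
    "not_null": " AND name IS NOT NULL",   # explicit form of the same condition
}

def open_store():
    """In-memory stand-in for the relationship table (column layout assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE identityobjectrelationship (grp TEXT, member TEXT, name TEXT)")
    db.executemany("INSERT INTO identityobjectrelationship VALUES (?, ?, ?)", ROWS)
    return db

def relationship_names(db, member, mode):
    """Return relationship names for a member under the chosen filter."""
    sql = ("SELECT name FROM identityobjectrelationship WHERE member = ?"
           + FILTERS[mode] + " ORDER BY name")
    return [row[0] for row in db.execute(sql, (member,))]

def make_role_type(name):
    """Hypothetical stand-in for a role-type constructor that rejects null names."""
    if name is None:
        raise ValueError("name cannot be null")
    return ("role", name)

def load_roles(db, member, mode):
    """Role loading as done at login: one bad row aborts the whole call."""
    return [make_role_type(n) for n in relationship_names(db, member, mode)]

if __name__ == "__main__":
    db = open_store()
    for mode in FILTERS:
        print(mode, relationship_names(db, "jdoe", mode))
    print(load_roles(db, "jdoe", "like"))
```
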
          poulpe Charles Louppe added a comment -

          Attached is a temporary patch fixing the implementation of findIdentityObject while waiting for the official fix.

          shane.bryzak Shane Bryzak added a comment -

          Fixed, thanks for the patches. If there are still issues with this functionality after the 3.1.0.Beta1 release, please re-open with details.


            People

            • Assignee:
              shane.bryzak Shane Bryzak
              Reporter:
              maximilien wiktorowski maximilien
            • Votes:
              3
              Watchers:
              3
