
The problems I am facing are related to authorization:

  1. I am granting the application's roles to the users in this way: BasicModel.grantRole(relationshipManager, identity.getAccount(), role);

but when I use hasRole(this.relationshipManager, this.identity.getAccount(), role); it seems to always return true, even if I grant another role, e.g. I granted the ROLEA role and when I ask for ROLEB it returns true. The grantRole methods that I found in the PL quickstarts are not recognized by the compiler, but hasRole is.

  2. The authorization annotations seem not to be working: they allow users that are not logged in to invoke the method, and of course allow users with any role to invoke the method:

@LoggedIn
@RolesAllowed({"borrower"})

Otherwise PL seems to be working well, with authentication and the identityManager. My environment is WildFly 8.2, PK 2.7.Final, JPA. These are the classes that I am mapping from the basic model:

<class>org.picketlink.idm.jpa.model.sample.simple.AttributedTypeEntity</class>
<class>org.picketlink.idm.jpa.model.sample.simple.RoleTypeEntity</class>
<class>org.picketlink.idm.jpa.model.sample.simple.IdentityTypeEntity</class>
<class>org.picketlink.idm.jpa.model.sample.simple.RelationshipTypeEntity</class>
<class>org.picketlink.idm.jpa.model.sample.simple.RelationshipIdentityTypeEntity</class>
<class>org.picketlink.idm.jpa.model.sample.simple.PartitionTypeEntity</class>
<class>org.picketlink.idm.jpa.model.sample.simple.AttributeTypeEntity</class>
  • How do you create the roles? – Alex Nevidomsky Apr 17 '15 at 16:07
  • I am creating the roles in a Singleton Startup EJB: Role investorRole = new Role(Roles.INVESTOR.getLabel()); Role borrowerRole = new Role(Roles.BORROWER.getLabel()); Partition partition = PartitionManager.getPartition(Realm.class,Resources.REALM_ACME_NAME); IdentityManager im = this.partitionManager.createIdentityManager(partition); im.add(investorRole); im.add(adminRole); im.add(borrowerRole); im.add(managerRole); – Jose Yances Apr 23 '15 at 19:28

2 Answers

This may not be the final answer, just won't fit into a comment.

One radical way is to debug the whole thing manually. A slightly less mind-blowing approach, though, would be to look at the database contents. You didn't mention your db type, but there are plenty of tools for examining db contents around. Use one of them:

  1. Go to the user_type_entity table (maybe without underscores) and note the user id.

  2. Go to the role_type_entity table and check that your role names are there, only one line each. Note the ids of the roles.

  3. Go to the relationship_identity_type_entity table and look at the role/assignee pairs with the same owner_id (owner_id likely points to some Grant type in the relationship_type_entity table, but we do not need to examine that now).

db table snapshot

So, the key question: do you have the undesired roles assigned to your users there? If so, your function does exactly what it is supposed to do, and you need to look at your code more closely to see if you granted the thing accidentally somewhere.

If your user is not listed as an assignee of the role and yet hasRole returns true ... well, then you may have a problem with PicketLink itself, and debugging of the function may be required.

Alex Nevidomsky
  • Alex, about my first issue, I was granting several times the same role to a user account. The issue is now solved. – Jose Yances Apr 29 '15 at 22:56
  • About the second one, I still have problems with the authorization annotations: @LoggedIn @RolesAllowed("borrower") I have added the interceptor in my beans.xml org.apache.deltaspike.security.impl.extension.SecurityInterceptor – Jose Yances Apr 29 '15 at 23:05

I checked the database registers and found that I was assigning all the roles to the users. I also used the HttpSecurityConfiguration for the authorization problems.
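As an added example (not code from the question, the answers or the PicketLink project), a small helper around the BasicModel API used in the question: it grants a role only if the account does not already hold it, then checks every known role separately, so an over-broad assignment like the one found in the database becomes visible at grant time instead of in a later hasRole call. It assumes the roles were already created in the partition at startup (as in the comment above) and that the caller supplies the list of known role names and the set the user is expected to hold.

```java
import java.util.ArrayList;
import java.util.List;

import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.model.Partition;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Role;
import org.picketlink.idm.model.basic.User;

// Added example, not part of the original post or of PicketLink itself.
public class RoleGrantCheck {

    private final IdentityManager identityManager;
    private final RelationshipManager relationshipManager;

    // Same partition lookup as the question's startup EJB (partition is assumed to exist).
    RoleGrantCheck(PartitionManager partitionManager, Partition partition) {
        this.identityManager = partitionManager.createIdentityManager(partition);
        this.relationshipManager = partitionManager.createRelationshipManager();
    }

    // Grants roleName to user unless it is already held; returns true only when a new Grant is created.
    boolean grantOnce(User user, String roleName) {
        Role role = BasicModel.getRole(identityManager, roleName);
        if (role == null) {
            throw new IllegalStateException("role was not created in this partition: " + roleName);
        }
        if (BasicModel.hasRole(relationshipManager, user, role)) {
            return false; // a second grantRole would add a duplicate Grant relationship row
        }
        BasicModel.grantRole(relationshipManager, user, role);
        return true;
    }

    // Returns the subset of knownRoles that user actually holds, checked one role at a time.
    List<String> rolesHeld(User user, List<String> knownRoles) {
        List<String> held = new ArrayList<>();
        for (String name : knownRoles) {
            Role role = BasicModel.getRole(identityManager, name);
            if (role != null && BasicModel.hasRole(relationshipManager, user, role)) {
                held.add(name);
            }
        }
        return held;
    }

    // Fails fast when the held set differs from what the application expects for this user.
    void assertHoldsExactly(User user, List<String> knownRoles, List<String> expected) {
        List<String> held = rolesHeld(user, knownRoles);
        if (!held.containsAll(expected) || !expected.containsAll(held)) {
            throw new IllegalStateException("unexpected roles for " + user.getLoginName()
                    + ": held " + held + ", expected " + expected);
        }
    }
}
```

Running assertHoldsExactly right after the startup grants, with knownRoles covering every role the application defines, would have reported the extra assignments before any @RolesAllowed check was reached.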