mdjj Posted December 10, 2008 Share Posted December 10, 2008 Has anyone else had problems getting Domain Security to work?We're trying to restrict what a user can see based on the Charity they are with. We've set up some users in jasperserver with an additional attribute of Charity (defined in the jiprofileattribute table). We can use the data from this in a scriptlet and applying this to a report it works fine. However, when we try and apply the security xml to a domain the data never gets restricted and the log outputs :16:58:05,734 DEBUG securiytyCheck,http-8081-Processor25:157 - filterPresentationObjectBySecurity: No relevantItemGroupAccessLists16:58:05,734 DEBUG SemanticLayerSecurityResolverImpl,http-8081-Processor25:515 - Evaluating JoinTree_1_List for resourceId: JoinTree_116:58:05,797 DEBUG SemanticLayerSecurityResolverImpl,http-8081-Processor25:522 - Evaluating authentication.getPrincipal().getAttributes().any{ it.getAttrName() in ['Charity'] } . got: null16:58:05,828 DEBUG JdbcTableDataSet,http-8081-Processor25:83 -The security xml looks like :<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted"> <resourceAccessGrants> <!-- Row level security --> <!-- What access do roles/users have to the rows in the resource? --> <!-- Row level security for the single data island--> <resourceAccessGrantList id="JoinTree_1_List" label="ListLabel" resourceId="JoinTree_1"> <resourceAccessGrants> <resourceAccessGrant id="JoinTree_1_Row_Access_Grant_Charity"> <principalExpression> <![CDATA[ authentication.getPrincipal().getAttributes().any{ it.getAttrName() in ['Charity'] } ]]> </principalExpression> <filterExpression>charity.charityCode in ('CharityX')</filterExpression> </resourceAccessGrant> </resourceAccessGrants> </resourceAccessGrantList> </resourceAccessGrants></securityDefinition>Have looked and relooked at the documentation and we seem to be following what's suggested. Have we missed something fundamental or has anyone got any suggestions? Link to comment Share on other sites More sharing options...
swood Posted December 30, 2008 Share Posted December 30, 2008 getAttributes() works in the principalExpression. Luke got this working for you, right? ShermanJaspersoft Link to comment Share on other sites More sharing options...
mdjj Posted January 2, 2009 Author Share Posted January 2, 2009 Yep thanks Luke got this working.My next question was around dynamic filtering. Is it possible to change the filter expression based on a groovy expression or something similar.I would like to do something like :<resourceAccessGrant id="JoinTree_1_Row_Access_Grant_Charity"> <principalExpression><![CDATA[authentication.getPrincipal().getAttributes().any{ it.getAttrName() in ['Charity']}]]></principalExpression> <filterExpression>charity.charityCode in ('<![CDATA[authentication.getPrincipal().getAttributes().find{it.getAttrName().equals('Charity')}.getAttrValue()]]>')</filterExpression></resourceAccessGrant>Where the attribute value is used in the filter expression. Because our users will all have the same role but will have a different attribute set in their security profile we want to restrict what they see based on this attribute. From all the examples I've seen each value of the attribute is coded into the security file so you filter on charity1, charity2 etc.I've tried this but filterExpression doesn't seem to handle scripting??? Link to comment Share on other sites More sharing options...
swood Posted January 12, 2009 Share Posted January 12, 2009 You can use an "groovy" expression in the filterExpression, like groovy('an expression'), to generate SQL elements. ShermanJaspersoft Link to comment Share on other sites More sharing options...
rkm258 Posted January 28, 2009 Share Posted January 28, 2009 Swood, Can you please explain how dynamic values can be used in filterExpression. I have a requirement where, i need to search for a value in User Profile Attribute valuelike <filterExpression>user.user_id in (${user_hierarchy})</filterExpression> where user_hierarchy (a user profile attribute) is a comma separated list of userid's In all the documentation that i have seen only static values are used in the filterExpressionThank YouRam Link to comment Share on other sites More sharing options...
pw1971 Posted April 8, 2009 Share Posted April 8, 2009 Did you manage to get the dynamic values to work? Thanks. Link to comment Share on other sites More sharing options...
andrewsok Posted April 8, 2009 Share Posted April 8, 2009 Dynamic values are available in filterExpression since v.3.5 (released recently).In 3.5 you can do the following: Code: Post Edited by Andrew Sokolnikov at 04/08/09 22:02Post Edited by Andrew Sokolnikov at 04/08/09 22:03 Link to comment Share on other sites More sharing options...
pw1971 Posted April 9, 2009 Share Posted April 9, 2009 Do you know how to retrieve the tenantId from the jasperserver JIUser table. I have tried the below but it doesn't allow access to any of the data. Changing it to <filterExpression>OwnerID in ('2')</filterExpression> allows the data to be displayed.Code:<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted"> <resourceAccessGrants> <resourceAccessGrantList id="Point_Array" label="Point_Array" resourceId="Point_Array"> <resourceAccessGrants> <resourceAccessGrant id="Point_Array1"> <principalExpression>authentication.getPrincipal().tenantId != null</principalExpression> <filterExpression>OwnerID in (groovy('authentication.principal.tenantId.toUpperCase()'))</filterExpression> </resourceAccessGrant> </resourceAccessGrants> </resourceAccessGrantList> </resourceAccessGrants></securityDefinition> Link to comment Share on other sites More sharing options...
rkm258 Posted April 9, 2009 Share Posted April 9, 2009 Hi, The tenantid column in JIUser relation is not of String type, i don't think u can use toUpperCase() method on it. Try converting the value to a String and then applying toUpperCase(). Also i saw that u used ownerID in ('2'), just wondering if ur ownerid is of type int Quick Question: 1. I'am new to Groovy, Does groovy expression groovy('expression') return only String values ?2. If i have a 'User Profile Attribute' say attrName 10,20,21,11,13 if want a filterExpression to perform the SQL operation userID in (10,20,21,11,13) i.e userID in (attrName), How should the filterExpression be defined ?RamPost Edited by Rama Mukkamalla at 04/09/09 13:45Post Edited by Rama Mukkamalla at 04/09/09 13:50 Link to comment Share on other sites More sharing options...
pw1971 Posted April 9, 2009 Share Posted April 9, 2009 I have also tried it without the toUpperCase() method but it didn't allow access to the data. OwnerID is of type Int. I'm also new to groovy and don't know the answer to your question :-( Thanks. Link to comment Share on other sites More sharing options...
andrewsok Posted April 10, 2009 Share Posted April 10, 2009 pw1971,For the type conversion you may use groovy as well :<filterExpression>OwnerID in (groovy('new Integer(authentication.getPrincipal().getTenantId()'))</filterExpression>Your tenantId though needs to be a string representation of an integer, i.e. '123' is Ok, 'My123' is not (again, you may use groovy substring(), etc. functions to extract numeric portion of id for the filter). rmukkamalla,1) No, it returns whatever type is, for example groovy('123') will return java.lang.Integer(123)2) Attributes are name-value pairs, lets say you have name:MyNumbers and value:10,20,21,11,13, then you do:<filterExpression>userId in (groovy('authentication.getPrincipal().getAttributes().find{ it.attrName == "MyNumbers" }.attrValue'))</filterExpression> Andrew S. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now