richard.cutts Posted January 13, 2014

I am attempting to test the row level access and have created a join of 2 simple tables (see below for schema)

[code]
<jdbcQuery id="JoinTree_1" datasourceId="SQL_Server_2012">
  <fieldList>
    <field id="PageDetail.PageDescription" type="java.lang.String" />
    <field id="PageDetail.PageIndex" type="java.lang.Integer" />
    <field id="PageDetail.PageName" type="java.lang.String" />
    <field id="PageDetail.PageRepeat" type="java.lang.Integer" />
    <field id="PageDetail.PageTitle" type="java.lang.String" />
    <field id="PageDetail.SiteId" type="java.lang.String" />
    <field id="PageDetail.SiteTitle" type="java.lang.String" />
    <field id="StudyAdmin_UserRoleSite.SiteId" type="java.lang.String" />
    <field id="StudyAdmin_UserRoleSite.UserGroupId" type="java.lang.String" />
    <field id="StudyAdmin_UserRoleSite.Username" type="java.lang.String" />
  </fieldList>
  <joinInfo alias="PageDetail" referenceId="PageDetail" />
[/code]

I have added a security file to the domain with the following content

[code]
<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted">
  <resourceAccessGrants>
    <!-- Begin row-level security -->
    <resourceAccessGrantList id="JoinTree_1_access_grant" label="AccessJoinTree1" resourceId="JoinTree_1">
      <resourceAccessGrants>
        <resourceAccessGrant id="JoinTree_1_ROLE_USER_row_grant">
          <principalExpression>
            authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_USER'] }
          </principalExpression>
          <filterExpression>
            StudyAdmin_UserRoleSite.Username in ('user001')
          </filterExpression>
        </resourceAccessGrant>
      </resourceAccessGrants>
    </resourceAccessGrantList>
  </resourceAccessGrants>
</securityDefinition>
[/code]

When accessing a view based on this domain with a user role of ROLE_USER, I expected to only see results where the username was 'user001'. However, what I see is every row. Can anyone see anything obviously wrong with my security file?

richard.cutts Posted January 13, 2014 (Author)

That's some really great formatting right there.

ghudson_1 Posted January 13, 2014

Looks good to me. I'd expect you'd see the "where StudyAdmin_UserRoleSite.Username in ('user001')" clause in your SQL when ROLE_USER. But ROLE_USER is inherited by everyone, so theoretically everyone would be impacted by this. For grins & giggles, I'd try a different role, and I'd also restart your webapp (clearing the temp dir which contains ACL (user/role/permissions) cache values).

richard.cutts Posted January 14, 2014 (Author)

When clicking the 'View SQL Query' button in the adhoc view there's no WHERE clause present. Tried other user roles. I've rebooted the server. I've created a new, similar domain from scratch and a new adhoc view based on that. Still can't get anything filtered out.

richard.cutts Posted January 14, 2014 (Author)

The supermart security file is behaving as I would expect and seems to be set up in the same way, so all I can conclude at this point is that my domain design is squiffy in some respect. I'll update if I figure anything out.

richard.cutts Posted January 15, 2014 (Author, Solution)

The problem with the above security file seems to be with the principal expression element. When I re-write the xml so that the opening tag and the content of the principal expression are on the same line, the filter works.

[code]
<principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_SUPERUSER','ROLE_USER'] } </principalExpression>
[/code]

When split across lines, it doesn't seem to work.

[code]
<principalExpression>
    authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_SUPERUSER','ROLE_USER'] }
</principalExpression>
[/code]

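A lint check for the behaviour reported in the solution post above, where a grant whose expression was split across lines left every row visible. This is an added example, not part of the original thread and not Jaspersoft's own tooling: it parses a domain security file, reports each row grant whose principalExpression text starts on a new line after the opening tag, and rewrites those expressions onto the tag's line. The function names and the embedded sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

URI = "http://www.jaspersoft.com/2007/SL/XMLSchema"

# Constructed sample modelled on the security file in this thread: one grant
# starts its expression on a new line, the other on the opening tag's line.
SAMPLE = """<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted">
 <resourceAccessGrants>
  <resourceAccessGrantList id="JoinTree_1_access_grant" resourceId="JoinTree_1">
   <resourceAccessGrants>
    <resourceAccessGrant id="split_grant">
     <principalExpression>
      authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_USER'] }
     </principalExpression>
     <filterExpression>StudyAdmin_UserRoleSite.Username in ('user001')</filterExpression>
    </resourceAccessGrant>
    <resourceAccessGrant id="inline_grant">
     <principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_USER'] } </principalExpression>
     <filterExpression>StudyAdmin_UserRoleSite.Username in ('user001')</filterExpression>
    </resourceAccessGrant>
   </resourceAccessGrants>
  </resourceAccessGrantList>
 </resourceAccessGrants>
</securityDefinition>"""


def starts_on_new_line(text):
    """True when a line break precedes the first non-blank character."""
    text = text or ""
    leading = text[: len(text) - len(text.lstrip())]
    return bool(text.strip()) and ("\n" in leading or "\r" in leading)


def find_split_principal_expressions(xml_text):
    """Ids of row grants whose principalExpression starts on a new line."""
    grants = ET.fromstring(xml_text).iter("{%s}resourceAccessGrant" % URI)
    return [g.get("id") for g in grants
            if starts_on_new_line(g.findtext("{%s}principalExpression" % URI))]


def normalize(xml_text):
    """Return the file with flagged expressions moved onto the tag's line."""
    ET.register_namespace("", URI)  # keep the default namespace unprefixed
    root = ET.fromstring(xml_text)
    for expr in root.iter("{%s}principalExpression" % URI):
        if starts_on_new_line(expr.text):
            expr.text = expr.text.strip()
    return ET.tostring(root, encoding="unicode")
```
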
richard.cutts Posted January 15, 2014 (Author)

Raised issue #3355