richard.cutts
Solved by richard.cutts

I am attempting to test the row-level access and have created a join of 2 simple tables (see below for schema).

[code]
<jdbcQuery id="JoinTree_1" datasourceId="SQL_Server_2012">
    <fieldList>
        <field id="PageDetail.PageDescription" type="java.lang.String" />
        <field id="PageDetail.PageIndex" type="java.lang.Integer" />
        <field id="PageDetail.PageName" type="java.lang.String" />
        <field id="PageDetail.PageRepeat" type="java.lang.Integer" />
        <field id="PageDetail.PageTitle" type="java.lang.String" />
        <field id="PageDetail.SiteId" type="java.lang.String" />
        <field id="PageDetail.SiteTitle" type="java.lang.String" />
        <field id="StudyAdmin_UserRoleSite.SiteId" type="java.lang.String" />
        <field id="StudyAdmin_UserRoleSite.UserGroupId" type="java.lang.String" />
        <field id="StudyAdmin_UserRoleSite.Username" type="java.lang.String" />
    </fieldList>
    <joinInfo alias="PageDetail" referenceId="PageDetail" />
[/code]

I have added a security file to the domain with the following content:

[code]
<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted">
    <resourceAccessGrants>
        <!-- Begin row-level security -->
        <resourceAccessGrantList id="JoinTree_1_access_grant" label="AccessJoinTree1" resourceId="JoinTree_1">
            <resourceAccessGrants>
                <resourceAccessGrant id="JoinTree_1_ROLE_USER_row_grant">
                    <principalExpression>
                        authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_USER'] }
                    </principalExpression>
                    <filterExpression>
                        StudyAdmin_UserRoleSite.Username in ('user001')
                    </filterExpression>
                </resourceAccessGrant>
            </resourceAccessGrants>
        </resourceAccessGrantList>
    </resourceAccessGrants>
</securityDefinition>
[/code]

When accessing a view based on this domain with a user role of ROLE_USER, I expected to only see results where the username was 'user001'. However, what I see is every row.

Can anyone see anything obviously wrong with my security file?

Looks good to me. I'd expect you'd see the "where StudyAdmin_UserRoleSite.Username in ('user001')" clause in your SQL when ROLE_USER. But ROLE_USER is inherited by everyone, so theoretically everyone would be impacted by this. For grins & giggles, I'd try a different role, and I'd also restart your webapp (clearing the temp dir which contains ACL (user/role/permissions) cache values).

  • Solution

The problem with the above security file seems to be with the principal expression element.

When I rewrite the XML so that the opening tag and the content of the principal expression are on the same line, the filter works.

[code]
<principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_SUPERUSER','ROLE_USER'] }
</principalExpression>
[/code]

When split across lines, it doesn't seem to work.

[code]
<principalExpression>
  authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_SUPERUSER','ROLE_USER'] }
</principalExpression>
[/code]
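
A lint for the failure mode reported in this thread, as an added example that is not part of the original posts or of Jaspersoft's own tooling: it flags every resourceAccessGrant whose principalExpression text does not begin on the same line as its opening tag, and can rewrite the file with that leading whitespace stripped. The sample file, the second grant's id and the function names are constructed for illustration; the whitespace sensitivity itself is the poster's observation, not documented product behaviour.

```python
import xml.etree.ElementTree as ET

SL = "http://www.jaspersoft.com/2007/SL/XMLSchema"  # namespace from the thread's file

# Constructed sample: the first grant is laid out like the failing file in the
# thread, the second like the working one (expression starts on the tag's line).
SAMPLE = """<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted">
 <resourceAccessGrants>
  <resourceAccessGrantList id="JoinTree_1_access_grant" label="AccessJoinTree1" resourceId="JoinTree_1">
   <resourceAccessGrants>
    <resourceAccessGrant id="JoinTree_1_ROLE_USER_row_grant">
     <principalExpression>
      authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_USER'] }
     </principalExpression>
     <filterExpression>StudyAdmin_UserRoleSite.Username in ('user001')</filterExpression>
    </resourceAccessGrant>
    <resourceAccessGrant id="constructed_superuser_row_grant">
     <principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_SUPERUSER'] }
     </principalExpression>
     <filterExpression>StudyAdmin_UserRoleSite.Username in ('user002')</filterExpression>
    </resourceAccessGrant>
   </resourceAccessGrants>
  </resourceAccessGrantList>
 </resourceAccessGrants>
</securityDefinition>"""

def lint_security_xml(xml_text):
    """Return (grant id, problem) for grants with an absent or whitespace-led principalExpression."""
    findings = []
    for grant in ET.fromstring(xml_text).iter("{%s}resourceAccessGrant" % SL):
        node = grant.find("{%s}principalExpression" % SL)
        text = node.text if node is not None else None
        if not text or not text.strip():
            findings.append((grant.get("id"), "missing or empty principalExpression"))
        elif text[0].isspace():
            findings.append((grant.get("id"), "principalExpression does not start on the tag's line"))
    return findings

def fix_security_xml(xml_text):
    """Strip leading whitespace from every principalExpression (XML comments are dropped)."""
    ET.register_namespace("", SL)  # keep the default namespace instead of ns0: prefixes
    root = ET.fromstring(xml_text)
    for node in root.iter("{%s}principalExpression" % SL):
        node.text = (node.text or "").lstrip()
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for grant_id, problem in lint_security_xml(SAMPLE):
        print(f"{grant_id}: {problem}")
```

Because a grant that fails to apply leaves every row visible, a check like this is best run before the security file is uploaded to the domain, followed by a test login with a restricted role.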
