I am attempting to test the row level access and have created a join of 2 simple tables (see below for schema).

    <jdbcQuery id="JoinTree_1" datasourceId="SQL_Server_2012">
      <fieldList>
        <field id="PageDetail.PageDescription" type="java.lang.String" />
        <field id="PageDetail.PageIndex" type="java.lang.Integer" />
        <field id="PageDetail.PageName" type="java.lang.String" />
        <field id="PageDetail.PageRepeat" type="java.lang.Integer" />
        <field id="PageDetail.PageTitle" type="java.lang.String" />
        <field id="PageDetail.SiteId" type="java.lang.String" />
        <field id="PageDetail.SiteTitle" type="java.lang.String" />
        <field id="StudyAdmin_UserRoleSite.SiteId" type="java.lang.String" />
        <field id="StudyAdmin_UserRoleSite.UserGroupId" type="java.lang.String" />
        <field id="StudyAdmin_UserRoleSite.Username" type="java.lang.String" />
      </fieldList>
      <joinInfo alias="PageDetail" referenceId="PageDetail" />
I have added a security file to the domain with the following content:

    <securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted">
      <resourceAccessGrants>
        <!-- Begin row-level security -->
        <resourceAccessGrantList id="JoinTree_1_access_grant" label="AccessJoinTree1" resourceId="JoinTree_1">
          <resourceAccessGrants>
            <resourceAccessGrant id="JoinTree_1_ROLE_USER_row_grant">
              <principalExpression>
                authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_USER'] }
              </principalExpression>
              <filterExpression>
                StudyAdmin_UserRoleSite.Username in ('user001')
              </filterExpression>
            </resourceAccessGrant>
          </resourceAccessGrants>
        </resourceAccessGrantList>
      </resourceAccessGrants>
    </securityDefinition>
When accessing a view based on this domain with a user role of ROLE_USER, I expected to only see results where the username was 'user001'. However, what I see is every row.
Can anyone see anything obviously wrong with my security file?
1 Answer:
Posted on January 15, 2014 at 2:19am
The problem with the above security file seems to be with the principal expression element.
When I re-write the XML so that the opening tag and the content of the principal expression are on the same line, the filter works:

    <principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_SUPERUSER','ROLE_USER'] } </principalExpression>

When split across lines, it doesn't seem to work:

    <principalExpression>
      authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_SUPERUSER','ROLE_USER'] }
    </principalExpression>
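The whitespace sensitivity described in the answer above can be checked mechanically before a domain is deployed. The following Python script is an added example, not code from this thread or from Jaspersoft: it parses a securityDefinition document using the namespace shown in the question, reports every resourceAccessGrant whose principalExpression text is padded with newlines or spaces, and rewrites the expression elements so their content sits directly between the tags. The embedded sample document is constructed for the demonstration, and the function names find_padded_expressions and normalize_expressions are the script's own.

```python
"""Lint a JasperReports Server domain security file for expression elements
whose Groovy text is split onto separate lines from the opening tag.

Added example for this thread; not part of the original post or of
Jaspersoft's tooling. The sample XML below is constructed for the demo;
the namespace URI is the one used in the question.
"""
import xml.etree.ElementTree as ET

NS = {"sl": "http://www.jaspersoft.com/2007/SL/XMLSchema"}

# Constructed sample: one grant written in the split form reported as failing
# in the thread, one in the single-line form reported as working.
SAMPLE_XML = """<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted">
  <resourceAccessGrants>
    <resourceAccessGrantList id="JoinTree_1_access_grant" label="AccessJoinTree1" resourceId="JoinTree_1">
      <resourceAccessGrants>
        <resourceAccessGrant id="split_grant">
          <principalExpression>
            authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_USER'] }
          </principalExpression>
          <filterExpression>StudyAdmin_UserRoleSite.Username in ('user001')</filterExpression>
        </resourceAccessGrant>
        <resourceAccessGrant id="inline_grant">
          <principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_USER'] }</principalExpression>
          <filterExpression>StudyAdmin_UserRoleSite.Username in ('user001')</filterExpression>
        </resourceAccessGrant>
      </resourceAccessGrants>
    </resourceAccessGrantList>
  </resourceAccessGrants>
</securityDefinition>
"""


def find_padded_expressions(xml_text, tag="principalExpression"):
    """Return the ids of resourceAccessGrant elements whose <tag> text has
    leading or trailing whitespace (i.e. the expression is not flush with
    its tags)."""
    root = ET.fromstring(xml_text)
    findings = []
    for grant in root.iter(f"{{{NS['sl']}}}resourceAccessGrant"):
        expr = grant.find(f"sl:{tag}", NS)
        if expr is None:
            continue
        text = expr.text or ""
        if text != text.strip():
            findings.append(grant.get("id"))
    return findings


def normalize_expressions(xml_text, tags=("principalExpression", "filterExpression")):
    """Strip the whitespace around every expression element's text and return
    (re-serialized document, number of elements changed). The default
    namespace is registered so the output keeps a bare xmlns= declaration."""
    ET.register_namespace("", NS["sl"])
    root = ET.fromstring(xml_text)
    changed = 0
    for tag in tags:
        for expr in root.iter(f"{{{NS['sl']}}}{tag}"):
            stripped = (expr.text or "").strip()
            if expr.text != stripped:
                expr.text = stripped
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("grants with padded principalExpression:", find_padded_expressions(SAMPLE_XML))
    fixed, n = normalize_expressions(SAMPLE_XML)
    print(f"normalized {n} expression element(s)")
    print("findings after normalization:", find_padded_expressions(fixed))
```

A row-level grant that silently fails to apply leaves every user seeing every row, as the question describes, so the useful place for this check is a pre-deployment step that fails when find_padded_expressions returns anything; normalize_expressions is there to produce the corrected file rather than to hand-edit it.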
That's some really great formatting right there.
Looks good to me. I'd expect you'd see the "where StudyAdmin_UserRoleSite.Username in ('user001')" clause in your SQL when ROLE_USER. But ROLE_USER is inherited by everyone, so theoretically everyone would be impacted by this. For grins & giggles, I'd try a different role, and I'd also restart your webapp (clearing the temp dir which contains ACL (user/role/permissions) cache values).
The supermart security file is behaving as I would expect and seems to be set up in the same way, so all I can conclude at this point is that my domain design is squiffy in some respect. I'll update if I figure anything out.