diff --git a/li.strolch.mvn.archetype.main/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml b/li.strolch.mvn.archetype.main/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml
index a79331544..d7a2109e7 100644
--- a/li.strolch.mvn.archetype.main/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml
+++ b/li.strolch.mvn.archetype.main/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml
@@ -89,10 +89,29 @@
+
+ li.strolch.service.privilege.users.PrivilegeSetUserPasswordService
+ li.strolch.service.privilege.users.PrivilegeSetUserLocaleService
+
+
+ li.strolch.service.privilege.users.PrivilegeUpdateUserService
+ li.strolch.service.privilege.users.PrivilegeUpdateUserRolesService
+ li.strolch.service.privilege.users.PrivilegeSetUserPasswordService
+ li.strolch.service.privilege.users.PrivilegeSetUserLocaleService
+ li.strolch.service.privilege.users.PrivilegeRemoveUserService
+ li.strolch.service.privilege.users.PrivilegeRemoveRoleFromUserService
+ li.strolch.service.privilege.users.PrivilegeAddUserService
+ li.strolch.service.privilege.users.PrivilegeAddRoleToUserService
+ li.strolch.service.privilege.roles.PrivilegeUpdateRoleService
+ li.strolch.service.privilege.roles.PrivilegeRemoveRoleService
+ li.strolch.service.privilege.roles.PrivilegeRemovePrivilegeFromRoleService
+ li.strolch.service.privilege.roles.PrivilegeAddRoleService
+ li.strolch.service.privilege.roles.PrivilegeAddOrReplacePrivilegeOnRoleService
+
true
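Review bot: The markup that scopes these grants (role name, policy and access attributes) did not survive in this hunk, so it cannot be confirmed from here whether the small group at L7-L8 (PrivilegeSetUserPasswordService, PrivilegeSetUserLocaleService) is bound to a policy that restricts it to the caller's own account, e.g. a UsernameFromCertificate-style policy like the one at L154, rather than an all-allowed one; that distinction is what keeps a self-service role from setting other users' passwords, so it is worth re-checking in the full file. The grants are keyed by service class name, which matches the removal of the getPrivilegeName() override at L345-L348, so an existing deployment whose PrivilegeRoles.xml still uses the old privilege names will presumably need the same migration, and a short note in the changelog or the archetype README would help. The webapp archetype at L30-L50 makes the identical change.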
diff --git a/li.strolch.mvn.archetype.webapp/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml b/li.strolch.mvn.archetype.webapp/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml
index 81a974e61..49cf215b3 100644
--- a/li.strolch.mvn.archetype.webapp/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml
+++ b/li.strolch.mvn.archetype.webapp/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml
@@ -101,10 +101,29 @@
+
+ li.strolch.service.privilege.users.PrivilegeSetUserPasswordService
+ li.strolch.service.privilege.users.PrivilegeSetUserLocaleService
+
+
+ li.strolch.service.privilege.users.PrivilegeUpdateUserService
+ li.strolch.service.privilege.users.PrivilegeUpdateUserRolesService
+ li.strolch.service.privilege.users.PrivilegeSetUserPasswordService
+ li.strolch.service.privilege.users.PrivilegeSetUserLocaleService
+ li.strolch.service.privilege.users.PrivilegeRemoveUserService
+ li.strolch.service.privilege.users.PrivilegeRemoveRoleFromUserService
+ li.strolch.service.privilege.users.PrivilegeAddUserService
+ li.strolch.service.privilege.users.PrivilegeAddRoleToUserService
+ li.strolch.service.privilege.roles.PrivilegeUpdateRoleService
+ li.strolch.service.privilege.roles.PrivilegeRemoveRoleService
+ li.strolch.service.privilege.roles.PrivilegeRemovePrivilegeFromRoleService
+ li.strolch.service.privilege.roles.PrivilegeAddRoleService
+ li.strolch.service.privilege.roles.PrivilegeAddOrReplacePrivilegeOnRoleService
+
true
diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java
index 15fe39677..e83e56709 100644
--- a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java
+++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java
@@ -15,10 +15,13 @@
*/
package li.strolch.privilege.policy;
+import static java.util.stream.Collectors.toSet;
import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate;
import static li.strolch.utils.helper.StringHelper.isEmpty;
import java.text.MessageFormat;
+import java.util.Set;
+import java.util.stream.Stream;
import li.strolch.privilege.base.AccessDeniedException;
import li.strolch.privilege.base.PrivilegeException;
@@ -38,7 +41,7 @@ import li.strolch.utils.dbc.DBC;
*/
public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege {
- private static final String PARAM_ORGANISATION = "organisation";
+ public static final String PARAM_ORGANISATION = "organisation";
@Override
public void validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable)
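Review bot: Widening PARAM_ORGANISATION to public here leaves the same literal defined a second time at L156 in UsernameFromCertificateWithSameOrganisationPrivilege, and the two copies can now drift independently while both are referenced from outside. If the constant is being exposed for callers, a single definition (PrivilegePolicyHelper, already imported at L59, looks like the natural home) with both classes referring to it would keep the property name in one place. validateAction's body continues outside the hunk.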
@@ -69,9 +72,7 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
}
// get user organisation
- String userOrg = ctx.getCertificate().getProperty(PARAM_ORGANISATION);
- if (isEmpty(userOrg))
- throw new PrivilegeException("No organisation configured for user " + ctx.getUsername());
+ Set userOrgs = getUserOrganisations(ctx);
Tuple tuple = (Tuple) object;
@@ -84,12 +85,12 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
// make sure old user has same organisation
User oldUser = tuple.getFirst();
if (oldUser != null) {
- String oldOrg = oldUser.getProperty(PARAM_ORGANISATION);
- if (!userOrg.equals(oldOrg)) {
+ Set oldOrgs = getUserOrganisations(oldUser);
+ if (!isUserInOrganisation(userOrgs, oldOrgs)) {
if (assertHasPrivilege)
throw new AccessDeniedException(
"User " + ctx.getUsername() + " may not access users outside of their organisation: "
- + userOrg + " / " + oldOrg);
+ + userOrgs + " / " + oldOrgs);
return false;
}
@@ -98,13 +99,13 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
// make sure new user has same organisation
User newUser = tuple.getSecond();
DBC.INTERIM.assertNotNull("For " + privilegeName + " second must not be null!", newUser);
- String newdOrg = newUser.getProperty(PARAM_ORGANISATION);
+ Set newOrgs = getUserOrganisations(newUser);
- if (!userOrg.equals(newdOrg)) {
+ if (!isUserInOrganisation(userOrgs, newOrgs)) {
if (assertHasPrivilege)
throw new AccessDeniedException(
"User " + ctx.getUsername() + " may not access users outside of their organisations: "
- + userOrg + " / " + newdOrg);
+ + userOrgs + " / " + newOrgs);
return false;
}
@@ -116,13 +117,13 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
User user = tuple.getFirst();
DBC.INTERIM.assertNotNull("For " + privilegeName + " first must not be null!", user);
- String org = user.getProperty(PARAM_ORGANISATION);
- if (!userOrg.equals(org)) {
+ Set orgs = getUserOrganisations(user);
+ if (!isUserInOrganisation(userOrgs, orgs)) {
if (assertHasPrivilege)
throw new AccessDeniedException(
"User " + ctx.getUsername() + " may not access users outside of their organisation: "
- + userOrg + " / " + org);
+ + userOrgs + " / " + orgs);
return false;
}
@@ -140,4 +141,22 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
// now delegate the rest of the validation to the super class
return super.validateAction(ctx, privilege, restrictable, assertHasPrivilege);
}
+
+ protected boolean isUserInOrganisation(Set organisations, Set userOrg) {
+ return userOrg.stream().anyMatch(organisations::contains);
+ }
+
+ protected Set getUserOrganisations(User user) {
+ String userOrg = user.getProperty(PARAM_ORGANISATION);
+ if (isEmpty(userOrg))
+ throw new PrivilegeException("No organisation configured for user " + user.getUsername());
+ return Stream.of(userOrg.split(",")).map(String::trim).collect(toSet());
+ }
+
+ protected Set getUserOrganisations(PrivilegeContext ctx) {
+ String userOrg = ctx.getCertificate().getProperty(PARAM_ORGANISATION);
+ if (isEmpty(userOrg))
+ throw new PrivilegeException("No organisation configured for user " + ctx.getUsername());
+ return Stream.of(userOrg.split(",")).map(String::trim).collect(toSet());
+ }
}
diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java
index 137742b1d..874a6dadf 100644
--- a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java
+++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java
@@ -43,7 +43,7 @@ import li.strolch.privilege.model.Restrictable;
*/
public class UsernameFromCertificateWithSameOrganisationPrivilege extends UsernameFromCertificatePrivilege {
- private static final String PARAM_ORGANISATION = "organisation";
+ public static final String PARAM_ORGANISATION = "organisation";
@Override
public void validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable)
diff --git a/li.strolch.privilege/src/test/resources/config/PrivilegeRoles.xml b/li.strolch.privilege/src/test/resources/config/PrivilegeRoles.xml
index e5340d696..d5a9479cb 100644
--- a/li.strolch.privilege/src/test/resources/config/PrivilegeRoles.xml
+++ b/li.strolch.privilege/src/test/resources/config/PrivilegeRoles.xml
@@ -2,27 +2,20 @@
-
- Persist
- Reload
- GetPolicies
-
-
-
- true
-
-
- true
-
-
- true
-
-
- true
-
-
-
- true
+
+ li.strolch.service.privilege.users.PrivilegeUpdateUserService
+ li.strolch.service.privilege.users.PrivilegeUpdateUserRolesService
+ li.strolch.service.privilege.users.PrivilegeSetUserPasswordService
+ li.strolch.service.privilege.users.PrivilegeSetUserLocaleService
+ li.strolch.service.privilege.users.PrivilegeRemoveUserService
+ li.strolch.service.privilege.users.PrivilegeRemoveRoleFromUserService
+ li.strolch.service.privilege.users.PrivilegeAddUserService
+ li.strolch.service.privilege.users.PrivilegeAddRoleToUserService
+ li.strolch.service.privilege.roles.PrivilegeUpdateRoleService
+ li.strolch.service.privilege.roles.PrivilegeRemoveRoleService
+ li.strolch.service.privilege.roles.PrivilegeRemovePrivilegeFromRoleService
+ li.strolch.service.privilege.roles.PrivilegeAddRoleService
+ li.strolch.service.privilege.roles.PrivilegeAddOrReplacePrivilegeOnRoleService
true
@@ -30,24 +23,52 @@
true
-
+
true
-
- true
-
-
+
true
true
-
- ENABLED
- DISABLED
- SYSTEM
+
+ Reload
+ GetPolicies
+ Persist
+ GetCertificates
+ PersistSessions
-
+
+ true
+
+
+ SYSTEM
+ DISABLED
+ ENABLED
+
+
+ true
+
+
+ true
+
+
+ true
+
+
+ true
+
+
+ true
+
+
+ true
+
+
+ true
+
+
true
diff --git a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeRolesService.java b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeRolesService.java
index 9d4ff8dd8..affa242b3 100644
--- a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeRolesService.java
+++ b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeRolesService.java
@@ -15,12 +15,13 @@
*/
package li.strolch.rest.endpoint;
+import static java.util.Comparator.comparing;
+
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.*;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
-import java.util.List;
import com.google.gson.JsonArray;
import li.strolch.agent.api.ComponentContainer;
@@ -53,8 +54,13 @@ public class PrivilegeRolesService {
Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
PrivilegeHandler privilegeHandler = getPrivilegeHandler();
- List roles = privilegeHandler.getRoles(cert);
- JsonArray rolesJ = toJson(roles);
+ PrivilegeElementToJsonVisitor visitor = new PrivilegeElementToJsonVisitor();
+ JsonArray rolesJ = privilegeHandler.getRoles(cert).stream() //
+ .sorted(comparing(roleRep -> roleRep.getName().toLowerCase())) //
+ .collect(JsonArray::new, //
+ (array, role) -> array.add(role.accept(visitor)), //
+ JsonArray::addAll);
+
return Response.ok(rolesJ.toString(), MediaType.APPLICATION_JSON).build();
}
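Review bot: The sort key `roleRep.getName().toLowerCase()` on L278 uses the JVM default locale, so the order can differ between hosts and misbehaves under tr/az locales for names containing I/i; `comparing(RoleRep::getName, String.CASE_INSENSITIVE_ORDER)` gives the same case-insensitive order deterministically. The same applies to the `getUsername().toLowerCase()` keys at L315 and L327 in PrivilegeUsersService. One PrivilegeElementToJsonVisitor instance is now reused for every role (L276-L280) where the removed toJson created one per element; if the visitor keeps any per-visit state this changes the output, which I cannot confirm from the hunk, so a short comment such as `// visitor is stateless, safe to reuse across elements` (if that holds) would settle it for the next reader. The enclosing method starts before the hunk.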
@@ -173,12 +179,4 @@ public class PrivilegeRolesService {
}
return ResponseUtil.toResponse(svcResult);
}
-
- private JsonArray toJson(List roles) {
- JsonArray rolesArr = new JsonArray();
- for (RoleRep roleRep : roles) {
- rolesArr.add(roleRep.accept(new PrivilegeElementToJsonVisitor()));
- }
- return rolesArr;
- }
}
diff --git a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeUsersService.java b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeUsersService.java
index 932a3ab64..55fb0127f 100644
--- a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeUsersService.java
+++ b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeUsersService.java
@@ -15,6 +15,7 @@
*/
package li.strolch.rest.endpoint;
+import static java.util.Comparator.comparing;
import static li.strolch.rest.helper.RestfulHelper.toJson;
import static li.strolch.search.SearchBuilder.buildSimpleValueSearch;
@@ -77,7 +78,9 @@ public class PrivilegeUsersService {
UserRep::getFirstname, //
UserRep::getLastname, //
userRep -> userRep.getUserState().name(), //
- UserRep::getRoles)).search(users);
+ UserRep::getRoles)) //
+ .search(users) //
+ .orderBy(comparing(r -> r.getUsername().toLowerCase()));
PrivilegeElementToJsonVisitor visitor = new PrivilegeElementToJsonVisitor();
JsonObject root = toJson(queryData, users.size(), result, t -> t.accept(visitor));
@@ -93,13 +96,15 @@ public class PrivilegeUsersService {
Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
PrivilegeHandler privilegeHandler = getPrivilegeHandler();
- UserRep queryRep = new PrivilegeElementFromJsonVisitor().userRepFromJson(query);
- List users = privilegeHandler.queryUsers(cert, queryRep);
+ PrivilegeElementToJsonVisitor visitor = new PrivilegeElementToJsonVisitor();
+
+ UserRep queryRep = new PrivilegeElementFromJsonVisitor().userRepFromJson(query);
+ JsonArray usersArr = privilegeHandler.queryUsers(cert, queryRep).stream() //
+ .sorted(comparing(r -> r.getUsername().toLowerCase())) //
+ .collect(JsonArray::new, //
+ (array, user) -> array.add(user.accept(visitor)), //
+ JsonArray::addAll);
- JsonArray usersArr = new JsonArray();
- for (UserRep userRep : users) {
- usersArr.add(userRep.accept(new PrivilegeElementToJsonVisitor()));
- }
return Response.ok(usersArr.toString(), MediaType.APPLICATION_JSON).build();
}
diff --git a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddOrReplacePrivilegeOnRoleService.java b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddOrReplacePrivilegeOnRoleService.java
index a2ba0c1f7..9e51debd2 100644
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddOrReplacePrivilegeOnRoleService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddOrReplacePrivilegeOnRoleService.java
@@ -59,14 +59,4 @@ public class PrivilegeAddOrReplacePrivilegeOnRoleService
return new PrivilegeRoleResult(role);
}
-
- @Override
- public String getPrivilegeName() {
- return StrolchPrivilegeConstants.PRIVILEGE_MODIFY_ROLE;
- }
-
- @Override
- public String getPrivilegeValue() {
- return null;
- }
}
diff --git a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddRoleService.java b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddRoleService.java
index 98b140cf9..d27ceac84 100644
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddRoleService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddRoleService.java
@@ -57,14 +57,4 @@ public class PrivilegeAddRoleService extends AbstractService
-
- Persist
- Reload
- GetPolicies
-
-
-
- true
-
-
- true
-
-
- true
-
-
- true
-
-
-
- true
+
+ li.strolch.service.privilege.users.PrivilegeUpdateUserService
+ li.strolch.service.privilege.users.PrivilegeUpdateUserRolesService
+ li.strolch.service.privilege.users.PrivilegeSetUserPasswordService
+ li.strolch.service.privilege.users.PrivilegeSetUserLocaleService
+ li.strolch.service.privilege.users.PrivilegeRemoveUserService
+ li.strolch.service.privilege.users.PrivilegeRemoveRoleFromUserService
+ li.strolch.service.privilege.users.PrivilegeAddUserService
+ li.strolch.service.privilege.users.PrivilegeAddRoleToUserService
+ li.strolch.service.privilege.roles.PrivilegeUpdateRoleService
+ li.strolch.service.privilege.roles.PrivilegeRemoveRoleService
+ li.strolch.service.privilege.roles.PrivilegeRemovePrivilegeFromRoleService
+ li.strolch.service.privilege.roles.PrivilegeAddRoleService
+ li.strolch.service.privilege.roles.PrivilegeAddOrReplacePrivilegeOnRoleService
true
@@ -132,24 +125,52 @@
true
-
+
true
-
- true
-
-
+
true
true
-
- ENABLED
- DISABLED
- SYSTEM
+
+ Reload
+ GetPolicies
+ Persist
+ GetCertificates
+ PersistSessions
-
+
+ true
+
+
+ SYSTEM
+ DISABLED
+ ENABLED
+
+
+ true
+
+
+ true
+
+
+ true
+
+
+ true
+
+
+ true
+
+
+ true
+
+
+ true
+
+
true