[midPoint] Role Catalog

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Wed Jan 18 20:42:44 CET 2017


A log entry is created when an End User tries to access the Role Catalog (below).
I'm so desperate that I'm reading source code right now, though I'm not a developer and I understand nothing of it.
It must be so simple, I don't believe that it's not...

2017-01-18 20:34:39,702 [] [https-openssl-apr-443-exec-1] ERROR (com.evolveum.midpoint.web.page.self.PageAssignmentShoppingKart): Error getting system configuration: Access denied 
com.evolveum.midpoint.util.exception.AuthorizationException: Access denied 
       at com.evolveum.midpoint.model.impl.controller.SchemaTransformer.applySchemasAndSecurityPhase(SchemaTransformer.java:237) ~[model-impl-3.5.jar:na] 
       at com.evolveum.midpoint.model.impl.controller.SchemaTransformer.applySchemasAndSecurity(SchemaTransformer.java:199) ~[model-impl-3.5.jar:na] 
       at com.evolveum.midpoint.model.impl.controller.ModelController.getObject(ModelController.java:257) ~[model-impl-3.5.jar:na] 
       at sun.reflect.GeneratedMethodAccessor498.invoke(Unknown Source) ~[na:na] 
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_112] 
       at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_112] 
       at org.apache.wicket.proxy.LazyInitProxyFactory$JdkHandler.invoke(LazyInitProxyFactory.java:507) ~[wicket-ioc-7.3.0.jar:7.3.0] 
       at com.sun.proxy.$Proxy160.getObject(Unknown Source) ~[na:na] 
       at com.evolveum.midpoint.web.page.self.PageAssignmentShoppingKart.getRoleCatalogOid(PageAssignmentShoppingKart.java:81) [classes/:na] 
       at com.evolveum.midpoint.web.page.self.PageAssignmentShoppingKart.initLayout(PageAssignmentShoppingKart.java:66) [classes/:na] 
       at com.evolveum.midpoint.web.page.self.PageAssignmentShoppingKart.<init>(PageAssignmentShoppingKart.java:59) [classes/:na] 
       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [na:1.8.0_112] 
       at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) [na:1.8.0_112] 
       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [na:1.8.0_112] 
       at java.lang.reflect.Constructor.newInstance(Constructor.java:423) [na:1.8.0_112] 
       at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:175) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:67) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.DefaultMapperContext.newPageInstance(DefaultMapperContext.java:102) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.core.request.handler.PageProvider.resolvePageInstance(PageProvider.java:271) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.core.request.handler.PageProvider.getPageInstance(PageProvider.java:169) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.request.handler.render.PageRenderer.getPage(PageRenderer.java:78) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.request.handler.render.WebPageRenderer.isPageStateless(WebPageRenderer.java:287) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.request.handler.render.WebPageRenderer.shouldRenderPageAndWriteResponse(WebPageRenderer.java:329) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.request.handler.render.WebPageRenderer.respond(WebPageRenderer.java:193) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.core.request.handler.RenderPageRequestHandler.respond(RenderPageRequestHandler.java:175) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:895) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64) [wicket-request-7.3.0.jar:7.3.0] 
       at org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:265) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:222) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:293) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:261) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284) [wicket-core-7.3.0.jar:7.3.0] 
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [catalina.jar:8.5.8] 
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [catalina.jar:8.5.8] 
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:115) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:112) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.5.RELEASE.jar:4.2.5.RELEASE] 
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:206) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.5.RELEASE.jar:4.2.5.RELEASE] 
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:134) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:106) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) [spring-security-web-4.1.0.RELEASE.jar:4.1.0.RELEASE] 
       at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-4.2.5.RELEASE.jar:4.2.5.RELEASE] 
       at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) [spring-web-4.2.5.RELEASE.jar:4.2.5.RELEASE] 
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [catalina.jar:8.5.8] 
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [catalina.jar:8.5.8] 
       at com.evolveum.midpoint.web.util.MidPointProfilingServletFilter.doFilter(MidPointProfilingServletFilter.java:86) [classes/:na] 
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [catalina.jar:8.5.8] 
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [catalina.jar:8.5.8] 
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) [catalina.jar:8.5.8] 
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108) [catalina.jar:8.5.8] 
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) [catalina.jar:8.5.8] 
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [catalina.jar:8.5.8] 
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [catalina.jar:8.5.8] 
       at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620) [catalina.jar:8.5.8] 
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.8] 
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349) [catalina.jar:8.5.8] 
       at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:219) [tomcat-coyote.jar:8.5.8] 
       at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote.jar:8.5.8] 
       at org.apache.coyote.http2.StreamProcessor.run(StreamProcessor.java:63) [tomcat-coyote.jar:8.5.8] 
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_112] 
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_112] 
       at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.8] 
       at java.lang.Thread.run(Thread.java:745) [na:1.8.0_112]



On Wednesday, 18 January 2017 09:30:09 CET, Wojciech Staszewski wrote:
> Does anybody know what to do to enable role catalog for "end user"? What to add into "end user" role?
> At the moment role catalog is available only for admin.
> 
> I have read this https://wiki.evolveum.com/display/midPoint/GUI+Authorizations
> but there is nothing related to roleCatalog.
> The End User role already contains read access to "OrgType" and "RoleType", but the RoleCatalog is still inaccessible.
> 
> Thanks!
> Regards,
> Wojciech Staszewski
> www.skygge.com
> 
> On 16.01.2017 at 09:26, Wojciech Staszewski wrote:
> > Hello!
> > 
> > I added the section mentioned by Kateryna Honchar (thank you!) into the end user role and now the cog menu is visible for the end user in SelfService.
> > But I have no idea what I need to add in the end user role to enable the Role Catalog view. I tried to search the documentation but I found nothing.
> > I also tried to add a new authorization section with "RoleCatalog" type but it doesn't work. This is some kind of blindfold work without documentation :(.
> > Does anyone know?
> > 
> > Thanks, Regards,
> > Wojciech Staszewski
> > www.skygge.com
> > 
> > On 15.01.2017 at 22:58, Wojciech Staszewski wrote:
> >> It doesn't work for end user. :(
> >>
> >> I see role catalog (I have Superuser role).
> >> Common user (with MidPoint End user role) can't see it.
> >> And the cog icon with "unassign" option is invisible for end user as well.
> >> ...
> >> Regards,
> >> WS
> >> www.skygge.com
> >>
> >> On Sunday, 15 January 2017 20:55:23 CET, Wojciech Staszewski wrote:
> >>> Thanks, now it works!
> >>>
> >>> Regards,
> >>> WS
> >>> www.skygge.com
> >>>
> >>> On Sunday, 15 January 2017 20:06:07 CET, Martin Lízner - AMI Praha a.s. wrote:
> >>>> Hi, you point system configuration to your org root. M.
> >>>>
> >>>>    <roleManagement>
> >>>>       <roleCatalogRef oid="c5914a4c-fb27-48ee-8e10-b1f5af3981fb" type="c:OrgType"/>
> >>>>    </roleManagement>
> >>>>
> >>>> Martin Lízner
> >>>> solution architect
> >>>>
> >>>> gsm: [+420] 737 745 571
> >>>> e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>
> >>>>
> >>>>
> >>>> AMI Praha a.s.
> >>>> Pláničkova 11
> >>>> 162 00 Praha 6
> >>>> tel.: [+420] 274 783 239
> >>>> web: www.ami.cz
> >>>>
> >>>>
> >>>> 2017-01-15 19:59 GMT+01:00 Wojciech Staszewski <
> >>>> wojciech.staszewski at diagnostyka.pl>:
> >>>>
> >>>>> Hello!
> >>>>>
> >>>>> I configured "Role catalog" based on the example provided by Evolveum.
> >>>>> A new organizational tree was created with categories and roles within these
> >>>>> categories.
> >>>>> But I cannot find any example of how to connect this catalog to the system
> >>>>> configuration XML, so I got an error in SelfService:
> >>>>> "Role catalog is not configured in the system configuration xml".
> >>>>>
> >>>>> How to configure "system configuration xml" to enable Role catalog?
> >>>>>
> >>>>> Thanks
> >>>>> Wojciech Staszewski
> >>>>> www.skygge.com
> >>>>> _______________________________________________
> >>>>> midPoint mailing list
> >>>>> midPoint at lists.evolveum.com
> >>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
> >>>>>
> >>>>
> >>>
> >>
> >>


-- 
Wojciech Staszewski
Network Systems Administrator
mobile: 663 680 236
www.diagnostyka.pl
Diagnostyka Sp. z o. o.
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
KRS number: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy KRS)
NIP: 675-12-65-009; REGON: 356366975
Share capital: 33 756 500 zł.
Think about the environment before you print this e-mail.
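
Added example, not part of the original message and not midPoint code: a small triage script that reduces a trace like the one above to the logged message, the exception class and the midPoint frames, showing that the denial was raised in the model layer while `getRoleCatalogOid` was fetching an object through `ModelController.getObject`. The `SAMPLE` text is an excerpt of the posted trace; the function names and the `app_prefix` parameter are assumptions of this example.

```python
import re

# Excerpt of the trace posted above (most framework frames omitted).
SAMPLE = """\
2017-01-18 20:34:39,702 [] [https-openssl-apr-443-exec-1] ERROR (com.evolveum.midpoint.web.page.self.PageAssignmentShoppingKart): Error getting system configuration: Access denied
com.evolveum.midpoint.util.exception.AuthorizationException: Access denied
       at com.evolveum.midpoint.model.impl.controller.SchemaTransformer.applySchemasAndSecurityPhase(SchemaTransformer.java:237) ~[model-impl-3.5.jar:na]
       at com.evolveum.midpoint.model.impl.controller.ModelController.getObject(ModelController.java:257) ~[model-impl-3.5.jar:na]
       at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_112]
       at com.evolveum.midpoint.web.page.self.PageAssignmentShoppingKart.getRoleCatalogOid(PageAssignmentShoppingKart.java:81) [classes/:na]
       at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:175) [wicket-core-7.3.0.jar:7.3.0]
"""

# "<date> <time> [] [thread] LEVEL (logger): message"
HEADER = re.compile(r"^(\S+ \S+) \[[^\]]*\] \[([^\]]*)\] (\w+) \(([\w.$]+)\): (.*)$")
# "fully.qualified.SomeException: message"
EXC = re.compile(r"^([\w.$]+(?:Exception|Error)): (.*)$")
# "    at package.Class.method(File.java:NN) [jar:version]"
FRAME = re.compile(r"^\s+at ([\w.$<>]+)\.([\w$<>]+)\(([^)]*)\)")


def triage(log_text, app_prefix="com.evolveum.midpoint."):
    """Group log lines into events; keep only frames under app_prefix."""
    events, cur = [], None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if m := HEADER.match(line):
            cur = {"time": m[1], "thread": m[2], "level": m[3],
                   "logger": m[4], "message": m[5],
                   "exception": None, "app_frames": []}
            events.append(cur)
        elif cur is None:
            continue  # continuation lines before the first header
        elif (m := EXC.match(line)) and cur["exception"] is None:
            cur["exception"] = m[1]
        elif (m := FRAME.match(line)) and m[1].startswith(app_prefix):
            simple_class = m[1].rsplit(".", 1)[-1]
            cur["app_frames"].append(f"{simple_class}.{m[2]}")
    return events


def denied_reads(events):
    """Events where an AuthorizationException came out of ModelController.getObject."""
    return [e for e in events
            if (e["exception"] or "").endswith("AuthorizationException")
            and "ModelController.getObject" in e["app_frames"]]


if __name__ == "__main__":
    for ev in denied_reads(triage(SAMPLE)):
        print(ev["time"], ev["message"])
        print("  call chain:", " <- ".join(ev["app_frames"]))
```
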