Eclipse Community Forums: EMF » [CDO] Best practices for managing users

Help

Home

Home » Modeling » EMF » [CDO] Best practices for managing users

Show: Today's Messages :: Show Polls :: Message Navigator

[CDO] Best practices for managing users [message #1828172]

Wed, 03 June 2020 08:51

Robert Schulk

Messages: 144
Registered: July 2015

Senior Member

We are administrating users directly within our application (and not via the Eclipse IDE). So a client with admin privileges can add/remove users.

Now, what we do is very simple:
* Open the realm in a transaction
* Add a user by calling realm.addUser
* Remove a user by calling realm.removeUser

The user removal seems wrong to me. because we need to always catch a NoPermissionException. The exception states, that the password is inaccessible.

There exists the class SecurityManager, but as far as I can see, it is only meant for server-side usage?

Report message to a moderator

Re: [CDO] Best practices for managing users [message #1834223 is a reply to message #1828172]

Thu, 05 November 2020 09:56

Eike Stepper

Messages: 6682
Registered: July 2009

Senior Member

The occurs because of this code in SecurityManager:

    @Override
    public CDOPermission getPermission(CDORevision revision, CDOBranchPoint securityContext, ISession session)
    {
      String userID = session.getUserID();
      if (SYSTEM_USER_ID.equals(userID))
      {
        return CDOPermission.WRITE;
      }

      if (revision.getEClass() == SecurityPackage.Literals.USER_PASSWORD)
      {
        return CDOPermission.NONE;
      }

     ...

The SecurityManager is only accessible to (trusted) code in the server instance. The special handling of the UserPassword object is because the object-level CDO protocol does not support to encrypt specific object values. But the session-level protocol includes a sub protocol for secure key exchange (see org.eclipse.net4j.util.security.DiffieHellman). You can initiate this protocol by calling either of these methods:

1) org.eclipse.emf.cdo.session.CDOSession.changeCredentials();
2) org.eclipse.emf.spi.cdo.InternalCDOSession.resetCredentials(String userID);

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper

Report message to a moderator

Re: [CDO] Best practices for managing users [message #1834267 is a reply to message #1834223]

Fri, 06 November 2020 09:51

Robert Schulk

Messages: 144
Registered: July 2015

Senior Member

We use these methods to change a user's password, which works fine.
But I am not sure how this can help during user removals.

Do I need to set the user's password to null before removing the user?

Report message to a moderator

Re: [CDO] Best practices for managing users [message #1834303 is a reply to message #1834267]

Fri, 06 November 2020 17:44

Eike Stepper

Messages: 6682
Registered: July 2009

Senior Member

Now I see what you mean. See how a stack trace would have helped my slow mind! :P

I suggest you submit abugzilla and I'll resolve the issue for you...

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper

Report message to a moderator