5 Replies Latest reply on Mar 11, 2014 1:44 PM by anil.saldhana

    Granting Permissions with JPA (NPE)


      Hello everybody!


      I've managed to get PicketLink working rather well with a ton of custom pieces (Custom authenticator, credentials, users, etc.) The last thing I'm trying to figure out is how to grant permissions. So far, I've tried granting permissions to my custom user class and a specific user. The granting looks like:


      permissionManager.grantPermission(user, CustomUsers.class, "TEST"); and permissionManager.grantPermission(user, user2, "TEST");


      The custom user class header looks as follows:


      @IdentityManaged({ CustomUsers.class })



          @AllowedOperation(value = "CREATE", mask = 1, classOperation = true),

          @AllowedOperation(value = "READ", mask = 2),

          @AllowedOperation(value = "UPDATE", mask = 4),

          @AllowedOperation(value = "DELETE", mask = 8)



      public class CustomUsersEntity extends IdentityTypeEntity



      The CustomUserPermissionHandler.class is pretty simple and follows the example from the documentation. The problem is that when I go to grant the permissions, I get a null pointer caused by the PermissionEntityMapper in the JPAIdentityStore (There are none!). I also found the annotation @PermissionManaged which is not mentioned in the documentation. Am I missing something?

        • 1. Re: Granting Permissions with JPA (NPE)

          You shouldn't need the @PermissionsHandledBy annotation as PicketLink provides built-in support for entity bean permissions already.  You will need an entity annotated with @PermissionManaged to store your permission records (I'll make a note that we need to cover this in the reference docs) - check out the following class for an example:



          1 of 1 people found this helpful
          • 2. Re: Granting Permissions with JPA (NPE)

            Thank you for the speedy response and perfect example! That almost seemed to do it! I got an error without the @PermissionsHandledBy annotation stating that the resource class needed one, so I simply left it. I'm no longer receiving the NPE, however identity.hasPermission is returning false incorrectly.  This is what the conditions looked like:

            Current identity id = [27e4119c-195e-4abc-ad54-8454438103d9], Assignee id = [27e4119c-195e-4abc-ad54-8454438103d9], ResourceClass = [com.test.picketlink.model.CustomUser], resourceIdentifier = [59589dfc-83f3-49be-aa44-02be06579d2a], currentResource = [59589dfc-83f3-49be-aa44-02be06579d2a], Operation = [CREATE]


            So it seems like it should be returning true. After doing some debugging, it seems it's returning false because there are no "PermissionVoter"s. Any idea why?

            • 3. Re: Granting Permissions with JPA (NPE)

              Hmm, you'll probably need to add a producer method for the PersistentPermissionVoter.  We should probably provide this in the base module of PicketLink itself.  For now, adding the following producer method somewhere in one of your beans *should* work:


              @Produces @ApplicationScoped

              public PermissionVoter producePermissionVoter(PartitionManager partitionManager) {

                 return new PersistentPermissionVoter(partitionManager);


              • 4. Re: Granting Permissions with JPA (NPE)

                Thank you! That did the trick!

                • 5. Re: Granting Permissions with JPA (NPE)

                  Hi Michael - I am very glad that your use cases are working with PicketLink.


                  Have you considered:

                  a) Contributing a short tutorial on your use case. The community will find it very useful in the future.

                  b) Becoming a contributor to PicketLink.  I am sure you will find areas to contribute yourself.