Migrating security and multitenancy to the latest version

Hi
I have a fairly large project that was originally developed in platform v 6.x but migrated to the newest version after the release of v 7.0. It was working fine.

After some changes in security (e.g. the all denials feature) and v 7.2 of the multitenancy add-on, I have migrated it to the latest and am having some issues.

Here is what I did to migrate:

  1. Migrated security following this thread in the forum

  2. Migrated multitenancy following these instructions in GitHub

Here are the problems I am getting after the migration:

  1. When I create a role within the process of creating a tenant, here is what you see: a blank row is already selected by default, as you see in the Roles table below.

I can add a new role but can’t edit this blank row; I get the following exception:

    java.lang.IllegalArgumentException: entity is null
        at com.haulmont.bali.util.Preconditions.checkNotNullArgument(Preconditions.java:102)
        at com.haulmont.cuba.core.global.EntityStates.isNew(EntityStates.java:69)
        at com.haulmont.cuba.core.global.PersistenceHelper.isNew(PersistenceHelper.java:37)
        at com.haulmont.cuba.gui.components.AbstractEditor.setItem(AbstractEditor.java:151)
        at com.haulmont.cuba.gui.components.AbstractEditor.setEntityToEdit(AbstractEditor.java:451)
        at com.haulmont.cuba.web.sys.WebScreens.openEditor(WebScreens.java:1188)
        at com.haulmont.cuba.gui.components.HasWindowManager.openEditor(HasWindowManager.java:188)
        at com.haulmont.cuba.gui.app.security.user.edit.UserEditor$EditRoleAction.actionPerform(UserEditor.java:683)
        at com.haulmont.cuba.web.gui.components.WebButton.buttonClicked(WebButton.java:67)
        at com.haulmont.cuba.web.widgets.CubaButton.fireClick(CubaButton.java:76)
        at com.vaadin.ui.Button$1.click(Button.java:57)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.vaadin.server.ServerRpcManager.applyInvocation(ServerRpcManager.java:153)
        at com.vaadin.server.ServerRpcManager.applyInvocation(ServerRpcManager.java:115)
        at com.vaadin.server.communication.ServerRpcHandler.handleInvocation(ServerRpcHandler.java:431)
        at com.vaadin.server.communication.ServerRpcHandler.handleInvocations(ServerRpcHandler.java:396)
        at com.vaadin.server.communication.ServerRpcHandler.handleRpc(ServerRpcHandler.java:260)
        at com.vaadin.server.communication.UidlRequestHandler.synchronizedHandleRequest(UidlRequestHandler.java:82)
        at com.vaadin.server.SynchronizedRequestHandler.handleRequest(SynchronizedRequestHandler.java:40)
        at com.vaadin.server.VaadinService.handleRequest(VaadinService.java:1578)
        at com.vaadin.server.VaadinServlet.service(VaadinServlet.java:425)
        at com.haulmont.cuba.web.sys.CubaApplicationServlet.serviceAppRequest(CubaApplicationServlet.java:329)
        at com.haulmont.cuba.web.sys.CubaApplicationServlet.service(CubaApplicationServlet.java:215)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108)
        at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74)
        at com.haulmont.cuba.web.sys.CubaHttpFilter.doFilter(CubaHttpFilter.java:93)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at com.haulmont.cuba.web.sys.singleapp.SingleAppWebContextLoader$SetClassLoaderFilter.doFilter(SingleAppWebContextLoader.java:257)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1591)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)

When I click on “Add roles” and then choose to create a new role, the title of the window looks confusing as it shows “New User”.

After creating the tenant, when I go to view the new admin user of the tenant from my global access (Admin), I see the group field in the UI is empty and two blank rows in the Roles table, as you see in the image.

  1. When I go to the database, I noticed that for the role I created during tenant creation for the tenant admin, the SYS_TENANT_ID field is empty; not sure if this is expected.

I am stuck here as I couldn’t log in using the tenant admin user.

Here are some fields from the sec_user table (I had already extended the user before implementing multitenancy, therefore DTYPE contains a different value to address that):

  1. My ExtUser entity was extended to TenantUser, but I have now noticed that it is deprecated. This might be one of the root causes. What do I extend my ExtUser to?

     @Listeners("erp_ExtUserListener")
     @Extends(User.class)
     @Entity(name = "erp$ExtUser")
     public class ExtUser extends TenantUser {
         private static final long serialVersionUID = -6070967633499943157L;
         // remaining fields and methods are not shown in the original post
     }

Thanks for any help to resolve this.

If you execute the query below:

    select * from sec_user_role;

you will find that, by default, you have two user-roles, and both are not linked to any role. These two user-roles are:

  1. system-full-access
  2. system-minimal

By default, if you create any user, this user will be granted system-minimal, which is not linked to any role, so it shows as blank inside the roles table.

If you try to edit the blank role, you get "entity is null". This is a bug inside Cuba Platform; I hope that it will be fixed in an upcoming release.

If you want to override anything related to the platform defaults, you have the option to extend all the screens and edit them freely. I did the same by overriding all default application screens, and I have the flexibility to do what I want.

Below is the screenshot from my application, in which I'm overriding all administration and settings screens.
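The two database observations in this thread, written as review queries over a constructed, simplified schema (an added example, not code from the posters or from the platform): user-role assignments with no linked role row, and roles held by a tenant user whose SYS_TENANT_ID is empty or different from the user's. The `user_id`, `role_id` and `role_name` columns, the `sys_tenant_id` column on `sec_user`, and all sample rows are assumptions; the queries run against an in-memory SQLite database.

```python
import sqlite3

# Constructed, simplified schema. Only the table names and SYS_TENANT_ID on
# the role come from the thread; every other column name is an assumption.
SCHEMA = """
CREATE TABLE sec_user (id TEXT PRIMARY KEY, login TEXT, sys_tenant_id TEXT);
CREATE TABLE sec_role (id TEXT PRIMARY KEY, name TEXT, sys_tenant_id TEXT);
CREATE TABLE sec_user_role (id TEXT PRIMARY KEY, user_id TEXT,
                            role_id TEXT, role_name TEXT);
"""

# Constructed sample rows: a global admin and one tenant admin ('acme').
SAMPLE = """
INSERT INTO sec_user VALUES ('u1', 'admin', NULL), ('u2', 'acme_admin', 'acme');
INSERT INTO sec_role VALUES ('r1', 'acme-manager', NULL), ('r2', 'acme-clerk', 'acme');
INSERT INTO sec_user_role VALUES
  ('ur1', 'u1', NULL, 'system-full-access'),
  ('ur2', 'u2', NULL, 'system-minimal'),
  ('ur3', 'u2', 'r1', NULL),
  ('ur4', 'u2', 'r2', NULL);
"""

# Assignments that have no sec_role row behind them (the blank rows in the UI).
UNLINKED = """
SELECT u.login, ur.role_name
FROM sec_user_role ur JOIN sec_user u ON u.id = ur.user_id
WHERE ur.role_id IS NULL
ORDER BY u.login, ur.role_name
"""

# Roles granted to a tenant user that carry no tenant id or a different one.
TENANT_MISMATCH = """
SELECT u.login, r.name
FROM sec_user_role ur
JOIN sec_user u ON u.id = ur.user_id
JOIN sec_role r ON r.id = ur.role_id
WHERE u.sys_tenant_id IS NOT NULL
  AND (r.sys_tenant_id IS NULL OR r.sys_tenant_id <> u.sys_tenant_id)
ORDER BY u.login, r.name
"""

def build_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def audit(conn):
    """Return the rows each review query selects, keyed by check name."""
    return {"unlinked": conn.execute(UNLINKED).fetchall(),
            "tenant_mismatch": conn.execute(TENANT_MISMATCH).fetchall()}
```

The second query only lists rows for review; whether an empty SYS_TENANT_ID on a tenant-created role is expected is the open question in the original post.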

@abd.ibrahim.allam
Do you know the YouTrack number for the related bugs in CUBA that you mentioned?

No, you can write the same with the stack trace on the form and one of the team will refer to it.

Thanks. I would appreciate it if the CUBA team could have a look at what I have posted for the next steps.

I have removed my user Entity and screen extension and implemented an alternative solution to manage specific needs. The post may be considered closed.