How to override the default security ACL to make it case-insensitive to the username?
We have a messy AD where not all email addresses are in lower case. Some are capitalized and some are not. Because of this, a user may log in with USer@acme.com or user@acme.com. I see in the ACLs table that the permissions are stored both ways, depending on how the user was logged in at the time the documents were created.
So, because of this, sometimes a user doesn't have access to basic functionality like editing their own profile or accessing the personal workspace.
Since Nuxeo 5.4.2, you can force the id case of the directory entries to "lower" or "upper" in the LDAPDirectory configuration with <idCase>lower</idCase>, for instance. The default value for that parameter is "unchanged".
That should fix your issue without having to mess with the ACL system. Nuxeo principal ids must be unique, not only for the ACL system but also for looking up documents by creator id, for instance.
If you already have bad production data in the SQLDirectory you will need to write migration SQL script(s) for your SQLDirectory to merge entries with ids in various cases that were potentially created before using <idCase>lower</idCase> on the LDAPDirectory.
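The migration the answer above calls for, written out as an added example (it is not from the original thread or from Nuxeo). It assumes the default SQLDirectory layout, a users table keyed by username, and the core acls table whose "user" column holds principal ids; table and column names are assumptions to check against your own schema, and it is written for PostgreSQL. Run it on a copy first: the first query also surfaces the one case where folding is unsafe, namely two genuinely different accounts whose ids differ only by case, which you must resolve by hand before the UPDATEs merge them.

```sql
BEGIN;

-- 1. Audit: which directory ids collide once case is folded?
--    Review this list before going further; distinct people must not be merged.
SELECT lower(username)      AS canonical,
       count(*)             AS variants,
       array_agg(username)  AS spellings
FROM users
GROUP BY lower(username)
HAVING count(*) > 1;

-- 2. Keep one directory row per canonical id: prefer the row that is already
--    lower case, otherwise the alphabetically first spelling; drop the rest.
DELETE FROM users u
USING (
  SELECT username,
         row_number() OVER (PARTITION BY lower(username)
                            ORDER BY (username = lower(username)) DESC, username) AS rn
  FROM users
) d
WHERE u.username = d.username AND d.rn > 1;

UPDATE users SET username = lower(username)
WHERE username <> lower(username);

-- 3. Fold the principal ids stored on ACEs so existing grants match the
--    single lower-case id the directory now returns.
UPDATE acls SET "user" = lower("user")
WHERE "user" IS NOT NULL AND "user" <> lower("user");

-- 4. Remove ACEs that became exact duplicates after folding
--    (same document, same principal, same permission, same grant/deny).
DELETE FROM acls a
USING acls b
WHERE a.id = b.id
  AND a."user" = b."user"
  AND a.permission = b.permission
  AND a."grant" = b."grant"
  AND a.pos > b.pos;

-- 5. Verify: both checks must return zero rows before committing.
SELECT username FROM users WHERE username <> lower(username);
SELECT "user" FROM acls WHERE "user" IS NOT NULL AND "user" <> lower("user");

COMMIT;
```

Any other table that stores a principal id as data (group membership, document creators, dc:contributors) needs the same lower() pass; step 3 only covers the ACL table the question is about.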
In the SQL directory there are indeed only lower-case usernames (emails), but if I try to log in with the same email in upper case, the SQL directory doesn't load the record from the table.
I believe that is because the loading from directories is based on the username entered in the login screen.
In the meantime you can contribute your own implementation to the UserManagerService by deriving the default implementation and overriding the getPrincipal method to force the lower case on the id at that level. That should solve your issues.
Thanks.
makePrincipal is useless since the user entry is already fetched from the user directory when this method is called. Override getPrincipal as I said previously instead.

It worked like this:
    import java.util.Locale;
    import org.nuxeo.ecm.core.api.ClientException;
    import org.nuxeo.ecm.core.api.DocumentModel;
    import org.nuxeo.ecm.core.api.NuxeoPrincipal;
    import org.nuxeo.ecm.platform.usermanager.UserManagerImpl;

    public class LowerCaseUserManager extends UserManagerImpl { // derives the default impl; class name is illustrative
        @Override
        public NuxeoPrincipal getPrincipal(String username, DocumentModel context)
                throws ClientException {
            if (username == null) {
                return null;
            }
            // Locale.ROOT: fold case independently of the JVM default locale
            return super.getPrincipal(username.toLowerCase(Locale.ROOT), context);
        }
    }