| Both sides previous revision
Previous revision
Next revision
|
Previous revision
|
devel:documentation:architecture:dev:filters [2020/04/17 07:37]
tomiskar |
devel:documentation:architecture:dev:filters [2020/06/11 20:11] (current)
tomiskar [Filters] |
| {{indexmenu_n>80}} | {{indexmenu_n>80}} |
| |
| <note important>Expand the introduction</note> | [[https://docs.oracle.com/javaee/6/tutorial/doc/gjivm.html|JPA criteria API]] is used for search entities from underlying database. JPA [[https://github.com/bcvsolutions/CzechIdMng/blob/develop/Realization/backend/core/core-api/src/main/java/eu/bcvsolutions/idm/core/api/service/AbstractReadDtoService.java#L419|predicate]] has to be constructed for all supported filter properties. Predicate can be constructed two ways: |
| | * by service - predicates are constructed in ''[[https://github.com/bcvsolutions/CzechIdMng/blob/develop/Realization/backend/core/core-api/src/main/java/eu/bcvsolutions/idm/core/api/service/AbstractReadDtoService.java#L326|AbstractReadDtoService#toPredicates]]'' method. This predicates are statically implemented and not overidable. |
| | * **By registered filter builders** - A mechanism for dynamic registry and composing of filters has been developed in the application for searching the data in IdM (identities, roles, tree structure components, etc.). A new filter can be registered for existing REST services in any module. Filter builder can be registered by custom module and can override filter builder from other module (e.g. filter in custom module can override core filter behavior). |
| |
| A mechanism for dynamic registry and composing of filters has been developed in the application for searching the data in IdM (identities, roles, tree structure components, etc.). A new filter can be registered for existing REST services in any module. Filter can be used by [[..:..:security:dev:authorization#base_authorization_evaluators|authoritazation policy evaluator]] for securing data access. | <note important> |
| | When no filter implementation is found for given filter property, then ''FilterNotSupportedException'' will be thrown. Filter builders (predicates) and all added filter properties have to be registered (constructed). Check for filter property is properly implemented is evaluated two ways: |
| | * By registered filter builders - filter key is used. |
| | * By filter definition (dto), if filter predicate is defined directly in service. Filter dto can define properties as fields or constants (see ''DataFilter'' generalization). **Make sure all properties are defined in filter dto if services predicate is used** - is required for check filter is supported. |
| | |
| | Check for filter property is properly implemented can be turned off by [[..:..:..application_configuration:dev:backend#entity_filters|configuration]] (e.g. before filter registration will be fixed). |
| | </note> |
| | |
| | <note tip>All supported filters can be found in [[#filter_agenda|agenda]] (menu Setting-> Modules -> Filters).</note> |
| | |
| | Filter can be used by [[..:..:security:dev:authorization#base_authorization_evaluators|authoritazation policy evaluator]] for securing data access. |
| | |
| | ===== Filter builder ===== |
| |
| The filter (''FilterBuilder'') is registered with the given key (''FilterKey''): | The filter (''FilterBuilder'') is registered with the given key (''FilterKey''): |
| |
| Finding managers of the entity by the IR, tree structures and set guarantees. The manager is the identity which has its IR on an organizational structure component superordinate to a structure component of the subordinate's IR. The manager (guarantee) can also be configured directly to the IR. | Finding managers of the entity by the IR, tree structures and set guarantees. The manager is the identity which has its IR on an organizational structure component superordinate to a structure component of the subordinate's IR. The manager (guarantee) can also be configured directly to the IR. |
| |
| <note important>Only valid or future valid contract can define managers and subordinates. Ended contract in the past cannot define managers or subordinates. On the other hand, contract state (e.g. manually disabled contract) still can define managers or subordinates - when contract is disabled by manager, then manager still can enable contract again.</note> | |
| |
| Filter parameters | Filter parameters |
| * ''managersByContract'' - an additional parameter; if it is entered, the managers are being searched for only by the given IR | * ''managersByContract'' - an additional parameter; if it is entered, the managers are being searched for only by the given IR |
| * ''includeGuarantees'' - True => it is being searched for managers by tree structures and managers (guarantee) configured directly to the IR. False => only managers by tree structures. | * ''includeGuarantees'' - True => it is being searched for managers by tree structures and managers (guarantee) configured directly to the IR. False => only managers by tree structures. |
| | * ''validContractManagers'' - an additional parameter; valid now or in future contracts. True => managers of contracts ended in the past will not be returned. False => managers of contracts ended in the past will be returned. All managers otherwise. |
| |
| Configuration: | Configuration: |
| ## managers by standard tree structure (manager will be found by contract on parent node) | ## managers by standard tree structure (manager will be found by contract on parent node) |
| idm.sec.core.filter.IdmIdentity.managersFor.impl=defaultManagersFilter | idm.sec.core.filter.IdmIdentity.managersFor.impl=defaultManagersFilter |
| | </code> |
| | |
| | ==== DefaultManagerContractBySubordinateContractFilter ==== |
| | |
| | @since 10.4.0 |
| | |
| | Find managers' contracts by subordinate contract. Finding managers' contracts by tree structures and set guarantees. The manager contract is on an organizational structure component superordinate to a structure component of the subordinate's contract. The manager (guarantee) can also be configured directly to the subordinate contract. |
| | |
| | Filter parameters |
| | |
| | * ''managersByContract'' - a key parameter; uuid of the subordinate contract for which the searched are managers' contracts |
| | * ''includeGuarantees'' - True => it is being searched for managers' contracts by tree structures and by direct guarantees. False => only managers' contracts by tree structures. |
| | * ''validContractManagers'' - an additional parameter; valid now or in future contracts. True => manager contracts of subordinate contract ended in the past will not be returned. False => manager contracts of subordinate contract ended in the past will be returned. All managers' contracts otherwise. |
| | |
| | Configuration: |
| | |
| | <code properties> |
| | ## contract filters |
| | ## managers by standard tree structure (manager will be found by contract on parent node) |
| | idm.sec.core.filter.IdmIdentityContract.managersByContract.impl=default-manager-contract-by-subordinate-contract-filter |
| </code> | </code> |
| |
| |
| Finding subordinates of the entity by the IR, tree structures and set guarantees. The subordinate is the identity which has its IR on an organizational structure component subordinate to a structure component of the manager's IR. The guarantee can also be configured directly to the IR. | Finding subordinates of the entity by the IR, tree structures and set guarantees. The subordinate is the identity which has its IR on an organizational structure component subordinate to a structure component of the manager's IR. The guarantee can also be configured directly to the IR. |
| |
| <note important>Only valid or future valid contract can define managers and subordinates. Ended contract in the past cannot define managers or subordinates. On the other hand, contract state (e.g. manually disabled contract) still can define managers or subordinates - when contract is disabled by manager, then manager still can enable contract again.</note> | |
| |
| Filter parameters | Filter parameters |
| |
| Finding subordinate contracts of the manager by the IR, tree structures and set guarantees. The subordinate contract is the contract which has its IR on an organizational structure component subordinate to a structure component of the manager's IR. The guarantee can also be configured directly to the IR. | Finding subordinate contracts of the manager by the IR, tree structures and set guarantees. The subordinate contract is the contract which has its IR on an organizational structure component subordinate to a structure component of the manager's IR. The guarantee can also be configured directly to the IR. |
| |
| <note important>Only valid or future valid contract can define managers and subordinates. Ended contract in the past cannot define managers or subordinates. On the other hand, contract state (e.g. manually disabled contract) still can define managers or subordinates - when contract is disabled by manager, then manager still can enable contract again.</note> | |
| |
| Filter parameters | Filter parameters |
| |
| Finding managers of the entity by the set guarantees. The manager (guarantee) has to be configured directly to the IR. | Finding managers of the entity by the set guarantees. The manager (guarantee) has to be configured directly to the IR. |
| |
| <note important>Only valid or future valid contract can define managers and subordinates. Ended contract in the past cannot define managers or subordinates. On the other hand, contract state (e.g. manually disabled contract) still can define managers or subordinates - when contract is disabled by manager, then manager still can enable contract again.</note> | |
| |
| Filter parameters | Filter parameters |
| * ''managersByTreeType'' - if it is entered, the filter is disabled (=> returns no data ~ ''disjunction'') | * ''managersByTreeType'' - if it is entered, the filter is disabled (=> returns no data ~ ''disjunction'') |
| * ''includeGuarantees'' - has to be true => it is being searched for managers configured directly to the IR. False => returns no data ~ ''disjunction''. | * ''includeGuarantees'' - has to be true => it is being searched for managers configured directly to the IR. False => returns no data ~ ''disjunction''. |
| | * ''validContractManagers'' - an additional parameter; valid now or in future contracts. True => managers of contracts ended in the past will not be returned. False => managers of contracts ended in the past will be returned. All managers otherwise. |
| Configuration: | Configuration: |
| |
| ## identity filters | ## identity filters |
| idm.sec.core.filter.IdmIdentity.managersFor.impl=guaranteeManagersFilter | idm.sec.core.filter.IdmIdentity.managersFor.impl=guaranteeManagersFilter |
| | |
| | </code> |
| | |
| | ==== GuaranteeContractBySubordinateContractFilter ==== |
| | |
| | @since 10.4.0 |
| | |
| | Finding managers' contracts by the given subordinate contract. The manager (guarantee) has to be configured directly to the IR. All managers' contracts are returned. |
| | |
| | Filter parameters |
| | |
| | * ''managersByContract'' - a key parameter; uuid of the subordinate contract for which the searched are managers' contracts |
| | * ''validContractManagers'' - an additional parameter; valid now or in future contracts. True => managers of contracts ended in the past will not be returned. False => managers of contracts ended in the past will be returned. All managers otherwise. |
| | Configuration: |
| | |
| | <code properties> |
| | ## contract filters |
| | idm.sec.core.filter.IdmIdentityContract.managersByContract.impl=guarantee-contract-by-subordinate-contract-filter |
| |
| </code> | </code> |
| |
| Finding subordinates by directly configured managers to the IR. | Finding subordinates by directly configured managers to the IR. |
| |
| <note important>Only valid or future valid contract can define managers and subordinates. Ended contract in the past cannot define managers or subordinates. On the other hand, contract state (e.g. manually disabled contract) still can define managers or subordinates - when contract is disabled by manager, then manager still can enable contract again.</note> | |
| |
| Filter parameters | Filter parameters |
| |
| Finding subordinate contracts by directly configured managers to the IR. | Finding subordinate contracts by directly configured managers to the IR. |
| |
| <note important>Only valid or future valid contract can define managers and subordinates. Ended contract in the past cannot define managers or subordinates. On the other hand, contract state (e.g. manually disabled contract) still can define managers or subordinates - when contract is disabled by manager, then manager still can enable contract again.</note> | |
| |
| Filter parameters | Filter parameters |
| ==== EavCodeManagersFilter ==== | ==== EavCodeManagersFilter ==== |
| |
| The second option for finding managers in the same way as ''DefaultSubordinatesFilter'' with a difference that the superordinate component is not being searched for by tree structure but by the value of an extended (eav) tree component parameter - a code of a different component is stated in the tree component, where there are managers (having IR on the given component) defined. | The second option for finding managers in the same way as ''DefaultManagersFilter'' with a difference that the superordinate component is not being searched for by tree structure but by the value of an extended (eav) tree component parameter - a code of a different component is stated in the tree component, where there are managers (having IR on the given component) defined. |
| | |
| <note important>Only valid or future valid contract can define managers and subordinates. Ended contract in the past cannot define managers or subordinates. On the other hand, contract state (e.g. manually disabled contract) still can define managers or subordinates - when contract is disabled by manager, then manager still can enable contract again.</note> | |
| |
| <code properties> | <code properties> |
| # extended attribute persistent type, 'shortTextValue' is prefered (indexed column by default), but 'stringValue' is used as default for compatibility reasons | # extended attribute persistent type, 'shortTextValue' is prefered (indexed column by default), but 'stringValue' is used as default for compatibility reasons |
| idm.sec.core.filter.IdmIdentity.managersFor.persistentType=shortTextValue | idm.sec.core.filter.IdmIdentity.managersFor.persistentType=shortTextValue |
| | </code> |
| | |
| | ==== EavCodeManagerContractBySubordinateContractFilter ==== |
| | |
| | @since 10.4.0 |
| | |
| | The second option for finding managers' contracts in the same way as ''DefaultManagerContractBySubordinateContractFilter'' with a difference that the manager contract is not being searched for by tree structure but by the value of an extended (eav) tree component parameter - a code of a extended attribute is stated in the tree component, where there are managers (having contract on the given component) defined. |
| | |
| | <code properties> |
| | ## contract filters |
| | ## managers by relation in eav attribute (manager will be found by code in eav on parent node) |
| | idm.sec.core.filter.IdmIdentityContract.managersByContract.impl=eav-code-manager-contract-by-subordinate-contract-filter |
| | # extended form definition code |
| | idm.sec.core.filter.IdmIdentityContract.managersByContract.formDefinition=default |
| | # extended attribute code - value contains superior node code |
| | idm.sec.core.filter.IdmIdentityContract.managersByContract.formAttribute=parentCode |
| | # extended attribute persistent type, 'shortTextValue' is prefered (indexed column by default), but 'stringValue' is used as default for compatibility reasons |
| | idm.sec.core.filter.IdmIdentityContract.managersByContract.persistentType=shortTextValue |
| </code> | </code> |
| |
| |
| The second option for finding subordinate contracts in the same way as ''DefaultContractByManagerFilter'' with a difference that the superordinate component is not being searched for by tree structure but by the value of an extended (eav) tree component parameter - a code of a different component is stated in the tree component, where there are managers (having IR on the given component) defined. Otherwise the functions and parameters are identical. | The second option for finding subordinate contracts in the same way as ''DefaultContractByManagerFilter'' with a difference that the superordinate component is not being searched for by tree structure but by the value of an extended (eav) tree component parameter - a code of a different component is stated in the tree component, where there are managers (having IR on the given component) defined. Otherwise the functions and parameters are identical. |
| |
| <note important>Only valid or future valid contract can define managers and subordinates. Ended contract in the past cannot define managers or subordinates. On the other hand, contract state (e.g. manually disabled contract) still can define managers or subordinates - when contract is disabled by manager, then manager still can enable contract again.</note> | |
| |
| <code properties> | <code properties> |