The default naming strategy of hibernate is the EJB3NamingStrategy. The strategy maps camel case attributes like userName to the column name username. When switching to Spring Boot, the default naming strategy is set by Boot to ImprovedNamingStrategy. This leads to problems with the column names of camel case entity attributes which are not annotated with @Column and a set name parameter (e.g. @column(name = "username") ). I think we should use the ImprovedNamingStrategy before migrate to Spring Boot and add flyway migrations for postgres and mysql to use underscores for mixed case names.

Like already did for the 2.x branch, we should improve the handling of parallel request.

As discussed in osiam/osiam#29, we should write some REST-API docs using spring-restdocs to get a clear impression on it's capabilities. The resource-server should be a good place to start, I think.

This repo should contain stuff so that a Docker image can be build. It should be possible to build it as a trusted image on the Hub and also for local testing during development. This can be achieved in the following way:

The install script that runs during the build process checks if there is a locally-built war file in the target folder and uses this. Otherwise it installs Maven, etc. and builds the war itself or downloads it from the central/Sonatype snapshots or something else.

The OsiamController and the underlying SCIMExtensionProvisioning service layer isn't tested!

If a user will be created with an address and the postalCode is not set, the postalCode will be include as 'null' String in the json output of the user.

Moved from Jira:

It looks like, that the types of a User GroupRef is not set probably.
Also the indirect Group refs. of a User are not set at all.
At least this should be checked if it is working.

This repo should contain stuff so that a Debian package can be build. It's still open whether we should use vanilla Debian packaging scripts and stuff, or maybe use the excellent pkg-maven-plugin. I would recommend the pkg-maven-plugin.

Moved from Jira:

When using = instead of eq in the string filter with the OsiamConnector, the filter string will be cut and no exception fired.

Right filter string:
"userName eq "user1" and name.formatted eq "formatted1""
-> both constraints will be used

Wrong filter strings:
"userName eg "user1" and name.formatted = "formatted1""
-> just uses the first constraint, the second will be cut

"userName = "user1" and name.formatted = "formatted1""
-> exception fired: org.osiam.client.exception.ConflictException: no viable alternative at input 'userName"user1"'

As a pre step to a fully standalone application in form of a Spring Boot fat jar, we should migrate the resource-server after the configuration migration to a fat war which is deployable like before. This was already done in the self-administration and we made good experience with the split into small migration steps. Next stop: fat jar!

Moved from osiam/server#247

@sschum:

It seams that is a bug in the filter mechanism. Even if I use the "not" filter, the result is not that what I would expect!

For example:

1. I want to search all users that are NOT included in a given group. Than I want to use the following filter: not(groups eq "<groupId>")
2. I want to search all groups in which is the user NOT a member. Than I want to use the following filter: not(members eq "<userId>")

In the following I have create a little JUnit-Test-File. In there the use-cases demonstrated.
EDIT: here is the gist-link: https://gist.github.com/sschum/ad6a09a2e70ae95ad1ce

@dacrome:

I will check this bug. Thanks for sharing!

...and please post your example code next time in a gist and copy the link here :) or you open a PR to the integration-tests of OSIAM for easy verify :) thank you!

Using properties files is not really an optimal way to configure this application. As discussed here, we decided to switch to YAML.

After #21 has been solved, we can move on and finally switch to a standalone, runnable .jar deployment. This does not contain switching to YAML files, which will be done in a separate step.

Moved from Jira:

the schema in the ScimSearchResult ist at the moment e.g.

[urn:scim:schemas:core:2.0:User]

But according to
http://tools.ietf.org/html/draft-ietf-scim-api-02#section-3.2.2
it should be like
["urn:scim:schemas:core:2.0:ListResponse"]

This is the umbrella issue for the transition of this component to a Spring Boot standalone application with an executable fat JAR. See also osiam/osiam#5 for the initial reasons and discussion.

Tasks that have to be done:

• Change Hibernate naming strategy (#11)
• Switch from XML to Java configuration (Issue: #20 / PR: #50)
• Introduce Spring Boot, but keep WAR deployment (#21 / PR: #53)
• Switch to YAML configration (#44)
• Switch to standalone application (#45)

Please, maintain this list, if you add new issues or close existing ones.

The current implementation of error returns is not adhering to the SCIM 2.0 spec. This has to be fixed, if we want to be truly SCIM 2.0 compliant.

Currently it is possible to create a user with multi-valued attributes where only the sub-attribute 'primary' is set. This should not be possible, a multi-valued attribute should only be valid if at least one of the sub-attributes are set that needed for the identification of the resource.

At this time the resource server is using a custom AOP aspect to measure the time a method is running (org.osiam.resources.helper.MeasureDurationTimeOfMethods). This should be replaced with Metrics' @timed annotation.

As @mirabilos pointed out in auth-server#55 the resource server doesn't generate a meaningful log message if it refuses to validate an access token because of an unreachable auth server.

Like already discussed in the OSIAM umbrella repo, the time is right to support standalone application with Spring Boot fat jars. I already created pre steps in form of issues in this repo, to reach the goal of a standalone application without the currently ugly deployment!

We have the home grown profiling solution that is implemented as an aspect in MeasureDurationTimeOfMethods. It never was the most elegant solution to begin with and since we have introduced the most excellent metrics framework it is now time for this implementation to go. I suggest that we remove it.

In AccessTokenValidationService currently not all possible exceptions thrown by the connector are handled. I already descibed a possible solution how they could be handled.

When updating a user's email address in way that removes the email address and then adds it back again, the order of the respective statements matters. This is wrong regarding the SCIM 2.0 spec that states something like: first values that are marked for deletion have to be removed, and then new values should be added.

Steps to reproduce:

1. Create a new User with an email address

2. Create an UpdateUser and add and then delete the email address:

   Email email = user.getEmails().get(0);
   UpdateUser updateUser = new UpdateUser.Builder()
           .addEmail(email)
           .deleteEmail(email)
           .build();
   

3. Update the User

Expected result:

The User has not been changed.

Actual result:

The User's email address has been deleted

See also: osiam/connector4java-integration-tests#253

The section about Service Provider Configuration Endpoints of the SCIM Specification describes a /RessourceTypes endpoint that enables clients to discover the list of supported ResourceTypes.

Currently a combination of log4j and JUL is used.

Since #20/#50 the /Metrics endpoint does not report any data. This obviously happened because no one configured it within the new Java config. See https://github.com/ryantenney/metrics-spring#basic-usage for details.

It would be beneficiary to the overall performance if we had database connection pools.

The xml configuration should be removed and migrate to java configuration. The Spring Framework provides java configuration since version 3.1 and this can be done as a first step to Spring Boot. We already made good experience with the configuration migration in the self-administration. We should check if this step can be used to migrate Spring OAuth2 version 1.0.5.RELEASE to the latest version 2.0.7.RELEASE to take advantage of the new configuration annotations. Maybe also a bump of the Spring Security version to the latest 4.0.1.RELEASE is possible.

As discussed in osiam/osiam#12, we want to get rid of the annoying SSLRequestLoggingFilter.

Moved from Jira.

Severity: wishlist

Please add a request that returns the version of the OSIAM resource server that is actually running, including an indication that it’s the OSIAM resource server (to avoid problems like deploying resource server as osiam-auth-server.war caused by a copy/paste mistake). For this reason, please choose a harmonised request path, and make it accessible without auth.

Moved from Jira

When using getValue() on a group member you get the UUID, but you can not get the type via getType(). It always return null.

The section about Service Provider Configuration Endpoints of the SCIM Specification describes a /Schemas endpoint that enables clients to discover the list of supported Schemas.

We need properties for the connection pool (how many connection and the connection timeout) of the internal connector4java. And we need also a property for the DB-Pool-Size (hikari).

one should be able to define password constraints at configuration/deployment time. we should start with minimal length constraints and add something like character classes later on. constraints should be configurable via the main configuration file (resource-server.properties at the time of writing). also, the connector(s) have to be extended to support the new behavior (like throwing an exception or something).