Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-29839

AbstractUserMapper should create Transaction if needed

    Details

      Description

      Context

      In the context of a SAML Authentication, we can create/update the User and the associated profile during the login.
      This is typically achieved via AbstractUserMapper.getOrCreateAndUpdateNuxeoPrincipal, if the mapping class or script provides profile information, we will try to create it:

       if (userModel != null && profileAttributes.size() > 0 && update) {
                 ...
                  new UnrestrictedSessionRunner(repoName) {
                          @Override
                          public void run() {
                              DocumentModel profile = UPS.getUserProfileDocument(login, session);
                              updateProfile(session, profileAttributes, profile);
                          }
                      }.runUnrestricted();
                  ...
              }
      

      The problem is that depending on what URL is used as a callback, the transaction may not have been started by the RequestControllerFilter and as a consequence try to use the CoreSession will raise an error

      Cannot create a CoreSession outside a transaction
      

      Error

      2020-11-05T23:13:45,841 ERROR [http-nio-0.0.0.0-8080-exec-10] [org.nuxeo.ecm.platform.web.common.exceptionhandling.DefaultNuxeoExceptionHandler] org.nuxeo.ecm.core.api.NuxeoException: Cannot create a CoreSession outside a transac
      tion
              at org.nuxeo.ecm.core.api.local.LocalSession.<init>(LocalSession.java:66)
              at org.nuxeo.ecm.core.api.CoreSessionServiceImpl.createCoreSession(CoreSessionServiceImpl.java:35)
              at org.nuxeo.ecm.core.api.CoreInstance.getCoreSession(CoreInstance.java:100)
              at org.nuxeo.ecm.core.api.CoreInstance.getCoreSession(CoreInstance.java:49)
              at org.nuxeo.ecm.core.api.UnrestrictedSessionRunner.runUnrestricted(UnrestrictedSessionRunner.java:122)
              at org.nuxeo.usermapper.extension.AbstractUserMapper.getOrCreateAndUpdateNuxeoPrincipal(AbstractUserMapper.java:122)
              at org.nuxeo.usermapper.service.UserMapperComponent.getOrCreateAndUpdateNuxeoPrincipal(UserMapperComponent.java:110)
              at org.nuxeo.ecm.platform.auth.saml.user.UserMapperBasedResolver.findOrCreateNuxeoUser(UserMapperBasedResolver.java:67)
              at org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider.lambda$handleRetrieveIdentity$0(SAMLAuthenticationProvider.java:458)
              at org.nuxeo.runtime.api.Framework.loginAndDo(Framework.java:285)
              at org.nuxeo.runtime.api.Framework.doPrivileged(Framework.java:272)
              at org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider.handleRetrieveIdentity(SAMLAuthenticationProvider.java:458)
              at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.handleRetrieveIdentity(NuxeoAuthenticationFilter.java:1012)
              at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doFilterInternal(NuxeoAuthenticationFilter.java:441)
              at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doFilter(NuxeoAuthenticationFilter.java:336)
              ...
      

      Solution

      Update the code in AbstractUserMapper to hand the transaction.

      We could use this has an opportunity to remove the usage of UnrestrictedSessionRunner and use something like:

      
       TransactionHelper.runInTransaction(() -> {
                      CoreInstance.doPrivileged(session, (CoreSession unrestrictedSession) -> {
                          updateProfile(unrestrictedSession);
                      });
                  });
      

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 30 minutes
                30m

                  PagerDuty

                  Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.