Externally provisioned roles should not be persisted


When you have:

1. a UserDirectoryProvider used as the same time as the default internal user/role provider, and
2. you have a user created in Opencast that also exists in the external provider, and
3. the external provider allocates additional roles to the user,

then Opencast persists those external roles in the internal database (mh_user_role and mh_role), which is undesireable as the external roles should be exclusively under the control of the external provider.


Corné Oosthuizen
August 26, 2016, 2:01 AM

Hi ,

It looks like the SakaiUserProviderInstance is returning the correct roles and marking them as not persistent (persistable is false).

2016-08-25 17:40:10,503 | DEBUG | (SakaiUserProviderInstance:268) - Returning JaxbRoles: [d7436006-d774-437a-a815-d8cdf6711cdc_Instructor:mh_default_org:false, 6225d2ce-70c2-46bf-0050-1dd32c9b9471_Learner:mh_default_org:false, 7d1a0d1b-4287-45ef-b507-a04fd5b66da7_Learner:mh_default_org:false, a0dac228-3811-4166-8f6d-7c82dc477c2c_Instructor:mh_default_org:false, 922248af-9892-4539-0001-172b35ae4981_Learner:mh_default_org:false, f78dbac9-6f73-4fb0-8067-c2ff5f75c78d_Learner:mh_default_org:false, 4a3218ce-0107-45cf-87c3-c69496070e55_Learner:mh_default_org:false, ROLE_USER:mh_default_org:false, 8f0ed5a8-a3f5-4d11-b52c-0c095a25901d_Learner:mh_default_org:false, 259a03e7-e7b9-4e17-9ca7-18064ed6d431_Instructor:mh_default_org:false]

public final class JaxbRole implements Role {

public String toString() {
return new StringBuilder(name).append(":").append(organization).append(":").append(persistable).toString();

On saving the persistence flag is not set.

2016-08-25 17:40:25,375 | DEBUG | (UserDirectoryPersistenceUtil:74) - saveRoles: d7436006-d774-437a-a815-d8cdf6711cdc_Instructor true

for (Role role : roles) {
logger.debug("saveRoles: " + role.getName() + " " + role.isPersistable().toString());
if (role.isPersistable() == Boolean.TRUE) {

The description on save is also not the one as defined in code.

for (String r : sakaiRoles) {
roles.add(new JaxbRole(r, jaxbOrganization, "Sakai site", Boolean.FALSE));

Somewhere the class is not set correclty or the values are not transferred. I'm wondering where to start looking?


Greg Logan
August 26, 2016, 2:36 AM

Hey Corné, are you starting from a fresh DB, or a cleaned DB? Once the roles have been persisted they won't be removed by these changes - so you either need to start fresh or clean them out of the DB first.

Greg Logan
August 26, 2016, 5:52 AM

Trying to test against the Sakai QA box, I get the following exception:

2016-08-25 13:50:42,047 | INFO | (SakaiUserProviderInstance:223) - In loadUserFromSakai, currently processing user : test
2016-08-25 13:50:42,548 | WARN | (SakaiUserProviderInstance:379) - error getting userId: java.io.IOException: Server returned HTTP response code: 403 for URL: https://qa11-mysql.nightly.sakaiproject.org/direct/user/test.xml?__auth=basic

Not sure what I'm doing wrong, since I can log in with the same credentials via the web interface, and opening the link in the browser works fine...

My config looks like this:

  1. Sakai UserDirectoryProvider configuration

  1. The organization for this provider

  1. The URL and login details for the Sakai server

  1. The maximum number of users to cache

  1. The maximum number of minutes to cache a user

Corné Oosthuizen
September 26, 2016, 10:07 PM

Hi Greg,

Add a user that exists in Sakai - creates the user and does not save the other roles


  • Cannot add additional internal roles to the user (ie. ROLE_ADMIN).

b) Create a new user

  • Add roles as part of the new user create steps > User not created and

2016-09-26 13:56:03,891 | WARN | (LogUtils:365) - Application {http://endpoint.adminui.opencastproject.org/}UsersEndpoint has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: org.json.simple.JSONObject cannot be cast to java.lang.String

  • Create a user without roles and trying to add internal roles afterwards doesn't save the added roles.

Greg Logan
September 30, 2016, 12:34 PM

1) Add user that exists in Sakai, creates user but does not save other roles

I think this is the previous behaviour, but I want to be sure: By default new users in Opencast don't get any roles (not even ROLE_USER, oddly), so they would not get any Sakai roles. The Sakai roles aren't an option (see MH-11717, I'm working on it) in the role select, but the Opencast roles are. If I add those roles things seem to work fine for me post minor changeset that I'm about to push.

2) Cannot add additional internal roles to the user

See above, I can add roles both during creation and as a post-creation modification, although update has always worked for me.

Does the changeset resolve your testing issues?

Fixed and reviewed


Greg Logan


Stephen Marquard

Tags (folksonomy)



Fix versions

Affects versions