if I create a new group of resource from the base example, then Alice is not able to access to resources contains on this new group but only the group itself

p, alice, data1,   read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write
g, alice, data2_admin
g, data3, datagroup
p, data2_admin, datagroup, read

if I request like this

{
	"user":"alice",
	"resource":"data3",
	"action":"read"
}

then the answer is : NO , expected is : YES

proof :

• alice belongs to data2_admin
• data3 belongs to datagroup
• permission is given READ for group of user data2_admin on group of resource datagroup
  by transitivity alice should be able to READ data3

Running example from the chapter Scaling the model for complex and large number of ABAC rules
end-up with exception:
com.googlecode.aviator.exception.ExpressionRuntimeException: Could not find function named 'eval'

Could you please advise how to enable the eval() method in jCasbin?

Hi,

I'm not able to enforce a policy that is working on Casbin Editor with jCasbin.

I have this conf:

[request_definition]
r = sub, obj, act, artifact

[policy_definition]
p = sub, obj, act, artifact

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.act, p.act) && regexMatch(r.artifact, p.artifact)

This policy file:

p, group_app1_manager, schema, promote, .*APP1
p, group_app1_manager, schema, get, .*APP1
p, group_app1_manager, schema, create, .*APP1
p, group_app1_manager, schema, get, .*APP1
p, group_app1_manager, topic, create, .*APP1

p, group_app1_viewer, topic, list, .*APP1
p, group_app1_viewer, topic, get, .*APP1
p, group_app1_viewer, schema, get, .*APP1
p, group_app1_viewer, schema, list, .*APP1

p, group_dsp_admin, *, *, .*

g, admin, group_dsp_admin
g, viewer, group_app1_viewer
g, manager, group_app1_manager

My code:

    @Test
    public void givenViewerUser_ThenList_MustAllow() {
        assertTrue(enforcer.enforce("viewer", "schema", "list", "europe-west1-APP1-SALES-BY-LOCATION-value"));
    }

My application log:

16:28:36.360 [main] INFO  org.casbin.jcasbin - Model:
16:28:36.361 [main] INFO  org.casbin.jcasbin - p.p: sub, obj, act, artifact
16:28:36.361 [main] INFO  org.casbin.jcasbin - r.r: sub, obj, act, artifact
16:28:36.361 [main] INFO  org.casbin.jcasbin - e.e: some(where (p_eft == allow))
16:28:36.361 [main] INFO  org.casbin.jcasbin - g.g: _, _
16:28:36.361 [main] INFO  org.casbin.jcasbin - m.m: g(r_sub, p_sub) && keyMatch(r_act, p_act) && regexMatch(r_artifact, p_artifact)
16:28:36.370 [main] INFO  org.casbin.jcasbin - Policy:
16:28:36.370 [main] INFO  org.casbin.jcasbin - p: sub, obj, act, artifact: [[group_app1_manager, schema, promote, .*APP1], [group_app1_manager, schema, get, .*APP1], [group_app1_manager, schema, create, .*APP1], [group_app1_manager, schema, get, .*APP1], [group_app1_manager, topic, create, .*APP1], [group_app1_viewer, topic, list, .*APP1], [group_app1_viewer, topic, get, .*APP1], [group_app1_viewer, schema, get, .*APP1], [group_app1_viewer, schema, list, .*APP1], [group_dsp_admin, *, *, .*]]
16:28:36.370 [main] INFO  org.casbin.jcasbin - g: _, _: [[admin, group_dsp_admin], [viewer, group_app1_viewer], [manager, group_app1_manager]]
16:28:36.371 [main] INFO  org.casbin.jcasbin - Role links for: g
16:28:36.371 [main] INFO  org.casbin.jcasbin - viewer < group_app1_viewer
16:28:36.371 [main] INFO  org.casbin.jcasbin - group_app1_viewer < 
16:28:36.371 [main] INFO  org.casbin.jcasbin - manager < group_app1_manager
16:28:36.371 [main] INFO  org.casbin.jcasbin - group_dsp_admin < 
16:28:36.371 [main] INFO  org.casbin.jcasbin - group_app1_manager < 
16:28:36.371 [main] INFO  org.casbin.jcasbin - admin < group_dsp_admin
16:28:36.454 [main] INFO  org.casbin.jcasbin - Request: viewer, schema, list, europe-west1-APP1-SALES-BY-LOCATION-value ---> false

Any ideas?

Thanks a lot!

As we know only request is permissible to have object and object to be associated with functions in matcher definition.

Currently I want to create the Intimefunction in which I want to provide limited time admin access or privilege access to certain users.

I have created the function and added the same using enforcer.addFunction(name, function(instance)).

Do I not require to input any policies according to the limited access, Actually it may become mixture of RBAC and ABAC.
I want to know how to enforce the above criteria, how to pass the enforcing on the parameters or on what condition I need to check

Hi, I need to use casbin with jsf for my project. Is there any taglib available for jsf which can be used for role based page display ?

I've written a function but now how should add it to function map?

public class InCollectionFunc extends AbstractFunction {
    public InCollectionFunc() {
    }

    public AviatorObject call(Map<String, Object> env, AviatorObject arg1, AviatorObject arg2, AviatorObject arg3) {
        String value = FunctionUtils.getStringValue(arg1, env);
        String collection = FunctionUtils.getStringValue(arg3, env);
        return AviatorBoolean.valueOf(isInCollection(value, collection));
    }

    private boolean isInCollection(String value,String collection) {
        System.out.println("value:" + value + " isIn collection:" + collection);
        return true;
    }

    public String getName() {
        return getNameStatic();
    }

    public static String getNameStatic() {
        return "isIn";
    }
}

enforcer = new Enforcer("erole.conf", "policy.csv");
enforcer.addFunction(InCollectionFunc.getNameStatic(),new InCollectionFunc());

I'm using Casbin on the backend which uses java.. so i need to store my policies in a Serverless DB so that i dont have to worry about scalability/maintainence using Casbin DB adapter

We already used semantic-release in Go and Nodejs, see Node-Casbin: casbin/node-casbin#153 (comment)

I think we should also integrate it into Java. It will auto-release to GitHub Releases and Maven via plugin: https://github.com/conveyal/maven-semantic-release

Can anyone work on it?

Use case is that I have a program that takes a model and a policy path and to test it I'd like to be able to do something like

Model m = newModel();
m.addDef("r", "r", "sub, obj, act");
m.addDef("p", "p", "sub, obj, act");
m.addDef("g", "g", "_, _");
m.addDef("e", "e", "some(where (p.eft == allow))");
m.addDef("m", "m", "g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act");

Enforcer e = new Enforcer(m);

e.addPermissionForUser("alice", "data1", "read");
Path modelURI = e.persistModel();
Path policyURI = e.persistPolicy();

assertTrue(new myProgram(modelURI, policyURI).isAuth("alice", "read"))

now enforcer only can put object...,Can it be parsed into an array than put in enforcer

In Java world, Apache Shiro and Spring Security are very popular security frameworks. We need to find ways to wrap jCasbin into a middleware of the above both, so Shiro and Spring users can use jCasbin without much migration efforts.

Hello I am a jcasbin user. I thank you for the great project. I am using maven.

• What I noticed is the jar that comes from maven is called jcasbin-1.2.0. the current version is 1.4.0 this must be a mistake right?

• also the exceptions are not included in the jar

• FileAdapter with Inputstream is not included as well in the maven version, which is very useful

call Enforcer::loadPolicy() and Enforcer::enforce() concurrently may lead to wrong result

HI there,
I have a requirement in our business to get user's permission list for specified object, it seems that current verion API can't support it, please assess if could be added in your furture version, that would be highly appreciate if scheduled release date could be provided, thanks!

FunctionMap is out-of-date, please add missing built-in functions keyMatch3 and keyMatch4.

Thanks! ^^

Hi
I want to use ABAC authorization for one of my application but I don't how to define roles and policies.
Let me describe the scenario:
1-Subject: There roles(Operator, Manager, Reviewer) and each User has a Branch.
2- Resource: There are several Object (Order, Document,..), and each Object has a Branch.
3- Actions: There are some actions such as Create, Edit, View, Confirm, Reject.

Some policies:
1- All User can View to objects if object.branch in user.branch
2- All user can do actions on objects during wroking time (8:30 - 17:00)
3- Manager can View to objects whenever they want.
4- User with name X has Branch A,B.
5- Manager can do Confirm and Reject.
6- Operator can do View and Create
7- Reviewer can only view objects if object. status= confirmed.

Would you please help me how to define these scenario?

I want to secure a REST-Api with jcasbin. But i dont get the right place to start.

Is this the right practice?

URL: /api/v1/user/10

public Result showUser(int id){
       User user = UserService.getUser(id);
       if(isAllowed(session.get(userID), 10, GET)){
              return success;
       }else{
              return error;
       }
}

private boolean isAllowed(String userId, String data, String action){
       enforcer.addPolicy(userId, data, action);
       return enforcer.enforce(userId, data, action);
}

config-file:

[request_definition]
r = acc, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.acc== p.acc && r.obj == p.obj && r.act == p.act

I'm asking this because of:

I can not set policys in advance, because i dont know all users
I can not set policiys in advance, because i dont know the id of the resource
I can not set policiys in advance, because i dont know the Action of the request
Maybe im stupid but i dont get it ................ in german it is called "auf dem Schlauch stehen" (stand on the hose)

Could you show me a short REST-Example in Java where i could start? Is my example useable? I dont think so, because of the enforcer.addPolicy(userId, data, action); call ....

Extracting slf4j conversation from #33

I am trying to get benchmark for SyncedEnforcer and found that increasing threadPool size won't increase the qps for enforce because write lock is used when function syncedEnforcer.enforce() is called. However, in golang version, they use read lock instead. Does that mean the golang benchmark for SyncedEnforcer would be much higher than jcasbin? I'm curious why a write lock is needed in enforce phase since no policy is changed.

when I maven package my springboot project as a fatjar, then i run commed java -jar, here are some exception stack messages below.

Caused by: org.casbin.jcasbin.exception.CasbinConfigException: file:\C:\Users\lenovo\Desktop\pgcm-1.0-SNAPSHOT-exec.jar!\BOOT-INF\classes!\casbin\rbac_model.conf (文件名、目录名或卷标语法不正确。)
        at org.casbin.jcasbin.config.Config.parse(Config.java:92) ~[jcasbin-1.4.0.jar!/:na]
        at org.casbin.jcasbin.config.Config.newConfig(Config.java:49) ~[jcasbin-1.4.0.jar!/:na]
        at org.casbin.jcasbin.model.Model.loadModel(Model.java:108) ~[jcasbin-1.4.0.jar!/:na]
        at org.casbin.spring.boot.autoconfigure.CasbinAutoConfiguration.enforcer(CasbinAutoConfiguration.java:100) ~[casbin-spring-boot-starter-0.0.8.jar!/:na]

and here is org.casbin.jcasbin.config.Config.parse method below

private void parse(String fname) {
        lock.lock();
        try (FileInputStream fis = new FileInputStream(fname)) {
            BufferedReader buf = new BufferedReader(new InputStreamReader(fis));
            parseBuffer(buf);
        } catch (IOException e) {
            throw new CasbinConfigException(e.getMessage(), e.getCause());
        } finally {
            lock.unlock();
        }
    }

then I found a question inStackOverflow, https://stackoverflow.com/questions/25869428/classpath-resource-not-found-when-running-as-jar

I don't know this is a bug or not, and how to do my problem, hope u can reply me soon.

when I invocke enforcer.deletePermission(perm) while I have no permission assigned to anyone(no this perm record), it throws the following exception:
CasbinAdapterException: Remove filtered policy error, remove 0 rows, expect least 1 rows

I'm using the default model(no conf file).

    mEnforcer = new Enforcer("excomple/permission_model.conf", "excomple/permission_policy.csv");

Error:
java.io.FileNotFoundException: \excomple\permission_model.conf (系统找不到指定的路径。)

If appending '\' at the end of Line, an ExpressionSyntaxErrorException occurs

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act, eft

[role_definition]
g = _, _,; user group
g2 = _, _, _ ; group role
g3 = _, _, _ ; resource group

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = (g(r.sub, p.sub) || g2(r.sub, p.sub, r.dom)) && (keyMatch(r.obj, p.obj) || g3(r.obj, p.obj, r.dom)) \
    && (p.dom == 'public' || r.dom == p.dom) && keyMatch(r.act, p.act)

Caused by: com.googlecode.aviator.exception.ExpressionSyntaxErrorException: Syntax error:Unexpect token '\' at 100, current token: [type='Char',lexeme='\',index=100]. Parsing expression: `(g(r_sub, p_sub) || g2(r_sub, p_sub, r_dom)) && (keyMatch(r_obj, p_obj) || g3(r_obj, p_obj, r_dom)) \^^`
	at com.googlecode.aviator.parser.ExpressionParser.reportSyntaxError(ExpressionParser.java:765)
	at com.googlecode.aviator.parser.ExpressionParser.parse(ExpressionParser.java:791)
	at com.googlecode.aviator.AviatorEvaluatorInstance.innerCompile(AviatorEvaluatorInstance.java:673)
	at com.googlecode.aviator.AviatorEvaluatorInstance.access$000(AviatorEvaluatorInstance.java:109)
	at com.googlecode.aviator.AviatorEvaluatorInstance$2.call(AviatorEvaluatorInstance.java:641)
	at com.googlecode.aviator.AviatorEvaluatorInstance$2.call(AviatorEvaluatorInstance.java:638)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at com.googlecode.aviator.AviatorEvaluatorInstance.compile(AviatorEvaluatorInstance.java:648)

Failure in the savePolicy function can lead to a complete loss of all data because savePolicy doesn't use transactions AND:

1. First drops the table
2. Recreates the table.
3. Executes a batch of inserts to save the policy.

If 1 succeed and a failure occurs anytime after it can lead to a partial or complete data loss.

It'd be much safer if it:

1. Started a transaction
2. Deleted everything in the table (not drop table, mysql doesn't support DML transactions)
3. Inserted the new policy.
4. Committed the transaction.

I actually don't see any usage of transactions in this Adapter, which is worrisome, but maybe I'm missing something?

Giving this model (user groups, resource groups and tenants enabled), and this policies :

Model:
2019-04-02 09:52:12.053  INFO 28508 --- [           main] org.casbin.jcasbin                       : p.p: sub, obj, act, dom
2019-04-02 09:52:12.053  INFO 28508 --- [           main] org.casbin.jcasbin                       : r.r: sub, obj, act, dom
2019-04-02 09:52:12.053  INFO 28508 --- [           main] org.casbin.jcasbin                       : e.e: some(where (p_eft == allow))
2019-04-02 09:52:12.053  INFO 28508 --- [           main] org.casbin.jcasbin                       : g.g: _, _, _
2019-04-02 09:52:12.053  INFO 28508 --- [           main] org.casbin.jcasbin                       : g.g2: _, _, _
2019-04-02 09:52:12.053  INFO 28508 --- [           main] org.casbin.jcasbin                       : m.m: g(r_sub, p_sub) && r_dom == p_dom && g2(r_obj, p_obj) && r_act == p_act
2019-04-02 09:52:12.062  INFO 28508 --- [           main] org.casbin.jcasbin                       : Policy:
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : p: sub, obj, act, dom: [[alice, data1, read, domain1], [bob, data2, write, domain1], [data2_admin, data2, read, domain1], [data2_admin, data2, write, domain1], [data2_admin, datagroup, read, domain1]]
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : g: _, _, _: [[alice, data2_admin, domain1]]
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : g2: _, _, _: [[data3, datagroup, domain1]]
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : Role links for: g
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : domain1::data2_admin < 
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : domain1::alice < domain1::data2_admin
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : Role links for: g2
2019-04-02 09:52:12.063  INFO 28508 --- [           main] org.casbin.jcasbin                       : domain1::data2_admin < 
2019-04-02 09:52:12.064  INFO 28508 --- [           main] org.casbin.jcasbin                       : domain1::data3 < domain1::datagroup
2019-04-02 09:52:12.064  INFO 28508 --- [           main] org.casbin.jcasbin                       : domain1::alice < domain1::data2_admin
2019-04-02 09:52:12.064  INFO 28508 --- [           main] org.casbin.jcasbin                       : domain1::datagroup < 

when asking if alice can read data3 on domain 1, it says no. alice belongs to group data2_admin and data3 belongs to datagroup. a policy says that data2_admin can read on datagroup on domain 1 ... so ? why it does not work ?

2019-04-02 09:56:03.406  INFO 28508 --- [nio-8080-exec-6] org.casbin.jcasbin                       : Request: alice, data3, read, domain1 ---> false

ps : this example was working when not using tenant feature
pps : btw, I don not understand why logs are showing users and user groups on g2 group here Role links for: g2 ... that should concern only resources and group resources
pps : these are parameters coming from debug : {r_sub=alice, p_act=read, p_dom=domain1, r_act=read, r_dom=domain1, p_sub=data2_admin, r_obj=data3, p_obj=datagroup} where result from expression gives false

r: alice, data3, read, domain1
p: data2_admin, datagroup, read, domain1

This should be a design issue with getRolesForUser.
When user does not assign role, it should return empty list instead of null.
Similarly, the same should be true for getUsersForRole, getRolesForUserInDomain, etc.

It doesn't reach the condition , when I instanciate the Enforcer I immediatly entre the exception , please help

When I try to release this repo into Maven with the following command,

mvn clean deploy -P sonatype-oss-release -Darguments="gpg.passphrase=xxxxxx"

I encountered the javadoc errors. It seems that our javadocs are in wrong format.

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  01:35 min
[INFO] Finished at: 2020-09-29T22:55:43+08:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-javadoc-plugin:2.7:jar (attach-javadocs) on project jcasbin: MavenReportException: Error while creati
ng archive:
[ERROR] Exit code: 1 - F:\github_repos\jcasbin\src\main\java\org\casbin\jcasbin\main\InternalEnforcer.java:104: warning: no @param for op
[ERROR]     public void buildIncrementalRoleLinks(Model.PolicyOperations op, String ptype, List<List<String>> rules) {
[ERROR]                 ^
[ERROR] F:\github_repos\jcasbin\src\main\java\org\casbin\jcasbin\main\InternalEnforcer.java:104: warning: no @param for ptype
[ERROR]     public void buildIncrementalRoleLinks(Model.PolicyOperations op, String ptype, List<List<String>> rules) {
[ERROR]                 ^
[ERROR] F:\github_repos\jcasbin\src\main\java\org\casbin\jcasbin\main\InternalEnforcer.java:104: warning: no @param for rules
[ERROR]     public void buildIncrementalRoleLinks(Model.PolicyOperations op, String ptype, List<List<String>> rules) {
[ERROR]                 ^
[ERROR] F:\github_repos\jcasbin\src\main\java\org\casbin\jcasbin\model\Policy.java:251: error: bad use of '>'
[ERROR]      * @return succeeds(effects.size() > 0) or not.
[ERROR]                                        ^
[ERROR] F:\github_repos\jcasbin\src\main\java\org\casbin\jcasbin\rbac\DefaultRoleManager.java:59: error: @param name not found
[ERROR]      * @param domainMatchingPredicate a matcher for supporting domain pattern in g
[ERROR]               ^
[ERROR] F:\github_repos\jcasbin\src\main\java\org\casbin\jcasbin\rbac\DefaultRoleManager.java:61: warning: no @param for domainMatchingFunc
[ERROR]     public DefaultRoleManager(int maxHierarchyLevel, final BiPredicate<String, String> matchingFunc,
[ERROR]            ^
[ERROR] F:\github_repos\jcasbin\src\main\java\org\casbin\jcasbin\util\BuiltInFunctions.java:131: warning: no @param for key1
[ERROR]     public static boolean keyMatch4(String key1, String key2) {
[ERROR]                           ^
[ERROR] F:\github_repos\jcasbin\src\main\java\org\casbin\jcasbin\util\BuiltInFunctions.java:131: warning: no @param for key2
[ERROR]     public static boolean keyMatch4(String key1, String key2) {
[ERROR]                           ^
[ERROR] F:\github_repos\jcasbin\src\main\java\org\casbin\jcasbin\util\BuiltInFunctions.java:131: warning: no @return
[ERROR]     public static boolean keyMatch4(String key1, String key2) {
[ERROR]                           ^
[ERROR]
[ERROR] Command line was: "C:\Program Files\Java\jdk1.8.0_261\jre\..\bin\javadoc.exe" @options @packages
[ERROR]
[ERROR] Refer to the generated Javadoc files in 'F:\github_repos\jcasbin\target\apidocs' dir.
[ERROR]
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

@tldyl can you fix it so I can release new versions?

Is it possible to save whole model in databse. (Currently the Adaptor implementations (File & JDBC) only save g,p section of model into database.)

org.casbin.jcasbin.main.InternalEnforcer.java
//
When the added policy exists, it will cause repeated additions in the storage.
thanks.

My project needs to use DB like MySQL to store Casbin policy, when will the MySQL adapter be available?

Hi,

I want to use the abac part of jcasbin to secure my restful endpoints.

I want to be able to define groups and write a matcher that will combine group permissions and user permissions

p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write
g, alice, data2_admin

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = (g(r.sub, p.sub) || r.sub == r.obj.owner) && r.obj == p.obj && r.act == p.act

is this correct syntax?

thanks!

HI there,
I have a requirement in our business to validate the permission for inputed multiple objects and filter the objects which current user don't have permission to access, it seems that current verion API can't support it, please assess if can be added in your furture version, if this could not be in your scope, batch api for permission validation is also ok,that would be highly appreciate if scheduled release date could be provided, thanks!

I find that each methods of adapter returns void .

In Casbin, How to check whether the adapter can be updated successfully?

If no has ACK, will cause data loss.

if I delete a user it does not delete it but it removes him from all groups
if i can enforce , permissions remain so i can still get a positive access answer using this user

Java: https://github.com/casbin/jcasbin/blob/master/src/main/java/org/casbin/jcasbin/main/SyncedEnforcer.java

Golang: https://github.com/casbin/casbin/blob/master/enforcer_synced.go

Functions like LoadPolicy() are missing. Can anyone add the missing functions?

Given the different styles of supported models and the fact that the data source might be unknown/out of our control it would be useful to be able to determine the number of parameters required for a call to `enforcer#enforce(...)#.

Or at least fail with something better than Method threw 'java.lang.ArrayIndexOutOfBoundsException' exception.

e.g.

enforcer.enforce("alice","data1","read")

would thrown an exception for

p, admin, domain1, data1, read
p, admin, domain1, data1, write
p, admin, domain2, data2, read
p, admin, domain2, data2, write

g, alice, admin, domain1
g, bob, admin, domain2

but would succeed for

p, alice, data1, read
p, bob, data2, write
p, data_group_admin, data_group, write

g, alice, data_group_admin
g2, data1, data_group
g2, data2, data_group

I thought I could guess it from enforcer.getAllActions() but in the 1st case this returns
actions:[data1, data1, data2, data2]
while in the 2nd it (correctly) returns
actions:[read, write, write]

I think this particular scenario would be solvable with enforcer.getAllDomains() but is not very scalable as a solution for future changes.

In my use case of jcasbin, I have many calls of CoreEnforcer.enforce and this becomes a performance bottleneck. The root cause seems to be in these lines:

        AviatorEvaluatorInstance eval = AviatorEvaluator.newInstance();
[...]
        String expString = model.model.get("m").get("m").value;
        Expression expression = eval.compile(expString);

The compiled expression is very likely to be the same each time and it is parsed and recompiled each time. Shouldn't we instanciate AviatorEvaluatorInstance only once and use eval.compile(expString, true) to get a cached expression?

Member functions of Policy class do not check if the key ptype exists in the map, so when I tried to call enforcer.addPolicy() or enforcer.getPolicy() after init enforcer with empty policy, NullPointerException was throw. Is it a design issue? Ptype's existence should be checked and if it does not exist, empty list should be returned, not NullPointerException.

See what is multi-threading: https://casbin.org/docs/en/multi-threading

See jCasbin's feature set: https://casbin.org/docs/en/overview#feature-set-for-different-languages

We can port the Go code to Java: https://github.com/casbin/casbin/blob/master/enforcer_synced.go

Hi there,
As we may have millions of policies in our business, not sure the currect framework could support such so large policies? if it will cause the OOM issue? or other perfromance issues? is there a benchmark for jcasbin? thanks.

Calling function com.se.datahub.main.CoreEnforcer.enforce(CoreEnforcer.java:345) with arguments : [alice, data3, read] ends with error below :

2019-04-19 14:24:58.543  INFO 4856 --- [io-8080-exec-10] org.casbin.jcasbin                       : Policy Rule: [alice, data1, read]
2019-04-19 14:24:58.543  INFO 4856 --- [io-8080-exec-10] org.casbin.jcasbin                       : Result: false
2019-04-19 14:24:58.543  INFO 4856 --- [io-8080-exec-10] org.casbin.jcasbin                       : Policy Rule: [bob, data2, write]
2019-04-19 14:24:58.543  INFO 4856 --- [io-8080-exec-10] org.casbin.jcasbin                       : Result: false
2019-04-19 14:24:58.543  INFO 4856 --- [io-8080-exec-10] org.casbin.jcasbin                       : Policy Rule: [data2_admin, data2, read]
2019-04-19 14:24:58.543  INFO 4856 --- [io-8080-exec-10] org.casbin.jcasbin                       : Result: false
2019-04-19 14:24:58.543  INFO 4856 --- [io-8080-exec-10] org.casbin.jcasbin                       : Policy Rule: [data2_admin, data2, write]
2019-04-19 14:24:58.543  INFO 4856 --- [io-8080-exec-10] org.casbin.jcasbin                       : Result: false
2019-04-19 14:24:58.543  INFO 4856 --- [io-8080-exec-10] org.casbin.jcasbin                       : Policy Rule: [data2_admin, datagroup, read]
2019-04-19 14:24:58.546 ERROR 4856 --- [io-8080-exec-10] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is com.googlecode.aviator.exception.ExpressionRuntimeException: Execute expression error] with root cause

java.lang.IllegalArgumentException: Wrong number of args (1) passed to: g3
	at com.googlecode.aviator.runtime.function.AbstractFunction.throwArity(AbstractFunction.java:19) ~[aviator-4.1.2.jar:na]
	at com.googlecode.aviator.runtime.function.AbstractFunction.call(AbstractFunction.java:47) ~[aviator-4.1.2.jar:na]
	at Script_1555676698541_2/1743385755.execute0(Unknown Source) ~[na:na]
	at com.googlecode.aviator.ClassExpression.execute(ClassExpression.java:72) ~[aviator-4.1.2.jar:na]
	at com.se.datahub.main.CoreEnforcer.enforce(CoreEnforcer.java:345) ~[classes/:na]
	at com.se.datahub.rest.EnforcementController.enforce(EnforcementController.java:21) ~[classes/:na]

How jcasbin connects to the database, for example: mysql, pg. Can jcasbin use an external authority table like SpringSecurity?

It is not implemented yet:

I want to fix this because we received a PR: #65

Hi.
I want to use the abac part of jcasbin. The problem is that I couldn't find where to define the attributes variables , example (r_obj.owner, r.sub.branch).

For this example that already exists:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = (g(r.sub, p.sub) || r.sub == r.obj.owner) && r.obj == p.obj && r.act == p.act

I got this: Exception in thread "main" com.googlecode.aviator.exception.ExpressionRuntimeException: Could not find variable r_obj.owner
	at com.googlecode.aviator.runtime.type.AviatorJavaType.getProperty(AviatorJavaType.java:301)
	at com.googlecode.aviator.runtime.type.AviatorJavaType.getValue(AviatorJavaType.java:251)
	at com.googlecode.aviator.runtime.type.AviatorJavaType.compare(AviatorJavaType.java:381)
	at Script_1551791355988_0/1869997857.execute0(Unknown Source)
	at com.googlecode.aviator.ClassExpression.execute(ClassExpression.java:72)
	at org.casbin.jcasbin.main.CoreEnforcer.enforce(CoreEnforcer.java:345)
	at Server.main(Server.java:131)
.....

Would you please help me!
Thanks

There will be parameters in the URL of MySQL 8. Do you want to confirm whether MySQL 8 is supported? What do you do if you support the parameters in the URL?