Since GateIn 3.8 an administrator can temporarily revoke access to a particular user account by marking it as disabled.
Behaviors
A user marked as "disabled" cannot authenticate to the portal. An attempt to reset the credentials of a disabled user will fail.
Additionally, such users are not listed in many places in the UI, such as the user select forms related to security. They still appear in the organization management portlet, where an administrator can filter the list to show only enabled or only disabled users.
Backwards compatibility
Introducing this feature required storing an additional piece of information about each user: the "enabled" attribute. When migrating from previous GateIn versions this attribute is not set. For backward compatibility, and to avoid a migration, the feature can be turned off with the "filterDisabledUsersInQueries" configuration switch. It lives in the idm-configuration.xml file at the following path: gatein.ear/portal.war/WEB-INF/conf/organization/idm-configuration.xml
<!--
When this option is set to true:
With a fresh user database, or an existing user database from GateIn 3.7 or above, the disable-user feature works as expected.
With an existing user database from GateIn 3.6 or below, some methods introduced by the disable-user feature will not
return existing users, because a PLIDM query cannot select users that lack an attribute;
you need to migrate the data before using the disable-user feature.
When this option is set to false:
All methods of the UserHandler interface that return a collection of users ignore the 'enabledOnly' parameter.
They always return both enabled and disabled users.
If you set up a fresh user database, or use an existing user database from GateIn 3.7 or above,
it is recommended to set this option to true in order to use the disable-user feature.
If you have an existing user database from GateIn 3.6 or below, it is recommended to migrate the data and set this option to true
in order to use the disable-user feature, or otherwise to set this option to false.
-->
<field name="filterDisabledUsersInQueries">
  <boolean>true</boolean>
</field>
When this option is set to false, a query for a list of users always returns BOTH enabled and disabled users, regardless of the 'enabledOnly' parameter. By default the option is set to true.
Migration
As mentioned in the previous paragraph, this feature requires an additional user attribute. It is needed in particular to filter users without sacrificing performance. New installations contain all the needed data, but an additional migration step is required when upgrading an existing deployment.
A dedicated script is provided to migrate the legacy data. More detailed instructions (for the Tomcat bundle) can be found here.
Example usage
These instructions apply to GateIn packaged with EAP.
$ cd <gatein-eap-bundle-path>/bin
picketlink.config_file_path=picketlink-idm-config.xml
picketlink.realmName=idm_realm_portal
hibernate.config_path=migration.hibernate.cfg.xml
hibernate.connection.driver_class=org.h2.Driver
hibernate.connection.url=jdbc:h2:file:<GATEIN-INSTALLATION-DIR>/standalone/data/gatein/portal/jdbcidm_portal;DB_CLOSE_DELAY=-1
hibernate.connection.username=sa
hibernate.connection.password=sa
hibernate.dialect=org.hibernate.dialect.H2Dialect
enable_user_from=0
batch=100
Make sure you set proper values for all "hibernate.connection.*" properties so that they match the database you actually use. For the default H2 database, edit the "hibernate.connection.url" property and replace the "<GATEIN-INSTALLATION-DIR>" placeholder with the real installation path; the script will fail to open the database if the placeholder is left in place.
From the root of the GateIn installation directory, run the following command:
$ ./portal-disabledusers-migration.sh
This script iterates over all user entries in your database and adds the "enabled" attribute with the value "true" to each of them. Since it writes to the IDM database, take a backup of that database before running it.
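The following is an added example, not GateIn or PicketLink IDM code: an in-memory model of the behaviour described in the "Backwards compatibility" and "Migration" sections. It shows why a pre-3.7 user (who has no "enabled" attribute at all) vanishes from an 'enabledOnly' query once filterDisabledUsersInQueries is true, adds a pre-flight check of the "hibernate.connection.*" properties and the "<GATEIN-INSTALLATION-DIR>" placeholder, and models the batched walk the migration script performs with the "enable_user_from" and "batch" settings. The User class, the query function, the property reader and the sample users are constructed for this illustration; the real script works against the PLIDM tables through Hibernate.

```python
# Added example (not GateIn/PicketLink code): in-memory model of the "enabled"
# attribute, the filterDisabledUsersInQueries switch, a pre-flight check of the
# migration properties, and the batched migration pass.
from dataclasses import dataclass, field
from typing import Dict, List

# Keys the migration needs to reach the database; the placeholder the doc
# tells you to replace before running the script.
REQUIRED_PROPERTIES = (
    "hibernate.connection.driver_class",
    "hibernate.connection.url",
    "hibernate.connection.username",
    "hibernate.connection.password",
    "hibernate.dialect",
)
PLACEHOLDER = "<GATEIN-INSTALLATION-DIR>"


@dataclass
class User:
    name: str
    # Per-user attributes as PLIDM stores them. A user created before the
    # feature existed has no "enabled" key at all: it is absent, not "false".
    attributes: Dict[str, str] = field(default_factory=dict)


def find_users(users: List[User], enabled_only: bool,
               filter_disabled_in_queries: bool) -> List[str]:
    """Model of a UserHandler query that takes the 'enabledOnly' parameter.

    Switch off: enabledOnly is ignored and every user is returned.
    Switch on and enabledOnly: the store is asked for users whose "enabled"
    attribute equals "true". A legacy user with no attribute cannot match an
    attribute query, so it silently disappears from the result.
    """
    if not (filter_disabled_in_queries and enabled_only):
        return [u.name for u in users]
    return [u.name for u in users if u.attributes.get("enabled") == "true"]


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#' comments.
    Splits on the first '=' only, so ';DB_CLOSE_DELAY=-1' stays in the URL."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_migration_properties(text: str) -> List[str]:
    """Pre-flight check before running portal-disabledusers-migration.sh.
    Every required key must be present (the password may be empty, which is
    H2's default) and the placeholder must have been replaced in the URL."""
    props = parse_properties(text)
    problems = []
    for key in REQUIRED_PROPERTIES:
        if key not in props:
            problems.append(f"missing: {key}")
        elif not props[key] and key != "hibernate.connection.password":
            problems.append(f"empty: {key}")
    if PLACEHOLDER in props.get("hibernate.connection.url", ""):
        problems.append(f"placeholder {PLACEHOLDER} still in hibernate.connection.url")
    return problems


def migrate(users: List[User], enable_user_from: int = 0, batch: int = 100) -> int:
    """Model of the migration pass: walk the user table from offset
    enable_user_from in chunks of `batch`, giving each user without an
    "enabled" attribute the value "true". Returns the number of users updated.
    Leaving users that already carry the attribute untouched is this example's
    assumption; it keeps a re-run from re-enabling someone disabled after the
    upgrade."""
    updated = 0
    for start in range(enable_user_from, len(users), batch):
        for u in users[start:start + batch]:
            if "enabled" not in u.attributes:
                u.attributes["enabled"] = "true"
                updated += 1
    return updated


def demo() -> dict:
    """Constructed data: two pre-3.7 users, one user disabled by an admin
    after the upgrade, one user created after the upgrade."""
    users = [
        User("alice"),                          # legacy, no attribute
        User("bob"),                            # legacy, no attribute
        User("carol", {"enabled": "false"}),    # disabled by an administrator
        User("dave", {"enabled": "true"}),      # created on 3.8
    ]
    before_on = find_users(users, enabled_only=True, filter_disabled_in_queries=True)
    before_off = find_users(users, enabled_only=True, filter_disabled_in_queries=False)
    updated = migrate(users, enable_user_from=0, batch=2)
    after_on = find_users(users, enabled_only=True, filter_disabled_in_queries=True)
    return {"before_on": before_on, "before_off": before_off,
            "updated": updated, "after_on": after_on}


if __name__ == "__main__":
    print(demo())
```

Before the migration, the switch set to true hides alice and bob from an enabled-only listing even though nobody disabled them; with the switch set to false all four come back, carol included. After the batched pass alice and bob carry enabled=true and reappear, while carol stays hidden because her attribute is explicitly "false".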