Idm privilege refactoring (#49)

* Idm app: refactoring group type usage (like role_admin) to privileges in idm + (simple) ui for managing them

* Privilege refactoring

* Privilege refactoring

modules/flowable-common-rest/pom.xml

@@ -102,10 +102,10 @@
             <artifactId>flowable-engine-common-api</artifactId>
         </dependency>
 
-        <!-- servlet -->
+       <!-- Servlet -->
         <dependency>
             <groupId>javax.servlet</groupId>
-            <artifactId>servlet-api</artifactId>
+            <artifactId>javax.servlet-api</artifactId>
             <scope>provided</scope>
         </dependency>
 

modules/flowable-cxf/pom.xml

@@ -160,7 +160,7 @@
     </dependency>
     <dependency>
       <groupId>javax.servlet</groupId>
-      <artifactId>servlet-api</artifactId>
+      <artifactId>javax.servlet-api</artifactId>
       <scope>provided</scope>
     </dependency>
       <dependency>

modules/flowable-idm-api/src/main/java/org/activiti/idm/api/IdmIdentityService.java

@@ -186,21 +186,50 @@ public interface IdmIdentityService {
   void deleteUserInfo(String userId, String key);
   
   /**
-   * Creates a new {@link Capability} with the provided name and user or group id.
-   * @param userId Needs to be non-null when groupId is null.
-   * @param groupId Needs to be non-null when userId is null.
-   * @throws ActivitiIllegalArgumentException if both capabilityName is null or if both userId/groupId are null.  
+   * Creates a new {@link Privilege} with the provided name.
+   * @throws ActivitiIllegalArgumentException if privilegeName is null. 
    */
-  Capability createCapability(String capabilityName, String userId, String groupId);
+  Privilege createPrivilege(String privilegeName);
   
   /**
-   * Deletes the capability with the given id.
+   * Assigns a privilege to a user.
    */
-  void deleteCapability(String capabilityId);
+  void addUserPrivilegeMapping(String privilegeId, String userId);
   
   /**
-   * Creates a {@link CapabilityQuery} that allows to programmatically query capabilities. 
+   * Removes a privilege for a user.
    */
-  CapabilityQuery createCapabilityQuery();
+  void deleteUserPrivilegeMapping(String privilegeId, String userId);
+  
+  /**
+   * Assigns a privilege to a group.
+   */
+  void addGroupPrivilegeMapping(String privilegeId, String groupId);
+  
+  /**
+   * Delete a privilege for a group.
+   */
+  void deleteGroupPrivilegeMapping(String privilegeId, String groupId);
+  
+  /**
+   * Deletes the privilege with the given id.
+   * Note that this also removes all user/group mappings for this privilege.
+   */
+  void deletePrivilege(String privilegeId);
+  
+  /**
+   * Returns all {@link User} instances that have a particular privilege. 
+   */
+  List<User> getUsersWithPrivilege(String privilegeId);
+  
+  /**
+   * Returns all {@link Group} instances that have a particular privilege. 
+   */
+  List<Group> getGroupsWithPrivilege(String privilegeId);
+  
+  /**
+   * Creates a {@link PrivilegeQuery} that allows to programmatically query privileges. 
+   */
+  PrivilegeQuery createPrivilegeQuery();
   
 }

modules/flowable-idm-api/src/main/java/org/activiti/idm/api/Capability.java → modules/flowable-idm-api/src/main/java/org/activiti/idm/api/Privilege.java

@@ -17,14 +17,10 @@ import java.io.Serializable;
 /**
  * @author Joram Barrez
  */
-public interface Capability extends Serializable {
+public interface Privilege extends Serializable {
   
   String getId();
   
-  String getCapabilityName();
-  
-  String getUserId();
-  
-  String getGroupId();
+  String getName();
   
 }

modules/flowable-idm-api/src/main/java/org/activiti/idm/api/CapabilityQuery.java → modules/flowable-idm-api/src/main/java/org/activiti/idm/api/PrivilegeQuery.java

@@ -18,25 +18,25 @@ import java.util.List;
 import org.activiti.engine.common.api.query.Query;
 
 /**
- * Allows programmatic querying of {@link Capability}
+ * Allows programmatic querying of {@link Privilege}
  * 
  * @author Joram Barrez
  */
-public interface CapabilityQuery extends Query<CapabilityQuery, Capability> {
+public interface PrivilegeQuery extends Query<PrivilegeQuery, Privilege> {
   
-  /** Only select {@link Capability}s with the given id/ */
-  CapabilityQuery capabilityId(String id);
+  /** Only select {@link Privilege}s with the given id/ */
+  PrivilegeQuery privilegeId(String id);
   
-  /** Only select {@link Capability}s with the given name */
-  CapabilityQuery capabilityName(String capabilityName);
+  /** Only select {@link Privilege}s with the given name */
+  PrivilegeQuery privilegeName(String name);
   
-  /** Only select {@link Capability}s with the given user id. */
-  CapabilityQuery userId(String userId);
+  /** Only select {@link Privilege}s with the given user id. */
+  PrivilegeQuery userId(String userId);
   
-  /** Only select {@link Capability}s with the given group id. */
-  CapabilityQuery groupId(String groupId);
+  /** Only select {@link Privilege}s with the given group id. */
+  PrivilegeQuery groupId(String groupId);
   
-  /** Only select {@link Capability}s with the given group ids. */
-  CapabilityQuery groupIds(List<String> groupIds);
+  /** Only select {@link Privilege}s with the given group ids. */
+  PrivilegeQuery groupIds(List<String> groupIds);
 
 }

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/IdmEngineConfiguration.java

@@ -57,8 +57,10 @@ import org.activiti.idm.engine.impl.interceptor.LogInterceptor;
 import org.activiti.idm.engine.impl.interceptor.TransactionContextInterceptor;
 import org.activiti.idm.engine.impl.persistence.entity.ByteArrayEntityManager;
 import org.activiti.idm.engine.impl.persistence.entity.ByteArrayEntityManagerImpl;
-import org.activiti.idm.engine.impl.persistence.entity.CapabilityEntityManager;
-import org.activiti.idm.engine.impl.persistence.entity.CapabilityEntityManagerImpl;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeEntityManager;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeEntityManagerImpl;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeMappingEntityManager;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeMappingEntityManagerImpl;
 import org.activiti.idm.engine.impl.persistence.entity.GroupEntityManager;
 import org.activiti.idm.engine.impl.persistence.entity.GroupEntityManagerImpl;
 import org.activiti.idm.engine.impl.persistence.entity.IdentityInfoEntityManager;
@@ -74,7 +76,8 @@ import org.activiti.idm.engine.impl.persistence.entity.TokenEntityManagerImpl;
 import org.activiti.idm.engine.impl.persistence.entity.UserEntityManager;
 import org.activiti.idm.engine.impl.persistence.entity.UserEntityManagerImpl;
 import org.activiti.idm.engine.impl.persistence.entity.data.ByteArrayDataManager;
-import org.activiti.idm.engine.impl.persistence.entity.data.CapabilityDataManager;
+import org.activiti.idm.engine.impl.persistence.entity.data.PrivilegeDataManager;
+import org.activiti.idm.engine.impl.persistence.entity.data.PrivilegeMappingDataManager;
 import org.activiti.idm.engine.impl.persistence.entity.data.GroupDataManager;
 import org.activiti.idm.engine.impl.persistence.entity.data.IdentityInfoDataManager;
 import org.activiti.idm.engine.impl.persistence.entity.data.MembershipDataManager;
@@ -82,7 +85,8 @@ import org.activiti.idm.engine.impl.persistence.entity.data.PropertyDataManager;
 import org.activiti.idm.engine.impl.persistence.entity.data.TokenDataManager;
 import org.activiti.idm.engine.impl.persistence.entity.data.UserDataManager;
 import org.activiti.idm.engine.impl.persistence.entity.data.impl.MybatisByteArrayDataManager;
-import org.activiti.idm.engine.impl.persistence.entity.data.impl.MybatisCapabilityDataManager;
+import org.activiti.idm.engine.impl.persistence.entity.data.impl.MybatisPrivilegeDataManager;
+import org.activiti.idm.engine.impl.persistence.entity.data.impl.MybatisPrivilegeMappingDataManager;
 import org.activiti.idm.engine.impl.persistence.entity.data.impl.MybatisGroupDataManager;
 import org.activiti.idm.engine.impl.persistence.entity.data.impl.MybatisIdentityInfoDataManager;
 import org.activiti.idm.engine.impl.persistence.entity.data.impl.MybatisMembershipDataManager;
@@ -132,7 +136,8 @@ public class IdmEngineConfiguration extends AbstractEngineConfiguration {
   protected PropertyDataManager propertyDataManager;
   protected TokenDataManager tokenDataManager;
   protected UserDataManager userDataManager;
-  protected CapabilityDataManager capabilityDataManager;
+  protected PrivilegeDataManager privilegeDataManager;
+  protected PrivilegeMappingDataManager privilegeMappingDataManager;
 
   // ENTITY MANAGERS /////////////////////////////////////////////////
   protected ByteArrayEntityManager byteArrayEntityManager;
@@ -143,7 +148,8 @@ public class IdmEngineConfiguration extends AbstractEngineConfiguration {
   protected TableDataManager tableDataManager;
   protected TokenEntityManager tokenEntityManager;
   protected UserEntityManager userEntityManager;
-  protected CapabilityEntityManager capabilityEntityManager;
+  protected PrivilegeEntityManager privilegeEntityManager;
+  protected PrivilegeMappingEntityManager privilegeMappingEntityManager;
 
   protected CommandContextFactory commandContextFactory;
   protected TransactionContextFactory<TransactionListener, CommandContext> transactionContextFactory;
@@ -250,8 +256,11 @@ public class IdmEngineConfiguration extends AbstractEngineConfiguration {
     if (userDataManager == null) {
     	userDataManager = new MybatisUserDataManager(this);
     }
-    if (capabilityDataManager == null) {
-      capabilityDataManager = new MybatisCapabilityDataManager(this);
+    if (privilegeDataManager == null) {
+      privilegeDataManager = new MybatisPrivilegeDataManager(this);
+    }
+    if (privilegeMappingDataManager == null) {
+      privilegeMappingDataManager = new MybatisPrivilegeMappingDataManager(getIdmEngineConfiguration());
     }
   }
 
@@ -280,8 +289,11 @@ public class IdmEngineConfiguration extends AbstractEngineConfiguration {
     if (userEntityManager == null) {
       userEntityManager = new UserEntityManagerImpl(this, userDataManager);
     }
-    if (capabilityEntityManager == null) {
-      capabilityEntityManager = new CapabilityEntityManagerImpl(this, capabilityDataManager);
+    if (privilegeEntityManager == null) {
+      privilegeEntityManager = new PrivilegeEntityManagerImpl(this, privilegeDataManager);
+    }
+    if (privilegeMappingEntityManager == null) {
+      privilegeMappingEntityManager = new PrivilegeMappingEntityManagerImpl(this, privilegeMappingDataManager);
     }
   }
   
@@ -702,12 +714,21 @@ public class IdmEngineConfiguration extends AbstractEngineConfiguration {
     return this;
   }
   
-  public CapabilityDataManager getCapabilityDataManager() {
-    return capabilityDataManager;
+  public PrivilegeDataManager getPrivilegeDataManager() {
+    return privilegeDataManager;
+  }
+
+  public IdmEngineConfiguration setPrivilegeDataManager(PrivilegeDataManager privilegeDataManager) {
+    this.privilegeDataManager = privilegeDataManager;
+    return this;
+  }
+  
+  public PrivilegeMappingDataManager getPrivilegeMappingDataManager() {
+    return privilegeMappingDataManager;
   }
 
-  public IdmEngineConfiguration setCapabilityDataManager(CapabilityDataManager capabilityDataManager) {
-    this.capabilityDataManager = capabilityDataManager;
+  public IdmEngineConfiguration setPrivilegeMappingDataManager(PrivilegeMappingDataManager privilegeMappingDataManager) {
+    this.privilegeMappingDataManager = privilegeMappingDataManager;
     return this;
   }
 
@@ -774,12 +795,21 @@ public class IdmEngineConfiguration extends AbstractEngineConfiguration {
     return this;
   }
   
-  public CapabilityEntityManager getCapabilityEntityManager() {
-    return capabilityEntityManager;
+  public PrivilegeEntityManager getPrivilegeEntityManager() {
+    return privilegeEntityManager;
+  }
+
+  public IdmEngineConfiguration setPrivilegeEntityManager(PrivilegeEntityManager privilegeEntityManager) {
+    this.privilegeEntityManager = privilegeEntityManager;
+    return this;
+  }
+  
+  public PrivilegeMappingEntityManager getPrivilegeMappingEntityManager() {
+    return privilegeMappingEntityManager;
   }
 
-  public IdmEngineConfiguration setCapabilityEntityManager(CapabilityEntityManager capabilityEntityManager) {
-    this.capabilityEntityManager = capabilityEntityManager;
+  public IdmEngineConfiguration setPrivilegeMappingEntityManager(PrivilegeMappingEntityManager privilegeMappingEntityManager) {
+    this.privilegeMappingEntityManager = privilegeMappingEntityManager;
     return this;
   }
 

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/IdmIdentityServiceImpl.java

@@ -14,8 +14,8 @@ package org.activiti.idm.engine.impl;
 
 import java.util.List;
 
-import org.activiti.idm.api.Capability;
-import org.activiti.idm.api.CapabilityQuery;
+import org.activiti.idm.api.Privilege;
+import org.activiti.idm.api.PrivilegeQuery;
 import org.activiti.idm.api.Group;
 import org.activiti.idm.api.GroupQuery;
 import org.activiti.idm.api.IdmIdentityService;
@@ -27,9 +27,10 @@ import org.activiti.idm.api.Token;
 import org.activiti.idm.api.TokenQuery;
 import org.activiti.idm.api.User;
 import org.activiti.idm.api.UserQuery;
+import org.activiti.idm.engine.impl.cmd.AddPrivilegeMappingCmd;
 import org.activiti.idm.engine.impl.cmd.CheckPassword;
-import org.activiti.idm.engine.impl.cmd.CreateCapabilityCmd;
-import org.activiti.idm.engine.impl.cmd.CreateCapabilityQueryCmd;
+import org.activiti.idm.engine.impl.cmd.CreatePrivilegeCmd;
+import org.activiti.idm.engine.impl.cmd.CreatePrivilegeQueryCmd;
 import org.activiti.idm.engine.impl.cmd.CreateGroupCmd;
 import org.activiti.idm.engine.impl.cmd.CreateGroupQueryCmd;
 import org.activiti.idm.engine.impl.cmd.CreateMembershipCmd;
@@ -37,15 +38,18 @@ import org.activiti.idm.engine.impl.cmd.CreateTokenCmd;
 import org.activiti.idm.engine.impl.cmd.CreateTokenQueryCmd;
 import org.activiti.idm.engine.impl.cmd.CreateUserCmd;
 import org.activiti.idm.engine.impl.cmd.CreateUserQueryCmd;
-import org.activiti.idm.engine.impl.cmd.DeleteCapabilityCmd;
+import org.activiti.idm.engine.impl.cmd.DeletePrivilegeCmd;
+import org.activiti.idm.engine.impl.cmd.DeletePrivilegeMappingCmd;
 import org.activiti.idm.engine.impl.cmd.DeleteGroupCmd;
 import org.activiti.idm.engine.impl.cmd.DeleteMembershipCmd;
 import org.activiti.idm.engine.impl.cmd.DeleteTokenCmd;
 import org.activiti.idm.engine.impl.cmd.DeleteUserCmd;
 import org.activiti.idm.engine.impl.cmd.DeleteUserInfoCmd;
+import org.activiti.idm.engine.impl.cmd.GetGroupsWithPrivilegeCmd;
 import org.activiti.idm.engine.impl.cmd.GetUserInfoCmd;
 import org.activiti.idm.engine.impl.cmd.GetUserInfoKeysCmd;
 import org.activiti.idm.engine.impl.cmd.GetUserPictureCmd;
+import org.activiti.idm.engine.impl.cmd.GetUsersWithPrivilegeCmd;
 import org.activiti.idm.engine.impl.cmd.SaveGroupCmd;
 import org.activiti.idm.engine.impl.cmd.SaveTokenCmd;
 import org.activiti.idm.engine.impl.cmd.SaveUserCmd;
@@ -157,18 +161,48 @@ public class IdmIdentityServiceImpl extends ServiceImpl implements IdmIdentitySe
   }
 
   @Override
-  public Capability createCapability(String capabilityName, String userId, String groupId) {
-    return commandExecutor.execute(new CreateCapabilityCmd(capabilityName, userId, groupId));
+  public Privilege createPrivilege(String name) {
+    return commandExecutor.execute(new CreatePrivilegeCmd(name));
   }
-
+  
+  @Override
+  public void addUserPrivilegeMapping(String privilegeId, String userId) {
+    commandExecutor.execute(new AddPrivilegeMappingCmd(privilegeId, userId, null));
+  }
+  
+  @Override
+  public void deleteUserPrivilegeMapping(String privilegeId, String userId) {
+    commandExecutor.execute(new DeletePrivilegeMappingCmd(privilegeId, userId, null));
+  }
+  
+  @Override
+  public void addGroupPrivilegeMapping(String privilegeId, String groupId) {
+    commandExecutor.execute(new AddPrivilegeMappingCmd(privilegeId, null, groupId));
+  }
+  
   @Override
-  public void deleteCapability(String capabilityId) {
-    commandExecutor.execute(new DeleteCapabilityCmd(capabilityId));
+  public void deleteGroupPrivilegeMapping(String privilegeId, String groupId) {
+    commandExecutor.execute(new DeletePrivilegeMappingCmd(privilegeId, null, groupId));
+  }
+  
+  @Override
+  public void deletePrivilege(String id) {
+    commandExecutor.execute(new DeletePrivilegeCmd(id));
   }
 
   @Override
-  public CapabilityQuery createCapabilityQuery() {
-    return commandExecutor.execute(new CreateCapabilityQueryCmd());
+  public PrivilegeQuery createPrivilegeQuery() {
+    return commandExecutor.execute(new CreatePrivilegeQueryCmd());
+  }
+  
+  @Override
+  public List<Group> getGroupsWithPrivilege(String name) {
+    return commandExecutor.execute(new GetGroupsWithPrivilegeCmd(name));
+  }
+  
+  @Override
+  public List<User> getUsersWithPrivilege(String name) {
+    return commandExecutor.execute(new GetUsersWithPrivilegeCmd(name));
   }
   
 }

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/CapabilityQueryImpl.java → modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/PrivilegeQueryImpl.java

@@ -16,61 +16,61 @@ package org.activiti.idm.engine.impl;
 import java.util.List;
 
 import org.activiti.engine.common.impl.Page;
-import org.activiti.idm.api.Capability;
-import org.activiti.idm.api.CapabilityQuery;
+import org.activiti.idm.api.Privilege;
+import org.activiti.idm.api.PrivilegeQuery;
 import org.activiti.idm.engine.impl.interceptor.CommandContext;
 import org.activiti.idm.engine.impl.interceptor.CommandExecutor;
 
 /**
  * @author Joram Barrez
  */
-public class CapabilityQueryImpl extends AbstractQuery<CapabilityQuery, Capability> implements CapabilityQuery {
+public class PrivilegeQueryImpl extends AbstractQuery<PrivilegeQuery, Privilege> implements PrivilegeQuery {
 
   private static final long serialVersionUID = 1L;
   
   protected String id;
-  protected String capabilityName;
+  protected String name;
   protected String userId;
   protected String groupId;
   protected List<String> groupIds;
 
-  public CapabilityQueryImpl() {
+  public PrivilegeQueryImpl() {
   }
 
-  public CapabilityQueryImpl(CommandContext commandContext) {
+  public PrivilegeQueryImpl(CommandContext commandContext) {
     super(commandContext);
   }
 
-  public CapabilityQueryImpl(CommandExecutor commandExecutor) {
+  public PrivilegeQueryImpl(CommandExecutor commandExecutor) {
     super(commandExecutor);
   }
   
   @Override
-  public CapabilityQuery capabilityId(String id) {
+  public PrivilegeQuery privilegeId(String id) {
     this.id = id;
     return this;
   }
 
   @Override
-  public CapabilityQuery capabilityName(String capabilityName) {
-    this.capabilityName = capabilityName;
+  public PrivilegeQuery privilegeName(String name) {
+    this.name = name;
     return this;
   }
 
   @Override
-  public CapabilityQuery userId(String userId) {
+  public PrivilegeQuery userId(String userId) {
     this.userId = userId;
     return this;
   }
 
   @Override
-  public CapabilityQuery groupId(String groupId) {
+  public PrivilegeQuery groupId(String groupId) {
     this.groupId = groupId;
     return this;
   }
   
   @Override
-  public CapabilityQuery groupIds(List<String> groupIds) {
+  public PrivilegeQuery groupIds(List<String> groupIds) {
     this.groupIds = groupIds;
     return this;
   }
@@ -83,12 +83,12 @@ public class CapabilityQueryImpl extends AbstractQuery<CapabilityQuery, Capabili
     this.id = id;
   }
 
-  public String getCapabilityName() {
-    return capabilityName;
+  public String getName() {
+    return name;
   }
 
-  public void setCapabilityName(String capabilityName) {
-    this.capabilityName = capabilityName;
+  public void setName(String name) {
+    this.name = name;
   }
 
   public String getUserId() {
@@ -117,12 +117,12 @@ public class CapabilityQueryImpl extends AbstractQuery<CapabilityQuery, Capabili
 
   @Override
   public long executeCount(CommandContext commandContext) {
-    return commandContext.getCapabilityEntityManager().findCapabilityCountByQueryCriteria(this);
+    return commandContext.getPrivilegeEntityManager().findPrivilegeCountByQueryCriteria(this);
   }
 
   @Override
-  public List<Capability> executeList(CommandContext commandContext, Page page) {
-    return commandContext.getCapabilityEntityManager().findCapabilityByQueryCriteria(this, page);
+  public List<Privilege> executeList(CommandContext commandContext, Page page) {
+    return commandContext.getPrivilegeEntityManager().findPrivilegeByQueryCriteria(this, page);
   }
 
 }

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/cmd/AddPrivilegeMappingCmd.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.activiti.idm.engine.impl.cmd;
+
+import java.io.Serializable;
+
+import org.activiti.idm.engine.impl.interceptor.Command;
+import org.activiti.idm.engine.impl.interceptor.CommandContext;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeMappingEntity;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeMappingEntityManager;
+
+public class AddPrivilegeMappingCmd implements Command<Void>, Serializable {
+
+  private static final long serialVersionUID = 1L;
+
+  protected String privilegeId;
+  protected String userId;
+  protected String groupId;
+
+  public AddPrivilegeMappingCmd(String privilegeId, String userId, String groupId) {
+    this.privilegeId = privilegeId;
+    this.userId = userId;
+    this.groupId = groupId;
+  }
+
+  public Void execute(CommandContext commandContext) {
+    PrivilegeMappingEntityManager privilegeMappingEntityManager = commandContext.gePrivilegeMappingEntityManager();
+    PrivilegeMappingEntity entity = privilegeMappingEntityManager.create();
+    entity.setPrivilegeId(privilegeId);
+    if (userId != null) {
+      entity.setUserId(userId);
+    } else if (groupId != null) {
+      entity.setGroupId(groupId);
+    }
+    privilegeMappingEntityManager.insert(entity);
+    
+    return null;
+  }
+}

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/cmd/CreateCapabilityCmd.java → modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/cmd/CreatePrivilegeCmd.java

@@ -16,42 +16,36 @@ package org.activiti.idm.engine.impl.cmd;
 import java.io.Serializable;
 
 import org.activiti.engine.common.api.ActivitiIllegalArgumentException;
-import org.activiti.idm.api.Capability;
-import org.activiti.idm.api.User;
+import org.activiti.idm.api.Privilege;
 import org.activiti.idm.engine.impl.interceptor.Command;
 import org.activiti.idm.engine.impl.interceptor.CommandContext;
-import org.activiti.idm.engine.impl.persistence.entity.CapabilityEntity;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeEntity;
 
 /**
  * @author Joram Barrez
  */
-public class CreateCapabilityCmd implements Command<Capability>, Serializable {
+public class CreatePrivilegeCmd implements Command<Privilege>, Serializable {
 
   private static final long serialVersionUID = 1L;
 
   protected String name;
-  protected String userId;
-  protected String groupId;
 
-  public CreateCapabilityCmd(String name, String userId, String groupId) {
+  public CreatePrivilegeCmd(String name) {
     if (name == null) {
-      throw new ActivitiIllegalArgumentException("Capability name is null");
+      throw new ActivitiIllegalArgumentException("Privilege name is null");
     }
-    if (userId == null && groupId == null) {
-      throw new ActivitiIllegalArgumentException("both userId and groupId are null");
-    }
-    
     this.name = name;
-    this.userId = userId;
-    this.groupId = groupId;
   }
 
-  public Capability execute(CommandContext commandContext) {
-    CapabilityEntity capabilityEntity = commandContext.getCapabilityEntityManager().create();
-    capabilityEntity.setCapabilityName(name);
-    capabilityEntity.setUserId(userId);
-    capabilityEntity.setGroupId(groupId);
-    commandContext.getCapabilityEntityManager().insert(capabilityEntity);
-    return capabilityEntity;
+  public Privilege execute(CommandContext commandContext) {
+    long count = commandContext.getPrivilegeEntityManager().createNewPrivilegeQuery().privilegeName(name).count();
+    if (count > 0) {
+      throw new ActivitiIllegalArgumentException("Provided privilege name already exists");
+    }
+    
+    PrivilegeEntity entity = commandContext.getPrivilegeEntityManager().create();
+    entity.setName(name);
+    commandContext.getPrivilegeEntityManager().insert(entity);
+    return entity;
   }
 }

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/cmd/CreateCapabilityQueryCmd.java → modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/cmd/CreatePrivilegeQueryCmd.java

@@ -15,18 +15,18 @@ package org.activiti.idm.engine.impl.cmd;
 
 import java.io.Serializable;
 
-import org.activiti.idm.api.CapabilityQuery;
+import org.activiti.idm.api.PrivilegeQuery;
 import org.activiti.idm.engine.impl.interceptor.Command;
 import org.activiti.idm.engine.impl.interceptor.CommandContext;
 
 /**
  * @author Joram Barrez
  */
-public class CreateCapabilityQueryCmd implements Command<CapabilityQuery>, Serializable {
+public class CreatePrivilegeQueryCmd implements Command<PrivilegeQuery>, Serializable {
 
   private static final long serialVersionUID = 1L;
 
-  public CapabilityQuery execute(CommandContext commandContext) {
-    return commandContext.getCapabilityEntityManager().createNewCapabilityQuery();
+  public PrivilegeQuery execute(CommandContext commandContext) {
+    return commandContext.getPrivilegeEntityManager().createNewPrivilegeQuery();
   }
 }

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/cmd/DeleteCapabilityCmd.java → modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/cmd/DeletePrivilegeCmd.java

@@ -22,13 +22,13 @@ import org.activiti.idm.engine.impl.interceptor.CommandContext;
 /**
  * @author Joram Barrez
  */
-public class DeleteCapabilityCmd implements Command<Void>, Serializable {
+public class DeletePrivilegeCmd implements Command<Void>, Serializable {
 
   private static final long serialVersionUID = 1L;
 
   protected String id;
 
-  public DeleteCapabilityCmd(String id) {
+  public DeletePrivilegeCmd(String id) {
     if (id == null) {
       throw new ActivitiIllegalArgumentException("id is null");
     }
@@ -37,7 +37,8 @@ public class DeleteCapabilityCmd implements Command<Void>, Serializable {
   }
 
   public Void execute(CommandContext commandContext) {
-    commandContext.getCapabilityEntityManager().delete(id);
+    commandContext.gePrivilegeMappingEntityManager().deleteByPrivilegeId(id);
+    commandContext.getPrivilegeEntityManager().delete(id);
     return null;
   }
 }

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/cmd/DeletePrivilegeMappingCmd.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.activiti.idm.engine.impl.cmd;
+
+import java.io.Serializable;
+
+import org.activiti.idm.engine.impl.interceptor.Command;
+import org.activiti.idm.engine.impl.interceptor.CommandContext;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeMappingEntityManager;
+
+public class DeletePrivilegeMappingCmd implements Command<Void>, Serializable {
+
+  private static final long serialVersionUID = 1L;
+
+  protected String privilegeId;
+  protected String userId;
+  protected String groupId;
+
+  public DeletePrivilegeMappingCmd(String privilegeId, String userId, String groupId) {
+    this.privilegeId = privilegeId;
+    this.userId = userId;
+    this.groupId = groupId;
+  }
+
+  public Void execute(CommandContext commandContext) {
+    PrivilegeMappingEntityManager privilegeMappingEntityManager = commandContext.gePrivilegeMappingEntityManager();
+    if (userId != null) {
+      privilegeMappingEntityManager.deleteByPrivilegeIdAndUserId(privilegeId, userId);
+    } else if (groupId != null) {
+      privilegeMappingEntityManager.deleteByPrivilegeIdAndGroupId(privilegeId, groupId);
+    }
+    
+    return null;
+  }
+}

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/cmd/GetGroupsWithPrivilegeCmd.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.activiti.idm.engine.impl.cmd;
+
+import java.io.Serializable;
+import java.util.List;
+
+import org.activiti.engine.common.api.ActivitiIllegalArgumentException;
+import org.activiti.idm.api.Group;
+import org.activiti.idm.engine.impl.interceptor.Command;
+import org.activiti.idm.engine.impl.interceptor.CommandContext;
+
+/**
+ * @author Joram Barrez
+ */
+public class GetGroupsWithPrivilegeCmd implements Command<List<Group>>, Serializable {
+
+  private static final long serialVersionUID = 1L;
+
+  protected String name;
+
+  public GetGroupsWithPrivilegeCmd(String name) {
+    if(name == null) {
+      throw new ActivitiIllegalArgumentException("name is null");
+    }
+    this.name = name;
+  }
+
+  public List<Group> execute(CommandContext commandContext) {
+    return commandContext.getGroupEntityManager().findGroupsByPrivilegeId(name);
+  }
+  
+}

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/cmd/GetUsersWithPrivilegeCmd.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.activiti.idm.engine.impl.cmd;
+
+import java.io.Serializable;
+import java.util.List;
+
+import org.activiti.engine.common.api.ActivitiIllegalArgumentException;
+import org.activiti.idm.api.User;
+import org.activiti.idm.engine.impl.interceptor.Command;
+import org.activiti.idm.engine.impl.interceptor.CommandContext;
+
+/**
+ * @author Joram Barrez
+ */
+public class GetUsersWithPrivilegeCmd implements Command<List<User>>, Serializable {
+
+  private static final long serialVersionUID = 1L;
+
+  protected String name;
+
+  public GetUsersWithPrivilegeCmd(String name) {
+    if(name == null) {
+      throw new ActivitiIllegalArgumentException("name is null");
+    }
+    this.name = name;
+  }
+
+  public List<User> execute(CommandContext commandContext) {
+    return commandContext.getUserEntityManager().findUsersByPrivilegeId(name);
+  }
+}

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/interceptor/CommandContext.java

@@ -19,10 +19,11 @@ import org.activiti.engine.common.impl.interceptor.BaseCommandContextCloseListen
 import org.activiti.idm.engine.IdmEngineConfiguration;
 import org.activiti.idm.engine.impl.db.DbSqlSession;
 import org.activiti.idm.engine.impl.persistence.entity.ByteArrayEntityManager;
-import org.activiti.idm.engine.impl.persistence.entity.CapabilityEntityManager;
 import org.activiti.idm.engine.impl.persistence.entity.GroupEntityManager;
 import org.activiti.idm.engine.impl.persistence.entity.IdentityInfoEntityManager;
 import org.activiti.idm.engine.impl.persistence.entity.MembershipEntityManager;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeEntityManager;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeMappingEntityManager;
 import org.activiti.idm.engine.impl.persistence.entity.PropertyEntityManager;
 import org.activiti.idm.engine.impl.persistence.entity.TableDataManager;
 import org.activiti.idm.engine.impl.persistence.entity.TokenEntityManager;
@@ -86,8 +87,12 @@ public class CommandContext extends AbstractCommandContext {
     return idmEngineConfiguration.getUserEntityManager();
   }
   
-  public CapabilityEntityManager getCapabilityEntityManager() {
-    return idmEngineConfiguration.getCapabilityEntityManager();
+  public PrivilegeEntityManager getPrivilegeEntityManager() {
+    return idmEngineConfiguration.getPrivilegeEntityManager();
+  }
+  
+  public PrivilegeMappingEntityManager gePrivilegeMappingEntityManager() {
+    return idmEngineConfiguration.getPrivilegeMappingEntityManager();
   }
   
   public TableDataManager getTableDataManager() {

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/GroupEntityManager.java

@@ -43,4 +43,6 @@ public interface GroupEntityManager extends EntityManager<GroupEntity> {
 
   boolean isNewGroup(Group group);
 
+  List<Group> findGroupsByPrivilegeId(String privilegeId);
+  
 }

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/GroupEntityManagerImpl.java

@@ -94,6 +94,11 @@ public class GroupEntityManagerImpl extends AbstractEntityManager<GroupEntity> i
   public boolean isNewGroup(Group group) {
     return ((GroupEntity) group).getRevision() == 0;
   }
+  
+  @Override
+  public List<Group> findGroupsByPrivilegeId(String privilegeId) {
+    return groupDataManager.findGroupsByPrivilegeId(privilegeId);
+  }
 
   public GroupDataManager getGroupDataManager() {
     return groupDataManager;

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/PrivilegeEntity.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.activiti.idm.engine.impl.persistence.entity;
+
+import org.activiti.engine.common.impl.persistence.entity.Entity;
+import org.activiti.idm.api.Privilege;
+
+/**
+ * @author Joram Barrez
+ */
+public interface PrivilegeEntity extends Entity, Privilege {
+  
+  void setName(String name);
+  
+}

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/PrivilegeEntityImpl.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.activiti.idm.engine.impl.persistence.entity;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.activiti.engine.common.impl.persistence.entity.AbstractEntity;
+
+public class PrivilegeEntityImpl extends AbstractEntity implements PrivilegeEntity {
+
+  protected String name;
+  
+  @Override
+  public Object getPersistentState() {
+    Map<String, String> state = new HashMap<String, String>();
+    state.put("id", id);
+    state.put("name", name);
+    return state;
+  }
+  
+  public String getName() {
+    return name;
+  }
+  public void setName(String name) {
+    this.name = name;
+  }
+  
+}

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/CapabilityEntityManager.java → modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/PrivilegeEntityManager.java

@@ -17,23 +17,23 @@ import java.util.Map;
 
 import org.activiti.engine.common.impl.Page;
 import org.activiti.engine.common.impl.persistence.entity.EntityManager;
-import org.activiti.idm.api.Capability;
-import org.activiti.idm.api.CapabilityQuery;
-import org.activiti.idm.engine.impl.CapabilityQueryImpl;
+import org.activiti.idm.api.Privilege;
+import org.activiti.idm.api.PrivilegeQuery;
+import org.activiti.idm.engine.impl.PrivilegeQueryImpl;
 
 /**
  * @author Joram Barrez
  */
-public interface CapabilityEntityManager extends EntityManager<CapabilityEntity> {
+public interface PrivilegeEntityManager extends EntityManager<PrivilegeEntity> {
   
-  CapabilityQuery createNewCapabilityQuery();
+  PrivilegeQuery createNewPrivilegeQuery();
   
-  List<Capability> findCapabilityByQueryCriteria(CapabilityQueryImpl query , Page page);
+  List<Privilege> findPrivilegeByQueryCriteria(PrivilegeQueryImpl query , Page page);
 
-  long findCapabilityCountByQueryCriteria(CapabilityQueryImpl query);
+  long findPrivilegeCountByQueryCriteria(PrivilegeQueryImpl query);
 
-  List<Capability> findCapabilityByNativeQuery(Map<String, Object> parameterMap, int firstResult, int maxResults);
+  List<Privilege> findPrivilegeByNativeQuery(Map<String, Object> parameterMap, int firstResult, int maxResults);
 
-  long findCapabilityCountByNativeQuery(Map<String, Object> parameterMap);
+  long findPrivilegeCountByNativeQuery(Map<String, Object> parameterMap);
 
 }

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/CapabilityEntityManagerImpl.java → modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/PrivilegeEntityManagerImpl.java

@@ -17,52 +17,52 @@ import java.util.Map;
 
 import org.activiti.engine.common.impl.Page;
 import org.activiti.engine.common.impl.persistence.entity.data.DataManager;
-import org.activiti.idm.api.Capability;
-import org.activiti.idm.api.CapabilityQuery;
+import org.activiti.idm.api.Privilege;
+import org.activiti.idm.api.PrivilegeQuery;
 import org.activiti.idm.engine.IdmEngineConfiguration;
-import org.activiti.idm.engine.impl.CapabilityQueryImpl;
-import org.activiti.idm.engine.impl.persistence.entity.data.CapabilityDataManager;
+import org.activiti.idm.engine.impl.PrivilegeQueryImpl;
+import org.activiti.idm.engine.impl.persistence.entity.data.PrivilegeDataManager;
 
 /**
  * @author Joram Barrez
  */
-public class CapabilityEntityManagerImpl extends AbstractEntityManager<CapabilityEntity> implements CapabilityEntityManager {
+public class PrivilegeEntityManagerImpl extends AbstractEntityManager<PrivilegeEntity> implements PrivilegeEntityManager {
 
-  protected CapabilityDataManager capabilityDataManager;
+  protected PrivilegeDataManager privilegeDataManager;
   
-  public CapabilityEntityManagerImpl(IdmEngineConfiguration idmEngineConfiguration, CapabilityDataManager capabilityDataManager) {
+  public PrivilegeEntityManagerImpl(IdmEngineConfiguration idmEngineConfiguration, PrivilegeDataManager privilegeDataManager) {
     super(idmEngineConfiguration);
-    this.capabilityDataManager = capabilityDataManager;
+    this.privilegeDataManager = privilegeDataManager;
   }
 
   @Override
-  protected DataManager<CapabilityEntity> getDataManager() {
-    return capabilityDataManager;
+  protected DataManager<PrivilegeEntity> getDataManager() {
+    return privilegeDataManager;
   }
   
   @Override
-  public CapabilityQuery createNewCapabilityQuery() {
-    return new CapabilityQueryImpl(getCommandExecutor());
+  public PrivilegeQuery createNewPrivilegeQuery() {
+    return new PrivilegeQueryImpl(getCommandExecutor());
   }
 
   @Override
-  public List<Capability> findCapabilityByQueryCriteria(CapabilityQueryImpl query, Page page) {
-    return capabilityDataManager.findCapabilityByQueryCriteria(query, page);
+  public List<Privilege> findPrivilegeByQueryCriteria(PrivilegeQueryImpl query, Page page) {
+    return privilegeDataManager.findPrivilegeByQueryCriteria(query, page);
   }
 
   @Override
-  public long findCapabilityCountByQueryCriteria(CapabilityQueryImpl query) {
-    return capabilityDataManager.findCapabilityCountByQueryCriteria(query);
+  public long findPrivilegeCountByQueryCriteria(PrivilegeQueryImpl query) {
+    return privilegeDataManager.findPrivilegeCountByQueryCriteria(query);
   }
 
   @Override
-  public List<Capability> findCapabilityByNativeQuery(Map<String, Object> parameterMap, int firstResult, int maxResults) {
-    return capabilityDataManager.findCapabilityByNativeQuery(parameterMap, firstResult, maxResults);
+  public List<Privilege> findPrivilegeByNativeQuery(Map<String, Object> parameterMap, int firstResult, int maxResults) {
+    return privilegeDataManager.findPrivilegeByNativeQuery(parameterMap, firstResult, maxResults);
   }
 
   @Override
-  public long findCapabilityCountByNativeQuery(Map<String, Object> parameterMap) {
-    return capabilityDataManager.findCapabilityCountByNativeQuery(parameterMap);
+  public long findPrivilegeCountByNativeQuery(Map<String, Object> parameterMap) {
+    return privilegeDataManager.findPrivilegeCountByNativeQuery(parameterMap);
   }
 
 }

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/CapabilityEntity.java → modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/PrivilegeMappingEntity.java

@@ -13,16 +13,12 @@
 package org.activiti.idm.engine.impl.persistence.entity;
 
 import org.activiti.engine.common.impl.persistence.entity.Entity;
-import org.activiti.idm.api.Capability;
 
-/**
- * @author Joram Barrez
- */
-public interface CapabilityEntity extends Entity, Capability {
-  
-  String getCapabilityName();
+public interface PrivilegeMappingEntity extends Entity {
+
+  String getPrivilegeId();
   
-  void setCapabilityName(String capability);
+  void setPrivilegeId(String privilegeId);
   
   String getUserId();
   

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/CapabilityEntityImpl.java → modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/PrivilegeMappingEntityImpl.java

@@ -17,26 +17,27 @@ import java.util.Map;
 
 import org.activiti.engine.common.impl.persistence.entity.AbstractEntity;
 
-public class CapabilityEntityImpl extends AbstractEntity implements CapabilityEntity {
+public class PrivilegeMappingEntityImpl extends AbstractEntity implements PrivilegeMappingEntity {
 
-  protected String capabilityName;
+  protected String privilegeId;
   protected String userId;
   protected String groupId;
   
   @Override
   public Object getPersistentState() {
     Map<String, String> state = new HashMap<String, String>();
-    state.put("capabilityname", capabilityName);
+    state.put("id", id);
+    state.put("privilegeId", privilegeId);
     state.put("userId", userId);
     state.put("groupId", groupId);
     return state;
   }
   
-  public String getCapabilityName() {
-    return capabilityName;
+  public String getPrivilegeId() {
+    return privilegeId;
   }
-  public void setCapabilityName(String capabilityName) {
-    this.capabilityName = capabilityName;
+  public void setPrivilegeId(String privilegeId) {
+    this.privilegeId = privilegeId;
   }
   public String getUserId() {
     return userId;

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/PrivilegeMappingEntityManager.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.activiti.idm.engine.impl.persistence.entity;
+
+import org.activiti.engine.common.impl.persistence.entity.EntityManager;
+
+public interface PrivilegeMappingEntityManager extends EntityManager<PrivilegeMappingEntity> {
+  
+  void deleteByPrivilegeId(String privilegeId);
+  
+  void deleteByPrivilegeIdAndUserId(String privilegeId, String userId);
+  
+  void deleteByPrivilegeIdAndGroupId(String privilegeId, String groupId);
+  
+}

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/PrivilegeMappingEntityManagerImpl.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.activiti.idm.engine.impl.persistence.entity;
+
+import org.activiti.engine.common.impl.persistence.entity.data.DataManager;
+import org.activiti.idm.engine.IdmEngineConfiguration;
+import org.activiti.idm.engine.impl.persistence.entity.data.PrivilegeMappingDataManager;
+
+public class PrivilegeMappingEntityManagerImpl extends AbstractEntityManager<PrivilegeMappingEntity> implements PrivilegeMappingEntityManager {
+
+  protected PrivilegeMappingDataManager privilegeMappingDataManager;
+  
+  public PrivilegeMappingEntityManagerImpl(IdmEngineConfiguration idmEngineConfiguration, PrivilegeMappingDataManager privilegeMappingDataManager) {
+    super(idmEngineConfiguration);
+    this.privilegeMappingDataManager = privilegeMappingDataManager;
+  }
+
+  @Override
+  protected DataManager<PrivilegeMappingEntity> getDataManager() {
+    return privilegeMappingDataManager;
+  }
+  
+  @Override
+  public void deleteByPrivilegeId(String privilegeId) {
+    privilegeMappingDataManager.deleteByPrivilegeId(privilegeId);
+  }
+  
+  @Override
+  public void deleteByPrivilegeIdAndUserId(String privilegeId, String userId) {
+    privilegeMappingDataManager.deleteByPrivilegeIdAndUserId(privilegeId, userId);
+  }
+  
+  @Override
+  public void deleteByPrivilegeIdAndGroupId(String privilegeId, String groupId) {
+    privilegeMappingDataManager.deleteByPrivilegeIdAndGroupId(privilegeId, groupId);
+  }
+  
+}

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/TableDataManagerImpl.java

@@ -27,8 +27,8 @@ import org.activiti.engine.common.api.ActivitiException;
 import org.activiti.engine.common.api.management.TableMetaData;
 import org.activiti.engine.common.api.management.TablePage;
 import org.activiti.engine.common.impl.persistence.entity.Entity;
-import org.activiti.idm.api.Capability;
 import org.activiti.idm.api.Group;
+import org.activiti.idm.api.Privilege;
 import org.activiti.idm.api.Token;
 import org.activiti.idm.api.User;
 import org.activiti.idm.engine.IdmEngineConfiguration;
@@ -62,7 +62,7 @@ public class TableDataManagerImpl extends AbstractManager implements TableDataMa
     entityToTableNameMap.put(UserEntity.class, "ACT_ID_USER");
     entityToTableNameMap.put(IdentityInfoEntity.class, "ACT_ID_INFO");
     entityToTableNameMap.put(TokenEntity.class, "ACT_ID_TOKEN");
-    entityToTableNameMap.put(CapabilityEntity.class, "ACT_ID_CAPABILITY");
+    entityToTableNameMap.put(PrivilegeEntity.class, "ACT_ID_PRIV");
     
     // general
     entityToTableNameMap.put(PropertyEntity.class, "ACT_ID_PROPERTY");
@@ -71,7 +71,7 @@ public class TableDataManagerImpl extends AbstractManager implements TableDataMa
     apiTypeToTableNameMap.put(Group.class, "ACT_ID_GROUP");
     apiTypeToTableNameMap.put(User.class, "ACT_ID_USER");
     apiTypeToTableNameMap.put(Token.class, "ACT_ID_TOKEN");
-    apiTypeToTableNameMap.put(Capability.class, "ACT_ID_CAPABILITY");
+    apiTypeToTableNameMap.put(Privilege.class, "ACT_ID_PRIV");
   }
   
   protected DbSqlSession getDbSqlSession() {

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/UserEntityManager.java

@@ -18,7 +18,6 @@ import java.util.Map;
 
 import org.activiti.engine.common.impl.Page;
 import org.activiti.engine.common.impl.persistence.entity.EntityManager;
-import org.activiti.idm.api.Group;
 import org.activiti.idm.api.Picture;
 import org.activiti.idm.api.User;
 import org.activiti.idm.api.UserQuery;
@@ -37,8 +36,6 @@ public interface UserEntityManager extends EntityManager<UserEntity> {
 
   long findUserCountByQueryCriteria(UserQueryImpl query);
 
-  List<Group> findGroupsByUser(String userId);
-
   UserQuery createNewUserQuery();
 
   Boolean checkPassword(String userId, String password);
@@ -54,5 +51,7 @@ public interface UserEntityManager extends EntityManager<UserEntity> {
   void setUserPicture(User user, Picture picture);
   
   void deletePicture(User user);
+  
+  List<User> findUsersByPrivilegeId(String privilegeId);
 
 }

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/UserEntityManagerImpl.java

@@ -18,7 +18,6 @@ import java.util.Map;
 
 import org.activiti.engine.common.impl.Page;
 import org.activiti.engine.common.impl.persistence.entity.data.DataManager;
-import org.activiti.idm.api.Group;
 import org.activiti.idm.api.Picture;
 import org.activiti.idm.api.User;
 import org.activiti.idm.api.UserQuery;
@@ -93,10 +92,6 @@ public class UserEntityManagerImpl extends AbstractEntityManager<UserEntity> imp
     return userDataManager.findUserCountByQueryCriteria(query);
   }
 
-  public List<Group> findGroupsByUser(String userId) {
-    return userDataManager.findGroupsByUser(userId);
-  }
-
   public UserQuery createNewUserQuery() {
     return new UserQueryImpl(getCommandExecutor());
   }
@@ -139,6 +134,11 @@ public class UserEntityManagerImpl extends AbstractEntityManager<UserEntity> imp
     userEntity.setPicture(picture);
     userDataManager.update(userEntity);
   }
+  
+  @Override
+  public List<User> findUsersByPrivilegeId(String name) {
+    return userDataManager.findUsersByPrivilegeId(name);
+  }
 
   public UserDataManager getUserDataManager() {
     return userDataManager;

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/data/GroupDataManager.java

@@ -31,6 +31,8 @@ public interface GroupDataManager extends DataManager<GroupEntity> {
   long findGroupCountByQueryCriteria(GroupQueryImpl query);
 
   List<Group> findGroupsByUser(String userId);
+  
+  List<Group> findGroupsByPrivilegeId(String privilegeId);
 
   List<Group> findGroupsByNativeQuery(Map<String, Object> parameterMap, int firstResult, int maxResults);
 

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/data/CapabilityDataManager.java → modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/data/PrivilegeDataManager.java

@@ -17,21 +17,21 @@ import java.util.Map;
 
 import org.activiti.engine.common.impl.Page;
 import org.activiti.engine.common.impl.persistence.entity.data.DataManager;
-import org.activiti.idm.api.Capability;
-import org.activiti.idm.engine.impl.CapabilityQueryImpl;
-import org.activiti.idm.engine.impl.persistence.entity.CapabilityEntity;
+import org.activiti.idm.api.Privilege;
+import org.activiti.idm.engine.impl.PrivilegeQueryImpl;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeEntity;
 
 /**
  * @author Joram Barrez
  */
-public interface CapabilityDataManager extends DataManager<CapabilityEntity> {
+public interface PrivilegeDataManager extends DataManager<PrivilegeEntity> {
   
-  List<Capability> findCapabilityByQueryCriteria(CapabilityQueryImpl query , Page page);
+  List<Privilege> findPrivilegeByQueryCriteria(PrivilegeQueryImpl query , Page page);
 
-  long findCapabilityCountByQueryCriteria(CapabilityQueryImpl query);
+  long findPrivilegeCountByQueryCriteria(PrivilegeQueryImpl query);
 
-  List<Capability> findCapabilityByNativeQuery(Map<String, Object> parameterMap, int firstResult, int maxResults);
+  List<Privilege> findPrivilegeByNativeQuery(Map<String, Object> parameterMap, int firstResult, int maxResults);
 
-  long findCapabilityCountByNativeQuery(Map<String, Object> parameterMap);
+  long findPrivilegeCountByNativeQuery(Map<String, Object> parameterMap);
 
 }

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/data/PrivilegeMappingDataManager.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.activiti.idm.engine.impl.persistence.entity.data;
+
+import org.activiti.engine.common.impl.persistence.entity.data.DataManager;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeMappingEntity;
+
+public interface PrivilegeMappingDataManager extends DataManager<PrivilegeMappingEntity> {
+  
+  void deleteByPrivilegeId(String privilegeId);
+  
+  void deleteByPrivilegeIdAndUserId(String privilegeId, String userId);
+  
+  void deleteByPrivilegeIdAndGroupId(String privilegeId, String groupId);
+
+}

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/data/UserDataManager.java

@@ -17,7 +17,6 @@ import java.util.Map;
 
 import org.activiti.engine.common.impl.Page;
 import org.activiti.engine.common.impl.persistence.entity.data.DataManager;
-import org.activiti.idm.api.Group;
 import org.activiti.idm.api.User;
 import org.activiti.idm.engine.impl.UserQueryImpl;
 import org.activiti.idm.engine.impl.persistence.entity.UserEntity;
@@ -31,7 +30,7 @@ public interface UserDataManager extends DataManager<UserEntity> {
 
   long findUserCountByQueryCriteria(UserQueryImpl query);
  
-  List<Group> findGroupsByUser(String userId);
+  List<User> findUsersByPrivilegeId(String privilegeId);
   
   List<User> findUsersByNativeQuery(Map<String, Object> parameterMap, int firstResult, int maxResults);
 

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/data/impl/MybatisGroupDataManager.java

@@ -56,6 +56,12 @@ public class MybatisGroupDataManager extends AbstractDataManager<GroupEntity> im
   public List<Group> findGroupsByUser(String userId) {
     return getDbSqlSession().selectList("selectGroupsByUserId", userId);
   }
+  
+  @Override
+  @SuppressWarnings("unchecked")
+  public List<Group> findGroupsByPrivilegeId(String privilegeId) {
+    return getDbSqlSession().selectList("selectGroupsWithPrivilegeId", privilegeId);
+  }
 
   @SuppressWarnings("unchecked")
   public List<Group> findGroupsByNativeQuery(Map<String, Object> parameterMap, int firstResult, int maxResults) {

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/data/impl/MybatisCapabilityDataManager.java → modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/data/impl/MybatisPrivilegeDataManager.java

@@ -16,53 +16,53 @@ import java.util.List;
 import java.util.Map;
 
 import org.activiti.engine.common.impl.Page;
-import org.activiti.idm.api.Capability;
+import org.activiti.idm.api.Privilege;
 import org.activiti.idm.engine.IdmEngineConfiguration;
-import org.activiti.idm.engine.impl.CapabilityQueryImpl;
-import org.activiti.idm.engine.impl.persistence.entity.CapabilityEntity;
-import org.activiti.idm.engine.impl.persistence.entity.CapabilityEntityImpl;
+import org.activiti.idm.engine.impl.PrivilegeQueryImpl;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeEntity;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeEntityImpl;
 import org.activiti.idm.engine.impl.persistence.entity.data.AbstractDataManager;
-import org.activiti.idm.engine.impl.persistence.entity.data.CapabilityDataManager;
+import org.activiti.idm.engine.impl.persistence.entity.data.PrivilegeDataManager;
 
 /**
  * @author Joram Barrez
  */
-public class MybatisCapabilityDataManager extends AbstractDataManager<CapabilityEntity> implements CapabilityDataManager {
+public class MybatisPrivilegeDataManager extends AbstractDataManager<PrivilegeEntity> implements PrivilegeDataManager {
 
-  public MybatisCapabilityDataManager(IdmEngineConfiguration idmEngineConfiguration) {
+  public MybatisPrivilegeDataManager(IdmEngineConfiguration idmEngineConfiguration) {
     super(idmEngineConfiguration);
   }
 
   @Override
-  public CapabilityEntity create() {
-    return new CapabilityEntityImpl();
+  public PrivilegeEntity create() {
+    return new PrivilegeEntityImpl();
   }
 
   @Override
-  public Class<? extends CapabilityEntity> getManagedEntityClass() {
-    return CapabilityEntityImpl.class;
+  public Class<? extends PrivilegeEntity> getManagedEntityClass() {
+    return PrivilegeEntityImpl.class;
   }
 
   @Override
   @SuppressWarnings("unchecked")
-  public List<Capability> findCapabilityByQueryCriteria(CapabilityQueryImpl query, Page page) {
-    return getDbSqlSession().selectList("selectCapabilityByQueryCriteria", query, page);
+  public List<Privilege> findPrivilegeByQueryCriteria(PrivilegeQueryImpl query, Page page) {
+    return getDbSqlSession().selectList("selectPrivilegeByQueryCriteria", query, page);
   }
 
   @Override
-  public long findCapabilityCountByQueryCriteria(CapabilityQueryImpl query) {
-    return (Long) getDbSqlSession().selectOne("selectCapabilityCountByQueryCriteria", query);
+  public long findPrivilegeCountByQueryCriteria(PrivilegeQueryImpl query) {
+    return (Long) getDbSqlSession().selectOne("selectPrivilegeCountByQueryCriteria", query);
   }
 
   @Override
   @SuppressWarnings("unchecked")
-  public List<Capability> findCapabilityByNativeQuery(Map<String, Object> parameterMap, int firstResult, int maxResults) {
-    return getDbSqlSession().selectListWithRawParameter("selectCapabilityByNativeQuery", parameterMap, firstResult, maxResults);
+  public List<Privilege> findPrivilegeByNativeQuery(Map<String, Object> parameterMap, int firstResult, int maxResults) {
+    return getDbSqlSession().selectListWithRawParameter("selectPrivilegeByNativeQuery", parameterMap, firstResult, maxResults);
   }
 
   @Override
-  public long findCapabilityCountByNativeQuery(Map<String, Object> parameterMap) {
-    return (Long) getDbSqlSession().selectOne("selectCapabilityCountByNativeQuery", parameterMap);
+  public long findPrivilegeCountByNativeQuery(Map<String, Object> parameterMap) {
+    return (Long) getDbSqlSession().selectOne("selectPrivilegeCountByNativeQuery", parameterMap);
   }
 
 }

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/data/impl/MybatisPrivilegeMappingDataManager.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.activiti.idm.engine.impl.persistence.entity.data.impl;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.activiti.idm.engine.IdmEngineConfiguration;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeMappingEntity;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeMappingEntityImpl;
+import org.activiti.idm.engine.impl.persistence.entity.data.AbstractDataManager;
+import org.activiti.idm.engine.impl.persistence.entity.data.PrivilegeMappingDataManager;
+
+public class MybatisPrivilegeMappingDataManager extends AbstractDataManager<PrivilegeMappingEntity> implements PrivilegeMappingDataManager {
+
+  public MybatisPrivilegeMappingDataManager(IdmEngineConfiguration idmEngineConfiguration) {
+    super(idmEngineConfiguration);
+  }
+
+  @Override
+  public PrivilegeMappingEntity create() {
+    return new PrivilegeMappingEntityImpl();
+  }
+
+  @Override
+  public Class<? extends PrivilegeMappingEntity> getManagedEntityClass() {
+    return PrivilegeMappingEntityImpl.class;
+  }
+  
+  @Override
+  public void deleteByPrivilegeId(String privilegeId) {
+    getDbSqlSession().delete("deleteByPrivilegeId", privilegeId);
+  }
+  
+  @Override
+  public void deleteByPrivilegeIdAndUserId(String privilegeId, String userId) {
+    Map<String, String> params = new HashMap<String, String>();
+    params.put("privilegeId", privilegeId);
+    params.put("userId", userId);
+    getDbSqlSession().delete("deleteByPrivilegeIdAndUserId", params);
+  }
+  
+  @Override
+  public void deleteByPrivilegeIdAndGroupId(String privilegeId, String groupId) {
+    Map<String, String> params = new HashMap<String, String>();
+    params.put("privilegeId", privilegeId);
+    params.put("groupId", groupId);
+    getDbSqlSession().delete("deleteByPrivilegeIdAndGroupId", params);
+  }
+
+}

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/impl/persistence/entity/data/impl/MybatisUserDataManager.java

@@ -16,7 +16,6 @@ import java.util.List;
 import java.util.Map;
 
 import org.activiti.engine.common.impl.Page;
-import org.activiti.idm.api.Group;
 import org.activiti.idm.api.User;
 import org.activiti.idm.engine.IdmEngineConfiguration;
 import org.activiti.idm.engine.impl.UserQueryImpl;
@@ -53,9 +52,10 @@ public class MybatisUserDataManager extends AbstractDataManager<UserEntity> impl
     return (Long) getDbSqlSession().selectOne("selectUserCountByQueryCriteria", query);
   }
 
+  @Override
   @SuppressWarnings("unchecked")
-  public List<Group> findGroupsByUser(String userId) {
-    return getDbSqlSession().selectList("selectGroupsByUserId", userId);
+  public List<User> findUsersByPrivilegeId(String privilegeId) {
+    return getDbSqlSession().selectList("selectUsersWithPrivilegeId", privilegeId);
   }
 
   @SuppressWarnings("unchecked")

modules/flowable-idm-engine/src/main/java/org/activiti/idm/engine/test/PluggableActivitiIdmTestCase.java

@@ -16,8 +16,8 @@ package org.activiti.idm.engine.test;
 import java.util.List;
 
 import org.activiti.engine.common.api.ActivitiException;
-import org.activiti.idm.api.Capability;
 import org.activiti.idm.api.Group;
+import org.activiti.idm.api.Privilege;
 import org.activiti.idm.api.User;
 import org.activiti.idm.engine.IdmEngine;
 import org.activiti.idm.engine.IdmEngines;
@@ -66,10 +66,10 @@ public abstract class PluggableActivitiIdmTestCase extends AbstractActivitiIdmTe
   
   protected void clearAllUsersAndGroups() {
     
-    // Capabilities
-    List<Capability> capabilities = idmIdentityService.createCapabilityQuery().list();
-    for (Capability capability : capabilities) {
-      idmIdentityService.deleteCapability(capability.getId());
+    // Privileges
+    List<Privilege> privileges = idmIdentityService.createPrivilegeQuery().list();
+    for (Privilege privilege : privileges) {
+      idmIdentityService.deletePrivilege(privilege.getId());
     }
     
     // Groups

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/create/activiti.db2.create.identity.sql

@@ -68,11 +68,17 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 );
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ varchar(64) not null,
+    NAME_ varchar(255),
+    primary key (ID_)
+);
+
+create table ACT_ID_PRIV_MAPPING (
+    ID_ varchar(64) not null,
+    PRIV_ID_ varchar(64) not null,
     USER_ID_ varchar(255),
     GROUP_ID_ varchar(255),
-    CAPABILITY_NAME_ varchar(255),
     primary key (ID_)
 );
 
@@ -86,4 +92,11 @@ alter table ACT_ID_MEMBERSHIP
     foreign key (USER_ID_) 
     references ACT_ID_USER (ID_);
     
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_NAME_);    
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV (ID_);
+    
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);    
+  

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/create/activiti.h2.create.identity.sql

@@ -68,11 +68,17 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 );
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ varchar(64) not null,
+    NAME_ varchar(255),
+    primary key (ID_)
+);
+
+create table ACT_ID_PRIV_MAPPING (
+    ID_ varchar(64) not null,
+    PRIV_ID_ varchar(64) not null,
     USER_ID_ varchar(255),
     GROUP_ID_ varchar(255),
-    CAPABILITY_NAME_ varchar(255),
     primary key (ID_)
 );
 
@@ -86,4 +92,10 @@ alter table ACT_ID_MEMBERSHIP
     foreign key (USER_ID_)
     references ACT_ID_USER;
     
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_NAME_);
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV;
+    
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);    

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/create/activiti.hsql.create.identity.sql

@@ -68,11 +68,17 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 );
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ varchar(64) not null,
+    NAME_ varchar(255),
+    primary key (ID_)
+);
+
+create table ACT_ID_PRIV_MAPPING (
+    ID_ varchar(64) not null,
+    PRIV_ID_ varchar(64) not null,
     USER_ID_ varchar(255),
     GROUP_ID_ varchar(255),
-    CAPABILITY_NAME_ varchar(255),
     primary key (ID_)
 );
 
@@ -86,4 +92,10 @@ add constraint ACT_FK_MEMB_USER
 foreign key (USER_ID_)
 references ACT_ID_USER;
 
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_NAME_);
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV;
+    
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);   

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/create/activiti.mssql.create.identity.sql

@@ -68,22 +68,34 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 );
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ nvarchar(64) not null,
+    NAME_ nvarchar(255),
+    primary key (ID_)
+);
+
+create table ACT_ID_PRIV_MAPPING (
+    ID_ nvarchar(64) not null,
+    PRIV_ID_ nvarchar(64) not null,
     USER_ID_ nvarchar(255),
     GROUP_ID_ nvarchar(255),
-    CAPABILITY_NAME_ nvarchar(255),
     primary key (ID_)
 );
 
-alter table ACT_ID_MEMBERSHIP 
-    add constraint ACT_FK_MEMB_GROUP 
-    foreign key (GROUP_ID_) 
-    references ACT_ID_GROUP (ID_);
+alter table ACT_ID_MEMBERSHIP
+    add constraint ACT_FK_MEMB_GROUP
+    foreign key (GROUP_ID_)
+    references ACT_ID_GROUP;
 
-alter table ACT_ID_MEMBERSHIP 
-    add constraint ACT_FK_MEMB_USER 
-    foreign key (USER_ID_) 
+alter table ACT_ID_MEMBERSHIP
+    add constraint ACT_FK_MEMB_USER
+    foreign key (USER_ID_)
     references ACT_ID_USER (ID_);
+
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV (ID_);
     
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_NAME_);    
\ No newline at end of file
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);      
\ No newline at end of file

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/create/activiti.mysql.create.identity.sql

@@ -68,22 +68,34 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_bin;
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ varchar(64) not null,
+    NAME_ varchar(255),
+    primary key (ID_)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_bin;
+
+create table ACT_ID_PRIV_MAPPING (
+    ID_ varchar(64) not null,
+    PRIV_ID_ varchar(64) not null,
     USER_ID_ varchar(255),
     GROUP_ID_ varchar(255),
-    CAPABILITY_NAME_ varchar(255),
     primary key (ID_)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_bin;
 
-alter table ACT_ID_MEMBERSHIP 
-    add constraint ACT_FK_MEMB_GROUP 
-    foreign key (GROUP_ID_) 
+alter table ACT_ID_MEMBERSHIP
+    add constraint ACT_FK_MEMB_GROUP
+    foreign key (GROUP_ID_)
     references ACT_ID_GROUP (ID_);
-
-alter table ACT_ID_MEMBERSHIP 
-    add constraint ACT_FK_MEMB_USER 
-    foreign key (USER_ID_) 
+    
+alter table ACT_ID_MEMBERSHIP
+    add constraint ACT_FK_MEMB_USER
+    foreign key (USER_ID_)
     references ACT_ID_USER (ID_);
+
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV (ID_);
     
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_NAME_);    
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);   

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/create/activiti.mysql55.create.identity.sql

@@ -68,22 +68,34 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_bin;
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ varchar(64) not null,
+    NAME_ varchar(255),
+    primary key (ID_)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_bin;
+
+create table ACT_ID_PRIV_MAPPING (
+    ID_ varchar(64) not null,
+    PRIV_ID_ varchar(64) not null,
     USER_ID_ varchar(255),
     GROUP_ID_ varchar(255),
-    CAPABILITY_NAME_ varchar(255),
     primary key (ID_)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_bin;
 
-alter table ACT_ID_MEMBERSHIP 
-    add constraint ACT_FK_MEMB_GROUP 
-    foreign key (GROUP_ID_) 
+alter table ACT_ID_MEMBERSHIP
+    add constraint ACT_FK_MEMB_GROUP
+    foreign key (GROUP_ID_)
     references ACT_ID_GROUP (ID_);
 
-alter table ACT_ID_MEMBERSHIP 
-    add constraint ACT_FK_MEMB_USER 
-    foreign key (USER_ID_) 
+alter table ACT_ID_MEMBERSHIP
+    add constraint ACT_FK_MEMB_USER
+    foreign key (USER_ID_)
     references ACT_ID_USER (ID_);
+
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV (ID_);
     
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_NAME_);    
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);      

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/create/activiti.oracle.create.identity.sql

@@ -68,17 +68,23 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 );
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ NVARCHAR2(64) not null,
+    NAME_ NVARCHAR2(255),
+    primary key (ID_)
+);
+
+create table ACT_ID_PRIV_MAPPING (
+    ID_ NVARCHAR2(64) not null,
+    PRIV_ID_ NVARCHAR2(64) not null,
     USER_ID_ NVARCHAR2(255),
     GROUP_ID_ NVARCHAR2(255),
-    CAPABILITY_NAME_ NVARCHAR2(255),
     primary key (ID_)
 );
 
 create index ACT_IDX_MEMB_GROUP on ACT_ID_MEMBERSHIP(GROUP_ID_);
 alter table ACT_ID_MEMBERSHIP 
-    add constraint ACT_FK_MEMB_GROUP 
+    add constraint ACT_FK_MEMB_GROUP
     foreign key (GROUP_ID_) 
     references ACT_ID_GROUP (ID_);
 
@@ -87,5 +93,12 @@ alter table ACT_ID_MEMBERSHIP
     add constraint ACT_FK_MEMB_USER
     foreign key (USER_ID_) 
     references ACT_ID_USER (ID_);
+
+create index ACT_IDX_PRIV_MAPPING on ACT_ID_PRIV_MAPPING(PRIV_ID_);    
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV (ID_);
     
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_NAME_);
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);   

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/create/activiti.postgres.create.identity.sql

@@ -68,11 +68,17 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 );
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ varchar(64) not null,
+    NAME_ varchar(255),
+    primary key (ID_)
+);
+
+create table ACT_ID_PRIV_MAPPING (
+    ID_ varchar(64) not null,
+    PRIV_ID_ varchar(64) not null,
     USER_ID_ varchar(255),
     GROUP_ID_ varchar(255),
-    CAPABILITY_NAME_ varchar(255),
     primary key (ID_)
 );
 
@@ -87,5 +93,12 @@ alter table ACT_ID_MEMBERSHIP
     add constraint ACT_FK_MEMB_USER
     foreign key (USER_ID_) 
     references ACT_ID_USER (ID_);
+
+create index ACT_IDX_PRIV_MAPPING on ACT_ID_PRIV_MAPPING(PRIV_ID_);    
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV (ID_);
     
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_NAME_);
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);   
\ No newline at end of file

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/drop/activiti.db2.drop.identity.sql

@@ -3,6 +3,9 @@ alter table ACT_ID_MEMBERSHIP
     
 alter table ACT_ID_MEMBERSHIP 
     drop foreign key ACT_FK_MEMB_USER;
+    
+alter table ACT_ID_PRIV_MAPPING
+    drop foreign key ACT_FK_PRIV_MAPPING;    
 
 drop table ACT_ID_PROPERTY;
 drop table ACT_ID_BYTEARRAY;
@@ -11,4 +14,5 @@ drop table ACT_ID_MEMBERSHIP;
 drop table ACT_ID_GROUP;
 drop table ACT_ID_USER;
 drop table ACT_ID_TOKEN;
-drop table ACT_ID_CAPABILITY;
+drop table ACT_ID_PRIV;
+drop table ACT_ID_PRIV_MAPPING;

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/drop/activiti.h2.drop.identity.sql

@@ -5,6 +5,8 @@ drop table if exists ACT_ID_GROUP cascade constraints;
 drop table if exists ACT_ID_MEMBERSHIP cascade constraints;
 drop table if exists ACT_ID_USER cascade constraints;
 drop table if exists ACT_ID_TOKEN cascade constraints;
-drop table if exists ACT_ID_CAPABILITY cascade constraints;
+drop table if exists ACT_ID_PRIV cascade constraints;
+drop table if exists ACT_ID_PRIV_MAPPING cascade constraints;
 
-drop index if exists ACT_IDX_CAP_NAME;
\ No newline at end of file
+drop index if exists ACT_IDX_PRIV_USER;
+drop index if exists ACT_IDX_PRIV_GROUP;
\ No newline at end of file

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/drop/activiti.hsql.drop.identity.sql

@@ -5,4 +5,5 @@ drop table if exists ACT_ID_GROUP cascade;
 drop table if exists ACT_ID_MEMBERSHIP cascade;
 drop table if exists ACT_ID_USER cascade;
 drop table if exists ACT_ID_TOKEN cascade;
-drop table if exists ACT_ID_CAPABILITY cascade;
+drop table if exists ACT_ID_PRIV cascade;
+drop table if exists ACT_ID_PRIV_MAPPING cascade;

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/drop/activiti.mssql.drop.identity.sql

@@ -8,4 +8,5 @@ if exists (select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_NAME = '
 if exists (select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_NAME = 'ACT_ID_GROUP') drop table ACT_ID_GROUP;
 if exists (select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_NAME = 'ACT_ID_USER') drop table ACT_ID_USER;
 if exists (select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_NAME = 'ACT_ID_TOKEN') drop table ACT_ID_TOKEN;
-if exists (select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_NAME = 'ACT_ID_CAPABILITY') drop table ACT_ID_CAPABILITY;
+if exists (select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_NAME = 'ACT_ID_PRIV') drop table ACT_ID_PRIV;
+if exists (select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_NAME = 'ACT_ID_PRIV_MAPPING') drop table ACT_ID_PRIV_MAPPING;
\ No newline at end of file

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/drop/activiti.mysql.drop.identity.sql

@@ -3,6 +3,9 @@ alter table ACT_ID_MEMBERSHIP
     
 alter table ACT_ID_MEMBERSHIP 
     drop FOREIGN KEY ACT_FK_MEMB_USER;
+    
+alter table ACT_ID_PRIV_MAPPING
+    drop FOREIGN KEY ACT_FK_PRIV_MAPPING;    
 
 drop table if exists ACT_ID_PROPERTY;
 drop table if exists ACT_ID_BYTEARRAY;
@@ -11,4 +14,5 @@ drop table if exists ACT_ID_MEMBERSHIP;
 drop table if exists ACT_ID_GROUP;
 drop table if exists ACT_ID_USER;
 drop table if exists ACT_ID_TOKEN;
-drop table if exists ACT_ID_CAPABILITY;
+drop table if exists ACT_ID_PRIV;
+drop table if exists ACT_ID_PRIV_MAPPING;

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/drop/activiti.oracle.drop.identity.sql

@@ -3,10 +3,13 @@ alter table ACT_ID_MEMBERSHIP
     
 alter table ACT_ID_MEMBERSHIP 
     drop CONSTRAINT ACT_FK_MEMB_USER;
+    
+alter table ACT_ID_PRIV_MAPPING 
+    drop CONSTRAINT ACT_FK_PRIV_MAPPING;    
 
 drop index ACT_IDX_MEMB_GROUP;
 drop index ACT_IDX_MEMB_USER;
-drop index ACT_IDX_CAP_NAME;
+drop index ACT_IDX_PRIV_NAME;
 
 drop table ACT_ID_PROPERTY;
 drop table ACT_ID_BYTEARRAY;
@@ -15,4 +18,5 @@ drop table ACT_ID_MEMBERSHIP;
 drop table ACT_ID_GROUP;
 drop table ACT_ID_USER;
 drop table ACT_ID_TOKEN;
-drop table ACT_ID_CAPABILITY;
+drop table ACT_ID_PRIV;
+drop table ACT_ID_PRIV_MAPPING;
\ No newline at end of file

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/drop/activiti.postgres.drop.identity.sql

@@ -5,4 +5,5 @@ drop table if exists ACT_ID_GROUP cascade;
 drop table if exists ACT_ID_MEMBERSHIP cascade;
 drop table if exists ACT_ID_USER cascade;
 drop table if exists ACT_ID_TOKEN cascade;
-drop table if exists ACT_ID_CAPABILITY cascade;
+drop table if exists ACT_ID_PRIV cascade;
+drop table if exists ACT_ID_PRIV_MAPPING cascade;

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/mapping/entity/Capability.xml

-<?xml version="1.0" encoding="UTF-8" ?> 
-
-<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd"> 
-  
-<mapper namespace="org.activiti.idm.engine.impl.persistence.entity.CapabilityEntityImpl">
-
-  <resultMap id="capabilityResultMap" type="org.activiti.idm.engine.impl.persistence.entity.CapabilityEntityImpl">
-    <id property="id" column="ID_" jdbcType="VARCHAR" />
-    <result property="capabilityName" column="CAPABILITY_NAME_" jdbcType="VARCHAR" />
-    <result property="userId" column="USER_ID_" jdbcType="VARCHAR" />
-    <result property="groupId" column="GROUP_ID_" jdbcType="VARCHAR" />
-  </resultMap>
-
-  <insert id="insertCapability" parameterType="org.activiti.idm.engine.impl.persistence.entity.CapabilityEntityImpl">
-    insert into ${prefix}ACT_ID_CAPABILITY (ID_, CAPABILITY_NAME_, USER_ID_, GROUP_ID_)
-    values (
-      #{id ,jdbcType=VARCHAR},
-      #{capabilityName ,jdbcType=VARCHAR},
-      #{userId ,jdbcType=VARCHAR},
-      #{groupId ,jdbcType=VARCHAR}
-    )
-  </insert>
-
-  <insert id="bulkInsertCapability" parameterType="java.util.List">
-    insert into ${prefix}ACT_ID_CAPABILITY (ID_, CAPABILITY_NAME_, USER_ID_, GROUP_ID_) VALUES 
-      <foreach collection="list" item="capability" index="index" separator=",">
-        (#{capability.id ,jdbcType=VARCHAR},
-         #{capability.capabilityName ,jdbcType=VARCHAR},
-         #{capability.userId ,jdbcType=VARCHAR},
-         #{capability.groupId ,jdbcType=VARCHAR})
-      </foreach>
-  </insert>
-
-  <insert id="bulkInsertCapability" databaseId="oracle" parameterType="java.util.List">
-    INSERT ALL 
-      <foreach collection="list" item="capability" index="index">
-        insert into ${prefix}ACT_ID_CAPABILITY (ID_, CAPABILITY_NAME_, USER_ID_, GROUP_ID_) VALUES 
-        (#{capability.id ,jdbcType=VARCHAR},
-         #{capability.capabilityName ,jdbcType=VARCHAR},
-         #{capability.userId ,jdbcType=VARCHAR},
-         #{capability.groupId ,jdbcType=VARCHAR})
-      </foreach>
-    SELECT * FROM dual
-  </insert>
-
-  <delete id="deleteCapability" parameterType="org.activiti.idm.engine.impl.persistence.entity.CapabilityEntityImpl">
-    delete from ${prefix}ACT_ID_CAPABILITY where ID_ = #{id}
-  </delete>
-
-  <select id="selectCapability" parameterType="string" resultMap="capabilityResultMap">
-    select * from ${prefix}ACT_ID_CAPABILITY where ID_ = #{id,jdbcType=VARCHAR}
-  </select>
-  
-  <select id="selectCapabilityByQueryCriteria" parameterType="org.activiti.idm.engine.impl.CapabilityQueryImpl" resultMap="capabilityResultMap">
-    ${limitBefore}
-    select RES.* ${limitBetween}
-    <include refid="selectCapabilityByQueryCriteriaSql" />
-    ${orderBy}
-    ${limitAfter}
-  </select>
-  
-   <select id="selectCapabilityCountByQueryCriteria" parameterType="org.activiti.idm.engine.impl.CapabilityQueryImpl" resultType="long">
-    select count(RES.ID_)
-    <include refid="selectCapabilityByQueryCriteriaSql" />
-  </select>
-  
-  <sql id="selectCapabilityByQueryCriteriaSql">
-    from ${prefix}ACT_ID_CAPABILITY RES 
-    <where>
-      <if test="id != null">
-        RES.ID_ = #{id}
-      </if>
-      <if test="capabilityName != null">
-        and RES.CAPABILITY_NAME_ = #{capabilityName}
-      </if>
-      <if test="userId != null">
-        and RES.USER_ID_ = #{userId}
-      </if>
-      <if test="groupId != null">
-        and RES.GROUP_ID_ = #{groupId}
-      </if>
-      <if test="groupIds != null">
-        and RES.GROUP_ID_ IN
-        <foreach item="id" index="index" collection="groupIds" 
-                 open="(" separator="," close=")">
-          #{id}
-        </foreach>
-      </if>
-    </where>
-  </sql>
-
-  <select id="selectCapabilityByNativeQuery" parameterType="java.util.Map" resultMap="capabilityResultMap">
-    <include refid="org.activiti.idm.engine.db.common.selectByNativeQuery"/>
-  </select>
-
-  <select id="selectCapabilityCountByNativeQuery" parameterType="java.util.Map" resultType="long">
-    ${sql}
-  </select>
-  
-</mapper>
\ No newline at end of file

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/mapping/entity/Group.xml

@@ -148,4 +148,12 @@
     ${sql}
   </select>
   
+  <select id="selectGroupsWithPrivilegeId" parameterType="string" resultMap="groupResultMap">
+    select RES.* from ${prefix}ACT_ID_GROUP RES
+    inner join ${prefix}ACT_ID_PRIV_MAPPING MAPPING on MAPPING.GROUP_ID_ = RES.ID_
+    inner join ${prefix}ACT_ID_PRIV PRIV on PRIV.ID_ = MAPPING.PRIV_ID_
+    where PRIV.ID_ = #{parameter}
+    order by RES.NAME_
+  </select>
+  
 </mapper>
\ No newline at end of file

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/mapping/entity/Privilege.xml

+<?xml version="1.0" encoding="UTF-8" ?> 
+
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd"> 
+  
+<mapper namespace="org.activiti.idm.engine.impl.persistence.entity.PrivilegeEntityImpl">
+
+  <resultMap id="privilegeResultMap" type="org.activiti.idm.engine.impl.persistence.entity.PrivilegeEntityImpl">
+    <id property="id" column="ID_" jdbcType="VARCHAR" />
+    <result property="name" column="NAME_" jdbcType="VARCHAR" />
+  </resultMap>
+
+  <insert id="insertPrivilege" parameterType="org.activiti.idm.engine.impl.persistence.entity.PrivilegeEntityImpl">
+    insert into ${prefix}ACT_ID_PRIV (ID_, NAME_)
+    values (
+      #{id ,jdbcType=VARCHAR},
+      #{name ,jdbcType=VARCHAR}
+    )
+  </insert>
+
+  <insert id="bulkInsertPrivilege" parameterType="java.util.List">
+    insert into ${prefix}ACT_ID_PRIV (ID_, NAME_) VALUES 
+      <foreach collection="list" item="privilege" index="index" separator=",">
+        (#{privilege.id ,jdbcType=VARCHAR},
+         #{privilege.name ,jdbcType=VARCHAR}
+      </foreach>
+  </insert>
+
+  <insert id="bulkInsertPrivilege" databaseId="oracle" parameterType="java.util.List">
+    INSERT ALL 
+      <foreach collection="list" item="privilege" index="index">
+        insert into ${prefix}ACT_ID_PRIV (ID_, NAME_) VALUES 
+        (#{privilege.id ,jdbcType=VARCHAR},
+         #{privilege.name ,jdbcType=VARCHAR}
+      </foreach>
+    SELECT * FROM dual
+  </insert>
+
+  <delete id="deletePrivilege" parameterType="org.activiti.idm.engine.impl.persistence.entity.PrivilegeEntityImpl">
+    delete from ${prefix}ACT_ID_PRIV where ID_ = #{id}
+  </delete>
+
+  <select id="selectPrivilege" parameterType="string" resultMap="privilegeResultMap">
+    select * from ${prefix}ACT_ID_PRIV where ID_ = #{id,jdbcType=VARCHAR}
+  </select>
+  
+  <select id="selectPrivilegeByQueryCriteria" parameterType="org.activiti.idm.engine.impl.PrivilegeQueryImpl" resultMap="privilegeResultMap">
+    ${limitBefore}
+    select RES.* ${limitBetween}
+    <include refid="selectPrivilegeByQueryCriteriaSql" />
+    ${orderBy}
+    ${limitAfter}
+  </select>
+  
+   <select id="selectPrivilegeCountByQueryCriteria" parameterType="org.activiti.idm.engine.impl.PrivilegeQueryImpl" resultType="long">
+    select count(RES.ID_)
+    <include refid="selectPrivilegeByQueryCriteriaSql" />
+  </select>
+  
+  <sql id="selectPrivilegeByQueryCriteriaSql">
+    from ${prefix}ACT_ID_PRIV RES 
+    <if test="userId != null || groupId != null || groupIds != null">
+        inner join ${prefix}ACT_ID_PRIV_MAPPING MAPPING on RES.ID_ = MAPPING.PRIV_ID_
+    </if>
+    <where>
+      <if test="id != null">
+        RES.ID_ = #{id}
+      </if>
+      <if test="name != null">
+        and RES.NAME_ = #{name}
+      </if>
+      <if test="userId != null">
+        and MAPPING.USER_ID_ = #{userId}
+      </if>
+      <if test="groupId != null">
+        and MAPPING.GROUP_ID_ = #{groupId}
+      </if>
+      <if test="groupIds != null">
+        and MAPPING.GROUP_ID_ IN
+        <foreach item="id" index="index" collection="groupIds" 
+                 open="(" separator="," close=")">
+          #{id}
+        </foreach>
+      </if>
+    </where>
+  </sql>
+
+  <select id="selectPrivilegeByNativeQuery" parameterType="java.util.Map" resultMap="privilegeResultMap">
+    <include refid="org.activiti.idm.engine.db.common.selectByNativeQuery"/>
+  </select>
+
+  <select id="selectPrivilegeCountByNativeQuery" parameterType="java.util.Map" resultType="long">
+    ${sql}
+  </select>
+  
+</mapper>
\ No newline at end of file

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/mapping/entity/PrivilegeMapping.xml

+<?xml version="1.0" encoding="UTF-8" ?> 
+
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd"> 
+  
+<mapper namespace="org.activiti.idm.engine.impl.persistence.entity.PrivilegeMappingEntityImpl">
+
+  <resultMap id="privilegeMappingResultMap" type="org.activiti.idm.engine.impl.persistence.entity.PrivilegeMappingEntityImpl">
+    <id property="id" column="ID_" jdbcType="VARCHAR" />
+    <result property="privilegeId" column="PRIV_ID_" jdbcType="VARCHAR" />
+    <result property="userId" column="USER_ID_" jdbcType="VARCHAR" />
+    <result property="groupId" column="GROUP_ID_" jdbcType="VARCHAR" />
+  </resultMap>
+
+  <insert id="insertPrivilegeMapping" parameterType="org.activiti.idm.engine.impl.persistence.entity.PrivilegeMappingEntityImpl">
+    insert into ${prefix}ACT_ID_PRIV_MAPPING (ID_, PRIV_ID_, USER_ID_, GROUP_ID_)
+    values (
+      #{id ,jdbcType=VARCHAR},
+      #{privilegeId ,jdbcType=VARCHAR},
+      #{userId ,jdbcType=VARCHAR},
+      #{groupId ,jdbcType=VARCHAR}
+    )
+  </insert>
+
+  <insert id="bulkInsertPrivilegeMapping" parameterType="java.util.List">
+    insert into ${prefix}ACT_ID_PRIV_MAPPING (ID_, PRIV_ID_, USER_ID_, GROUP_ID_) VALUES 
+      <foreach collection="list" item="privilege" index="index" separator=",">
+        (#{privilege.id ,jdbcType=VARCHAR},
+         #{privilege.privilegeId ,jdbcType=VARCHAR},
+         #{privilege.userId ,jdbcType=VARCHAR},
+         #{privilege.groupId ,jdbcType=VARCHAR})
+      </foreach>
+  </insert>
+
+  <insert id="bulkInsertPrivilegeMapping" databaseId="oracle" parameterType="java.util.List">
+    INSERT ALL 
+      <foreach collection="list" item="privilege" index="index">
+        insert into ${prefix}ACT_ID_PRIV_MAPPING (ID_, PRIV_ID_, USER_ID_, GROUP_ID_) VALUES 
+        (#{privilege.id ,jdbcType=VARCHAR},
+         #{privilege.privilegeId ,jdbcType=VARCHAR},
+         #{privilege.userId ,jdbcType=VARCHAR},
+         #{privilege.groupId ,jdbcType=VARCHAR})
+      </foreach>
+    SELECT * FROM dual
+  </insert>
+
+  <delete id="deletePrivilegeMapping" parameterType="org.activiti.idm.engine.impl.persistence.entity.PrivilegeMappingEntityImpl">
+    delete from ${prefix}ACT_ID_PRIV_MAPPING where ID_ = #{id}
+  </delete>
+  
+  <delete id="deleteByPrivilegeId" parameterType="string">
+    delete from ${prefix}ACT_ID_PRIV_MAPPING where PRIV_ID_ = #{id}
+  </delete>
+  
+  <delete id="deleteByPrivilegeIdAndUserId" parameterType="map">
+    delete from ${prefix}ACT_ID_PRIV_MAPPING where PRIV_ID_ = #{privilegeId} and USER_ID_ = #{userId}
+  </delete>
+
+    <delete id="deleteByPrivilegeIdAndGroupId" parameterType="map">
+    delete from ${prefix}ACT_ID_PRIV_MAPPING where PRIV_ID_ = #{privilegeId} and GROUP_ID_ = #{groupId}
+  </delete>
+
+
+  <select id="selectPrivilegeMapping" parameterType="string" resultMap="privilegeMappingResultMap">
+    select * from ${prefix}ACT_ID_PRIV_MAPPING where ID_ = #{id,jdbcType=VARCHAR}
+  </select>
+  
+</mapper>
\ No newline at end of file

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/mapping/entity/User.xml

@@ -154,4 +154,12 @@
     ${sql}
   </select>
   
+  <select id="selectUsersWithPrivilegeId" parameterType="string" resultMap="userResultMap">
+    select RES.* from ${prefix}ACT_ID_USER RES
+    inner join ${prefix}ACT_ID_PRIV_MAPPING MAPPING on MAPPING.USER_ID_ = RES.ID_
+    inner join ${prefix}ACT_ID_PRIV PRIV on PRIV.ID_ = MAPPING.PRIV_ID_
+    where PRIV.ID_ = #{parameter}
+    order by RES.LAST_
+  </select>
+  
 </mapper>
\ No newline at end of file

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/mapping/mappings.xml

@@ -24,6 +24,7 @@
     <mapper resource="org/activiti/idm/db/mapping/entity/TableData.xml" />
     <mapper resource="org/activiti/idm/db/mapping/entity/Token.xml" />
     <mapper resource="org/activiti/idm/db/mapping/entity/User.xml" />
-    <mapper resource="org/activiti/idm/db/mapping/entity/Capability.xml" />
+    <mapper resource="org/activiti/idm/db/mapping/entity/Privilege.xml" />
+    <mapper resource="org/activiti/idm/db/mapping/entity/PrivilegeMapping.xml" />
   </mappers>
 </configuration>

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/upgrade/activiti.db2.upgradestep.0.to.6000.engine.sql

@@ -31,12 +31,25 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 );
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ varchar(64) not null,
+    NAME_ varchar(255),
+    primary key (ID_)
+);
+
+create table ACT_ID_PRIV_MAPPING {
+    ID_ varchar(64) not null,
+    PRIV_ID_ varchar(64) not null,
     USER_ID_ varchar(255),
     GROUP_ID_ varchar(255),
-    CAPABILITY_ varchar(255),
     primary key (ID_)
-);  
+};
+
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV (ID_);
     
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_);
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);    
+  

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/upgrade/activiti.h2.upgradestep.0.to.6000.engine.sql

@@ -31,12 +31,24 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 );
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ varchar(64) not null,
+    NAME_ varchar(255),
+    primary key (ID_)
+);
+
+create table ACT_ID_PRIV_MAPPING {
+    ID_ varchar(64) not null,
+    PRIV_ID_ varchar(64) not null,
     USER_ID_ varchar(255),
     GROUP_ID_ varchar(255),
-    CAPABILITY_ varchar(255),
     primary key (ID_)
-);  
+};
+
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV (ID_);
     
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_);
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);    

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/upgrade/activiti.hsql.upgradestep.0.to.6000.engine.sql

@@ -31,12 +31,24 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 );
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ varchar(64) not null,
+    NAME_ varchar(255),
+    primary key (ID_)
+);
+
+create table ACT_ID_PRIV_MAPPING {
+    ID_ varchar(64) not null,
+    PRIV_ID_ varchar(64) not null,
     USER_ID_ varchar(255),
     GROUP_ID_ varchar(255),
-    CAPABILITY_ varchar(255),
     primary key (ID_)
-);  
+};
+
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV (ID_);
     
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_);
\ No newline at end of file
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);    

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/upgrade/activiti.mssql.upgradestep.0.to.6000.engine.sql

@@ -31,12 +31,24 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 );
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ nvarchar(64) not null,
+    NAME_ nvarchar(255),
+    primary key (ID_)
+);
+
+create table ACT_ID_PRIV_MAPPING {
+    ID_ nvarchar(64) not null,
+    PRIV_ID_ nvarchar(64) not null,
     USER_ID_ nvarchar(255),
     GROUP_ID_ nvarchar(255),
-    CAPABILITY_ nvarchar(255),
     primary key (ID_)
-);  
+};
+
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV (ID_);
     
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_);
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);  

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/upgrade/activiti.mysql.upgradestep.0.to.6000.engine.sql

@@ -31,12 +31,25 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_bin;
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ varchar(64) not null,
+    NAME_ varchar(255),
+    primary key (ID_)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_bin;
+
+create table ACT_ID_PRIV_MAPPING {
+    ID_ varchar(64) not null,
+    PRIV_ID_ varchar(64) not null,
     USER_ID_ varchar(255),
     GROUP_ID_ varchar(255),
-    CAPABILITY_ varchar(255),
     primary key (ID_)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_bin;  
+} ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_bin;
+
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV (ID_);
     
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_);
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);   
+

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/upgrade/activiti.mysql55.upgradestep.0.to.6000.engine.sql

@@ -31,12 +31,24 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_bin;
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ varchar(64) not null,
+    NAME_ varchar(255),
+    primary key (ID_)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_bin;
+
+create table ACT_ID_PRIV_MAPPING {
+    ID_ varchar(64) not null,
+    PRIV_ID_ varchar(64) not null,
     USER_ID_ varchar(255),
     GROUP_ID_ varchar(255),
-    CAPABILITY_ varchar(255),
     primary key (ID_)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_bin;  
+} ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_bin;
+
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV (ID_);
     
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_);
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);   

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/upgrade/activiti.oracle.upgradestep.0.to.6000.engine.sql

@@ -31,12 +31,25 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 );
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ NVARCHAR2(64) not null,
+    NAME_ NVARCHAR2(255),
+    primary key (ID_)
+);
+
+create table ACT_ID_PRIV_MAPPING {
+    ID_ NVARCHAR2(64) not null,
+    PRIV_ID_ NVARCHAR2(64) not null,
     USER_ID_ NVARCHAR2(255),
     GROUP_ID_ NVARCHAR2(255),
-    CAPABILITY_ NVARCHAR2(255),
     primary key (ID_)
-);  
+};
+
+create index ACT_IDX_PRIV_MAPPING on ACT_ID_PRIV_MAPPING(PRIV_ID_);    
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV (ID_);
     
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_);
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);   

modules/flowable-idm-engine/src/main/resources/org/activiti/idm/db/upgrade/activiti.postgres.upgradestep.0.to.6000.engine.sql

@@ -31,12 +31,25 @@ create table ACT_ID_TOKEN (
     primary key (ID_)
 );
 
-create table ACT_ID_CAPABILITY (
+create table ACT_ID_PRIV (
     ID_ varchar(64) not null,
+    NAME_ varchar(255),
+    primary key (ID_)
+);
+
+create table ACT_ID_PRIV_MAPPING {
+    ID_ varchar(64) not null,
+    PRIV_ID_ varchar(64) not null,
     USER_ID_ varchar(255),
     GROUP_ID_ varchar(255),
-    CAPABILITY_ varchar(255),
     primary key (ID_)
-);  
+};
+
+create index ACT_IDX_PRIV_MAPPING on ACT_ID_PRIV_MAPPING(PRIV_ID_);    
+alter table ACT_ID_PRIV_MAPPING 
+    add constraint ACT_FK_PRIV_MAPPING 
+    foreign key (PRIV_ID_) 
+    references ACT_ID_PRIV (ID_);
     
-create index ACT_IDX_CAP_NAME on ACT_ID_CAPABILITY(CAPABILITY_);
+create index ACT_IDX_PRIV_USER on ACT_ID_PRIV_MAPPING(USER_ID_);
+create index ACT_IDX_PRIV_GROUP on ACT_ID_PRIV_MAPPING(GROUP_ID_);
\ No newline at end of file

modules/flowable-idm-engine/src/test/java/org/activiti/idm/engine/test/api/identity/CapabilityQueryTest.java → modules/flowable-idm-engine/src/test/java/org/activiti/idm/engine/test/api/identity/PrivilegesTest.java

@@ -14,22 +14,25 @@ package org.activiti.idm.engine.test.api.identity;
 
 import java.util.List;
 
-import org.activiti.idm.api.Capability;
-import org.activiti.idm.engine.impl.persistence.entity.CapabilityEntity;
+import org.activiti.engine.common.api.ActivitiIllegalArgumentException;
+import org.activiti.idm.api.Group;
+import org.activiti.idm.api.Privilege;
+import org.activiti.idm.api.User;
+import org.activiti.idm.engine.impl.persistence.entity.PrivilegeEntity;
 import org.activiti.idm.engine.test.PluggableActivitiIdmTestCase;
 
 /**
  * @author Joram Barrez
  */
-public class CapabilityQueryTest extends PluggableActivitiIdmTestCase {
+public class PrivilegesTest extends PluggableActivitiIdmTestCase {
 
   @Override
   protected void setUp() throws Exception {
     super.setUp();
     
-    createGroup("admins", null, "user");
-    createGroup("sales", null, "user");
-    createGroup("engineering", null, "user");
+    createGroup("admins", "Admins", "user");
+    createGroup("sales", "Sales", "user");
+    createGroup("engineering", "Engineering" , "user");
 
     idmIdentityService.saveUser(idmIdentityService.newUser("kermit"));
     idmIdentityService.saveUser(idmIdentityService.newUser("fozzie"));
@@ -41,17 +44,20 @@ public class CapabilityQueryTest extends PluggableActivitiIdmTestCase {
     idmIdentityService.createMembership("fozzie", "sales");
     idmIdentityService.createMembership("mispiggy", "engineering");
 
-    String adminCapability = "access admin application";
-    idmIdentityService.createCapability(adminCapability, null, "admins");
-    idmIdentityService.createCapability(adminCapability, "mispiggy", null);
+    String adminPrivilegename = "access admin application";
+    Privilege adminPrivilege = idmIdentityService.createPrivilege(adminPrivilegename);
+    idmIdentityService.addGroupPrivilegeMapping(adminPrivilege.getId(), "admins");
+    idmIdentityService.addUserPrivilegeMapping(adminPrivilege.getId(), "mispiggy");
     
-    String modelerCapability = "access modeler application";
-    idmIdentityService.createCapability(modelerCapability, null, "admins");
-    idmIdentityService.createCapability(modelerCapability, null, "engineering");
-    idmIdentityService.createCapability(modelerCapability, "kermit", null);
+    String modelerPrivilegeName = "access modeler application";
+    Privilege modelerPrivilege = idmIdentityService.createPrivilege(modelerPrivilegeName);
+    idmIdentityService.addGroupPrivilegeMapping(modelerPrivilege.getId(), "admins");
+    idmIdentityService.addGroupPrivilegeMapping(modelerPrivilege.getId(), "engineering");
+    idmIdentityService.addUserPrivilegeMapping(modelerPrivilege.getId(), "kermit");
     
-    String startProcessesCapability = "start processes";
-    idmIdentityService.createCapability(startProcessesCapability, null, "sales");
+    String startProcessesPrivilegename = "start processes";
+    Privilege startProcessesPrivilege = idmIdentityService.createPrivilege(startProcessesPrivilegename);
+    idmIdentityService.addGroupPrivilegeMapping(startProcessesPrivilege.getId(), "sales");
   }
   
   @Override
@@ -60,79 +66,89 @@ public class CapabilityQueryTest extends PluggableActivitiIdmTestCase {
     super.tearDown();
   }
   
-  public void testQueryAll() {
-    List<Capability> capabilities = idmIdentityService.createCapabilityQuery().list();
-    assertEquals(6, capabilities.size());
-    assertEquals(6L, idmIdentityService.createCapabilityQuery().count());
+  public void testCreateDuplicatePrivilege() {
+    try {
+      idmIdentityService.createPrivilege("access admin application");
+      fail();
+    } catch (ActivitiIllegalArgumentException e) { }
+  }
+  
+  public void testGetUsers() {
+    String privilegeId = idmIdentityService.createPrivilegeQuery().privilegeName("access admin application").singleResult().getId();
+    List<User> users = idmIdentityService.getUsersWithPrivilege(privilegeId);
+    assertEquals(1, users.size());
+    assertEquals("mispiggy", users.get(0).getId());
     
-    int nrOfUserCapabilities = 0;
-    int nrOfGroupCapabilities = 0;
-    for (Capability capability : capabilities) {
-      assertNotNull(capability.getCapabilityName());
-      if (capability.getUserId() != null) {
-        nrOfUserCapabilities++;
-      }
-      if (capability.getGroupId() != null) {
-        nrOfGroupCapabilities++;
-      }
-    }
+    assertEquals(0, idmIdentityService.getUsersWithPrivilege("does not exist").size());
     
-    assertEquals(2, nrOfUserCapabilities);
-    assertEquals(4, nrOfGroupCapabilities);
+    try {
+      idmIdentityService.getUsersWithPrivilege(null); 
+      fail();
+    } catch (Exception e) { }
   }
   
-  public void testQueryByCapabilityName() {
-    List<Capability> capabilities = idmIdentityService.createCapabilityQuery().capabilityName("access admin application").list();
-    assertEquals(2, capabilities.size());
+  public void testGetGroups() {
+    String privilegeId = idmIdentityService.createPrivilegeQuery().privilegeName("access modeler application").singleResult().getId();
+    List<Group> groups = idmIdentityService.getGroupsWithPrivilege(privilegeId);
+    assertEquals(2, groups.size());
+    assertEquals("admins", groups.get(0).getId());
+    assertEquals("engineering", groups.get(1).getId());
     
-    boolean groupFound = false;
-    boolean userFound = false;
-    for (Capability capability : capabilities) {
-      if ("admins".equals(capability.getGroupId())) {
-        groupFound = true;
-      } 
-      if ("mispiggy".equals(capability.getUserId())) {
-        userFound = true;
-      }
-    }
+    assertEquals(0, idmIdentityService.getGroupsWithPrivilege("does not exist").size());
+    
+    try {
+      idmIdentityService.getGroupsWithPrivilege(null);
+      fail();
+    } catch (Exception e) {}
+  }
+  
+  public void testQueryAll() {
+    List<Privilege> privileges = idmIdentityService.createPrivilegeQuery().list();
+    assertEquals(3, privileges.size());
+    assertEquals(3L, idmIdentityService.createPrivilegeQuery().count());
+  }
+  
+  public void testQueryByName() {
+    List<Privilege> privileges = idmIdentityService.createPrivilegeQuery().privilegeName("access admin application").list();
+    assertEquals(1, privileges.size());
     
-    assertTrue(userFound);
-    assertTrue(groupFound);
+    assertEquals(1, idmIdentityService.getUsersWithPrivilege(privileges.get(0).getId()).size());
+    assertEquals(1, idmIdentityService.getGroupsWithPrivilege(privileges.get(0).getId()).size());
   }
   
- public void testQueryByInvalidCapabilityName() {
-    assertEquals(0, idmIdentityService.createCapabilityQuery().capabilityName("does not exist").list().size());
+ public void testQueryByInvalidName() {
+    assertEquals(0, idmIdentityService.createPrivilegeQuery().privilegeName("does not exist").list().size());
   }
   
   public void testQueryByUserId() {
-    List<Capability> capabilities = idmIdentityService.createCapabilityQuery().userId("kermit").list();
-    assertEquals(1, capabilities.size());
+    List<Privilege> privileges = idmIdentityService.createPrivilegeQuery().userId("kermit").list();
+    assertEquals(1, privileges.size());
     
-    Capability capability = capabilities.get(0);
-    assertEquals("access modeler application", capability.getCapabilityName());
+    Privilege privilege = privileges.get(0);
+    assertEquals("access modeler application", privilege.getName());
   }
   
   public void testQueryByInvalidUserId() {
-    assertEquals(0, idmIdentityService.createCapabilityQuery().userId("does not exist").list().size());
+    assertEquals(0, idmIdentityService.createPrivilegeQuery().userId("does not exist").list().size());
   }
   
   public void testQueryByGroupId() {
-    List<Capability> capabilities = idmIdentityService.createCapabilityQuery().groupId("admins").list();
-    assertEquals(2, capabilities.size());
+    List<Privilege> privileges = idmIdentityService.createPrivilegeQuery().groupId("admins").list();
+    assertEquals(2, privileges.size());
   }
   
   public void testQueryByInvalidGroupId() {
-    assertEquals(0, idmIdentityService.createCapabilityQuery().groupId("does not exist").list().size());
+    assertEquals(0, idmIdentityService.createPrivilegeQuery().groupId("does not exist").list().size());
   }
   
   public void testNativeQuery() {
-    assertEquals("ACT_ID_CAPABILITY", idmManagementService.getTableName(Capability.class));
-    assertEquals("ACT_ID_CAPABILITY", idmManagementService.getTableName(CapabilityEntity.class));
+    assertEquals("ACT_ID_PRIV", idmManagementService.getTableName(Privilege.class));
+    assertEquals("ACT_ID_PRIV", idmManagementService.getTableName(PrivilegeEntity.class));
     
-    String tableName = idmManagementService.getTableName(CapabilityEntity.class);
-    String baseQuerySql = "SELECT * FROM " + tableName + " where USER_ID_ = #{userId}";
+    String tableName = idmManagementService.getTableName(PrivilegeEntity.class);
+    String baseQuerySql = "SELECT * FROM " + tableName + " where NAME_ = #{name}";
 
-    assertEquals(1, idmIdentityService.createNativeUserQuery().sql(baseQuerySql).parameter("userId", "kermit").list().size());
+    assertEquals(1, idmIdentityService.createNativeUserQuery().sql(baseQuerySql).parameter("name", "access admin application").list().size());
   }
   
 }

modules/flowable-ui-admin/src/main/java/org/activiti/filter/FlowableCookieFilter.java

@@ -99,7 +99,6 @@ public class FlowableCookieFilter extends OncePerRequestFilter {
               throw new ActivitiException("user not found " + userId);
             }
             
-            // Add capabilities to user object
             Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
 
             // add default authority

modules/flowable-ui-common/pom.xml

+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <name>Flowable UI Common</name>
+  <artifactId>flowable-ui-common</artifactId>
+
+  <parent>
+    <groupId>org.flowable</groupId>
+    <artifactId>flowable-root</artifactId>
+    <relativePath>../..</relativePath>
+    <version>6.0.0.RC1-SNAPSHOT</version>
+  </parent>
+
+  <properties>
+    <!-- Maven build properties -->
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <java.version>1.7</java.version>
+  </properties>
+
+  <prerequisites>
+    <maven>3.0.0</maven>
+  </prerequisites>
+
+  <dependencies>
+
+    <!-- Flowable -->
+    <dependency>
+      <groupId>org.flowable</groupId>
+      <artifactId>flowable-idm-api</artifactId>
+    </dependency>
+    
+    <dependency>
+	  <groupId>commons-codec</groupId>
+	  <artifactId>commons-codec</artifactId>
+	  <version>1.10</version>
+	</dependency>
+
+    <!-- Spring -->
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-aop</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-beans</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-context</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-context-support</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-expression</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-jdbc</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-tx</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-web</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-webmvc</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-config</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-crypto</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-web</artifactId>
+    </dependency>
+
+    <!-- HttpClient -->
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpclient</artifactId>
+    </dependency>
+
+    <!-- Guava -->
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+    </dependency>
+
+    <!-- Logging -->
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-log4j12</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>jcl-over-slf4j</artifactId>
+    </dependency>
+
+    <!-- Json -->
+    <dependency>
+      <groupId>com.fasterxml.jackson.datatype</groupId>
+      <artifactId>jackson-datatype-json-org</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.datatype</groupId>
+      <artifactId>jackson-datatype-hppc</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.datatype</groupId>
+      <artifactId>jackson-datatype-joda</artifactId>
+    </dependency>
+    
+    <!-- Uuid -->
+    <dependency>
+      <groupId>com.fasterxml.uuid</groupId>
+      <artifactId>java-uuid-generator</artifactId>
+    </dependency>
+
+    <!-- Servlet -->
+    <dependency>
+      <groupId>javax.servlet</groupId>
+      <artifactId>javax.servlet-api</artifactId>
+      <scope>provided</scope>
+    </dependency>
+  </dependencies>
+
+</project>

modules/flowable-ui-modeler/flowable-ui-modeler-conf/src/main/java/org/activiti/app/filter/FlowableCookieFilter.java → modules/flowable-ui-common/src/main/java/org/activiti/app/filter/FlowableCookieFilter.java

@@ -24,14 +24,13 @@ import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.activiti.app.model.common.RemoteToken;
+import org.activiti.app.model.common.RemoteUser;
 import org.activiti.app.security.ActivitiAppUser;
-import org.activiti.app.security.AuthoritiesConstants;
+import org.activiti.app.security.CookieConstants;
+import org.activiti.app.service.idm.RemoteIdmService;
 import org.activiti.engine.common.api.ActivitiException;
-import org.activiti.engine.impl.identity.Authentication;
-import org.activiti.idm.api.Group;
-import org.activiti.idm.api.IdmIdentityService;
-import org.activiti.idm.api.Token;
-import org.activiti.idm.api.User;
+import org.apache.commons.codec.binary.Base64;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -40,9 +39,7 @@ import org.springframework.security.authentication.RememberMeAuthenticationToken
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.crypto.codec.Base64;
 import org.springframework.security.web.authentication.rememberme.InvalidCookieException;
-import org.springframework.stereotype.Component;
 import org.springframework.util.StringUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
 
@@ -50,35 +47,50 @@ import com.google.common.cache.CacheBuilder;
 import com.google.common.cache.CacheLoader;
 import com.google.common.cache.LoadingCache;
 
-@Component
 public class FlowableCookieFilter extends OncePerRequestFilter {
   
   private final Logger logger = LoggerFactory.getLogger(FlowableCookieFilter.class);
   
-  protected static final String COOKIE_NAME = "FLOWABLE_REMEMBER_ME";
   protected static final String DELIMITER = ":";
   
   @Autowired
   protected Environment env;
   
   @Autowired
-  protected IdmIdentityService idmIdentityService;
+  protected RemoteIdmService remoteIdmService;
   
-  // Caching the persistent tokens to avoid hitting the database too often (eg when doing multiple requests at the same time)
-  // (This happens a lot, when the page consists of multiple requests)
-  protected LoadingCache<String, Token> tokenCache;
+  @Autowired(required=false)
+  protected FlowableCookieFilterCallback filterCallback;
   
+  protected String idmAppUrl;
+  
+  // Caching the persistent tokens and users to avoid hitting the database too often 
+  // (eg when doing multiple requests at the same time)
+  protected LoadingCache<String, RemoteToken> tokenCache;
   protected LoadingCache<String, ActivitiAppUser> userCache;
   
   @PostConstruct
+  protected void initCaches() {
+    initIdmAppUrl();
+    initTokenCache();
+    initUserCache();
+  }
+
+  protected void initIdmAppUrl() {
+    idmAppUrl = env.getRequiredProperty("idm.app.url");
+    if (idmAppUrl.endsWith("/") == false) {
+      idmAppUrl += "/";
+    }
+  }
+
   protected void initTokenCache() {
     Long maxSize = env.getProperty("cache.login-tokens.max.size", Long.class, 2048l);
     Long maxAge = env.getProperty("cache.login-tokens.max.age", Long.class, 30l);
     tokenCache = CacheBuilder.newBuilder().maximumSize(maxSize).expireAfterWrite(maxAge, TimeUnit.SECONDS).recordStats()
-        .build(new CacheLoader<String, Token>() {
+        .build(new CacheLoader<String, RemoteToken>() {
 
-          public Token load(final String tokenId) throws Exception {
-            Token token = idmIdentityService.createTokenQuery().tokenId(tokenId).singleResult();
+          public RemoteToken load(final String tokenId) throws Exception {
+            RemoteToken token = remoteIdmService.getToken(tokenId); 
             if (token != null) {
               return token;
             } else {
@@ -87,35 +99,27 @@ public class FlowableCookieFilter extends OncePerRequestFilter {
           }
 
         });
-    
+  }
+
+  protected void initUserCache() {
     Long userMaxSize = env.getProperty("cache.login-users.max.size", Long.class, 2048l);
     Long userMaxAge = env.getProperty("cache.login-users.max.age", Long.class, 30l);
     userCache = CacheBuilder.newBuilder().maximumSize(userMaxSize).expireAfterWrite(userMaxAge, TimeUnit.SECONDS).recordStats()
         .build(new CacheLoader<String, ActivitiAppUser>() {
 
           public ActivitiAppUser load(final String userId) throws Exception {
-            User userFromToken = idmIdentityService.createUserQuery().userId(userId).singleResult();
-            
-            if (userFromToken == null) {
+            RemoteUser user = remoteIdmService.getUser(userId);
+            if (user == null) {
               throw new ActivitiException("user not found " + userId);
             }
             
-            // Add capabilities to user object
             Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
-
-            // add default authority
-            grantedAuthorities.add(new SimpleGrantedAuthority(AuthoritiesConstants.USER));
-
-            // check if user is in super user group
-            String superUserGroupName = env.getRequiredProperty("admin.group");
-            for (Group group : idmIdentityService.createGroupQuery().groupMember(userFromToken.getId()).list()) {
-              if (superUserGroupName.equals(group.getName())) {
-                grantedAuthorities.add(new SimpleGrantedAuthority(AuthoritiesConstants.ADMIN));
-              }
+            for (String privilege : user.getPrivileges()) {
+              grantedAuthorities.add(new SimpleGrantedAuthority(privilege));
             }
 
             // put account into security context (for controllers to use)
-            ActivitiAppUser appUser = new ActivitiAppUser(userFromToken, userFromToken.getId(), grantedAuthorities);
+            ActivitiAppUser appUser = new ActivitiAppUser(user, user.getId(), grantedAuthorities);
             return appUser;
           }
 
@@ -125,75 +129,93 @@ public class FlowableCookieFilter extends OncePerRequestFilter {
   @Override
   protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
     if (skipAuthenticationCheck(request) == false) {
-      boolean authenticated = checkAuthentication(request);
-      
-      if (authenticated == false) {
-        String idmAppUrl = env.getRequiredProperty("idm.app.url");
-        if (idmAppUrl.endsWith("/") == false) {
-          idmAppUrl += "/";
+      RemoteToken token = getValidToken(request);
+      if (token != null) {
+        onValidTokenFound(request, response, token);
+        if (filterCallback != null) {
+          filterCallback.onValidTokenFound(request, response, token);
         }
-        
-        response.sendRedirect(idmAppUrl + "#/login?redirectUrl=" + request.getRequestURL());
-        return;
+      } else {
+        redirectToLogin(request, response);
+        return; // no need to execute any other filters
       }
     }
     
-    filterChain.doFilter(request, response);
+    try {
+      filterChain.doFilter(request, response);
+    } finally {
+      if (filterCallback != null) {
+        filterCallback.onFilterCleanup(request, response);
+      }
+    }
   }
-  
-  protected boolean checkAuthentication(HttpServletRequest request) {
-    boolean authenticated = false;
+
+  protected RemoteToken getValidToken(HttpServletRequest request) {
     Cookie[] cookies = request.getCookies();
     if (cookies != null){
       for (Cookie cookie : cookies) {
-        if (COOKIE_NAME.equals(cookie.getName())) {
+        if (CookieConstants.COOKIE_NAME.equals(cookie.getName())) {
           String[] tokens = decodeCookie(cookie.getValue());
           
           try {
-            Token token = tokenCache.get(tokens[0]);
-            if (token.getTokenValue().equals(tokens[1]) == false) {
+            RemoteToken token = tokenCache.get(tokens[0]);
+            if (token.getValue().equals(tokens[1]) == false) {
               // refetch the token from the database
               tokenCache.invalidate(tokens[0]);
               token = tokenCache.get(tokens[0]);
-              if (token.getTokenValue().equals(tokens[1])) {
-                authenticated = true;
+              if (token.getValue().equals(tokens[1])) {
+                return token;
               }
-            
             } else {
-              authenticated = true;
+              return token;
             }
             
-            ActivitiAppUser appUser = userCache.get(token.getUserId());
-            
-            SecurityContextHolder.getContext().setAuthentication(new RememberMeAuthenticationToken(token.getId(), 
-                appUser, appUser.getAuthorities()));
-            
-            Authentication.setAuthenticatedUserId(token.getUserId());
-            
-            authenticated = true;
-            break;
+            break; // We're only interested in one particular cookie
             
           } catch (Exception e) {
-            logger.trace("Could not get user for token", e);
-            return false;
+            logger.trace("Could not get token", e);
+            return null;
           }
         }
       }
     }
     
-    return authenticated;
+    return null;
   }
   
-  protected boolean skipAuthenticationCheck(HttpServletRequest request) {
-    boolean skipAuthentication = false;
-    if (request.getRequestURI().endsWith(".css") || request.getRequestURI().endsWith(".js") ||
-        request.getRequestURI().endsWith(".html") || request.getRequestURI().endsWith(".map") ||
-        request.getRequestURI().endsWith(".woff") || request.getRequestURI().endsWith(".map") ||
-        request.getRequestURI().endsWith(".png") || request.getRequestURI().endsWith(".jpg")) {
+  protected void onValidTokenFound(HttpServletRequest request, HttpServletResponse response, RemoteToken token) {
+    try {
+      ActivitiAppUser appUser = userCache.get(token.getUserId());
       
-      skipAuthentication = true;
+      SecurityContextHolder.getContext().setAuthentication(new RememberMeAuthenticationToken(token.getId(), 
+          appUser, appUser.getAuthorities()));
+      
+    } catch (Exception e) {
+      logger.trace("Could not set necessary threadlocals for token, e");
+      redirectToLogin(request, response);
+    }
+  }
+  
+  protected void redirectToLogin(HttpServletRequest request, HttpServletResponse response)  {
+    try {
+      response.sendRedirect(idmAppUrl + "#/login?redirectOnAuthSuccess=true&redirectUrl=" + request.getRequestURL());
+    } catch (IOException e) {
+      logger.warn("Could not redirect to " + idmAppUrl, e);
+    }
+  }
+  
+  protected boolean skipAuthenticationCheck(HttpServletRequest request) {
+    if (request.getRequestURI().endsWith(".css") || 
+        request.getRequestURI().endsWith(".js") ||
+        request.getRequestURI().endsWith(".html") || 
+        request.getRequestURI().endsWith(".map") ||
+        request.getRequestURI().endsWith(".woff") || 
+        request.getRequestURI().endsWith(".map") ||
+        request.getRequestURI().endsWith(".png") || 
+        request.getRequestURI().endsWith(".jpg")) {
+      return true;
     }
-    return skipAuthentication;
+    return false;
   }
   
   protected String[] decodeCookie(String cookieValue) throws InvalidCookieException {
@@ -205,7 +227,7 @@ public class FlowableCookieFilter extends OncePerRequestFilter {
       throw new InvalidCookieException("Cookie token was not Base64 encoded; value was '" + cookieValue + "'");
     }
 
-    String cookieAsPlainText = new String(Base64.decode(cookieValue.getBytes()));
+    String cookieAsPlainText = new String(Base64.decodeBase64(cookieValue.getBytes()));
 
     String[] tokens = StringUtils.delimitedListToStringArray(cookieAsPlainText, DELIMITER);
 

modules/flowable-ui-common/src/main/java/org/activiti/app/filter/FlowableCookieFilterCallback.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.activiti.app.filter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.activiti.app.model.common.RemoteToken;
+
+public interface FlowableCookieFilterCallback {
+  
+  void onValidTokenFound(HttpServletRequest request, HttpServletResponse response, RemoteToken token);
+  
+  void onFilterCleanup(HttpServletRequest request, HttpServletResponse response);
+
+}

modules/flowable-ui-idm/flowable-ui-idm-logic/src/main/java/org/activiti/app/model/idm/GroupRepresentation.java → modules/flowable-ui-common/src/main/java/org/activiti/app/model/common/GroupRepresentation.java

@@ -10,7 +10,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.activiti.app.model.idm;
+package org.activiti.app.model.common;
 
 import org.activiti.app.model.common.AbstractRepresentation;
 import org.activiti.idm.api.Group;

modules/flowable-ui-common/src/main/java/org/activiti/app/model/common/RemoteGroup.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.activiti.app.model.common;
+
+import org.activiti.idm.api.Group;
+
+public class RemoteGroup implements Group {
+  
+  protected String id;
+  protected String name;
+  
+  public RemoteGroup() {
+    
+  }
+  
+  public RemoteGroup(String id, String name) {
+    this.id = id;
+    this.name = name;
+  }
+  
+  public String getId() {
+    return id;
+  }
+  public void setId(String id) {
+    this.id = id;
+  }
+  public String getName() {
+    return name;
+  }
+  public void setName(String name) {
+    this.name = name;
+  }
+
+  public String getType() {
+    // not supported
+    return null;
+  }
+
+  public void setType(String string) {
+   // not supported
+  }
+
+}

modules/flowable-ui-modeler/flowable-ui-modeler-logic/src/main/java/org/activiti/app/model/common/BaseRestActionRepresentation.java → modules/flowable-ui-common/src/main/java/org/activiti/app/model/common/RemoteToken.java

@@ -12,25 +12,29 @@
  */
 package org.activiti.app.model.common;
 
-
-/**
- * @author Frederik Heremans
- */
-public class BaseRestActionRepresentation {
-
-    protected String action;
-    protected String comment;
-    
-    public String getAction() {
-        return action;
-    }
-    public void setAction(String action) {
-        this.action = action;
-    }
-    public String getComment() {
-        return comment;
-    }
-    public void setComment(String comment) {
-        this.comment = comment;
-    }
+public class RemoteToken {
+  
+  protected String id;
+  protected String value;
+  protected String userId;
+  
+  public String getId() {
+    return id;
+  }
+  public void setId(String id) {
+    this.id = id;
+  }
+  public String getValue() {
+    return value;
+  }
+  public void setValue(String value) {
+    this.value = value;
+  }
+  public String getUserId() {
+    return userId;
+  }
+  public void setUserId(String userId) {
+    this.userId = userId;
+  }
+  
 }

modules/flowable-ui-modeler/flowable-ui-modeler-rest/src/main/java/org/activiti/app/rest/idm/UserRepresentation.java → modules/flowable-ui-common/src/main/java/org/activiti/app/model/common/RemoteUser.java

@@ -10,33 +10,22 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.activiti.app.rest.idm;
+package org.activiti.app.model.common;
+
+import java.util.ArrayList;
+import java.util.List;
 
-import org.activiti.app.model.common.AbstractRepresentation;
 import org.activiti.idm.api.User;
 
-/**
- * @author Joram Barrez
- */
-public class UserRepresentation extends AbstractRepresentation {
+public class RemoteUser implements User {
   
   protected String id;
   protected String firstName;
   protected String lastName;
   protected String email;
   protected String fullName;
-  
-  public UserRepresentation() {
-    
-  }
-  
-  public UserRepresentation(User user) {
-    setId(user.getId());
-    setFirstName(user.getFirstName());
-    setLastName(user.getLastName());
-    setFullName( (user.getFirstName() != null ? user.getFirstName() : "") + " " + (user.getLastName() != null ? user.getLastName() : ""));
-    setEmail(user.getEmail());
-  }
+  protected List<RemoteGroup> groups = new ArrayList<RemoteGroup>();
+  protected List<String> privileges = new ArrayList<String>();
   
   public String getId() {
     return id;
@@ -68,5 +57,29 @@ public class UserRepresentation extends AbstractRepresentation {
   public void setFullName(String fullName) {
     this.fullName = fullName;
   }
+  public List<RemoteGroup> getGroups() {
+    return groups;
+  }
+  public void setGroups(List<RemoteGroup> groups) {
+    this.groups = groups;
+  }
+  public List<String> getPrivileges() {
+    return privileges;
+  }
+  public void setPrivileges(List<String> privileges) {
+    this.privileges = privileges;
+  }
+  
+  public String getPassword() {
+    // Not supported
+    return null;
+  }
+  public void setPassword(String string) {
+   // Not supported
+  }
+  public boolean isPictureSet() {
+   // Not supported
+    return false;
+  }
   
 }

modules/flowable-ui-idm/flowable-ui-idm-logic/src/main/java/org/activiti/app/model/idm/UserRepresentation.java → modules/flowable-ui-common/src/main/java/org/activiti/app/model/common/UserRepresentation.java

@@ -10,7 +10,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.activiti.app.model.idm;
+package org.activiti.app.model.common;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -29,6 +29,7 @@ public class UserRepresentation extends AbstractRepresentation {
   protected String email;
   protected String fullName;
   protected List<GroupRepresentation> groups = new ArrayList<GroupRepresentation>();
+  protected List<String> privileges = new ArrayList<String>();
   
   public UserRepresentation() {
     
@@ -78,5 +79,11 @@ public class UserRepresentation extends AbstractRepresentation {
   public void setGroups(List<GroupRepresentation> groups) {
     this.groups = groups;
   }
+  public List<String> getPrivileges() {
+    return privileges;
+  }
+  public void setPrivileges(List<String> privileges) {
+    this.privileges = privileges;
+  }
   
 }

modules/flowable-ui-modeler/flowable-ui-modeler-logic/src/main/java/org/activiti/app/repository/editor/UuidIdGenerator.java → modules/flowable-ui-common/src/main/java/org/activiti/app/repository/UuidIdGenerator.java

-package org.activiti.app.repository.editor;
+package org.activiti.app.repository;
 
 import org.springframework.stereotype.Component;
 import org.springframework.util.IdGenerator;

modules/flowable-ui-common/src/main/java/org/activiti/app/rest/idm/remote/RemoteAccountResource.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.activiti.app.rest.idm.remote;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.activiti.app.model.common.GroupRepresentation;
+import org.activiti.app.model.common.RemoteGroup;
+import org.activiti.app.model.common.RemoteUser;
+import org.activiti.app.model.common.UserRepresentation;
+import org.activiti.app.security.SecurityUtils;
+import org.activiti.app.service.exception.NotFoundException;
+import org.activiti.app.service.idm.RemoteIdmService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class RemoteAccountResource {
+	
+	@Autowired
+	private RemoteIdmService remoteIdmService;
+
+  /**
+   * GET  /rest/account -> get the current user.
+   */
+  @RequestMapping(value = "/rest/account", method = RequestMethod.GET, produces = "application/json")
+  public UserRepresentation getAccount() {
+    UserRepresentation userRepresentation = null;
+    String currentUserId = SecurityUtils.getCurrentUserId();
+    if (currentUserId != null) {
+      RemoteUser remoteUser = remoteIdmService.getUser(currentUserId);
+      if (remoteUser != null) {
+        userRepresentation = new UserRepresentation(remoteUser);
+        
+        if (remoteUser.getGroups() != null && remoteUser.getGroups().size() > 0) {
+          List<GroupRepresentation> groups = new ArrayList<GroupRepresentation>();
+          for (RemoteGroup remoteGroup : remoteUser.getGroups()) {
+            groups.add(new GroupRepresentation(remoteGroup));
+          }
+          userRepresentation.setGroups(groups);
+        }
+        
+        if (remoteUser.getPrivileges() != null && remoteUser.getPrivileges().size() > 0) {
+          userRepresentation.setPrivileges(remoteUser.getPrivileges());
+        }
+        
+      }
+    }
+    
+    if (userRepresentation != null) {
+      return userRepresentation;
+    } else {
+      throw new NotFoundException();
+    }
+  }
+  
+}

modules/flowable-ui-idm/flowable-ui-idm-logic/src/main/java/org/activiti/app/security/ActivitiAppUser.java → modules/flowable-ui-common/src/main/java/org/activiti/app/security/ActivitiAppUser.java

@@ -35,7 +35,7 @@ public class ActivitiAppUser extends User {
      * The userId needs to be passed explicitly. It can be the email, but also the external id when eg LDAP is being used. 
      */
     public ActivitiAppUser(org.activiti.idm.api.User user, String userId, Collection<? extends GrantedAuthority> authorities) {
-        super(userId, user.getPassword() != null ? user.getPassword() : "", authorities); // Passwords needs to be non-null. Even if it's not there (eg LDAP auth)
+        super(userId, user.getPassword() != null ? user.getPassword() : "", authorities); // password needs to be non null
         this.userObject = user;
     }
     

modules/flowable-ui-common/src/main/java/org/activiti/app/security/ClearFlowableCookieLogoutHandler.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.activiti.app.security;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
+
+public class ClearFlowableCookieLogoutHandler implements LogoutHandler {
+
+  public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
+    Cookie cookie = new Cookie(CookieConstants.COOKIE_NAME, null);
+    cookie.setPath("/");
+    cookie.setMaxAge(0);
+    response.addCookie(cookie);
+  }
+
+}

modules/flowable-ui-modeler/flowable-ui-modeler-logic/src/main/java/org/activiti/app/model/common/AbstractRepresentation.java → modules/flowable-ui-common/src/main/java/org/activiti/app/security/CookieConstants.java

 /* Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- *
+ * 
  *      http://www.apache.org/licenses/LICENSE-2.0
- *
+ * 
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.activiti.app.model.common;
+package org.activiti.app.security;
 
+public interface CookieConstants {
+  
+  String COOKIE_NAME = "FLOWABLE_REMEMBER_ME";
 
-/**
- * @author Tijs Rademakers
- */
-public class AbstractRepresentation {
-	
-	
 }

modules/flowable-ui-common/src/main/java/org/activiti/app/security/DefaultPrivileges.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.activiti.app.security;
+
+/**
+ * @author Joram Barrez
+ */
+public interface DefaultPrivileges {
+  
+  String ACCESS_IDM = "access-idm";
+  
+  String ACCESS_MODELER = "access-modeler";
+  
+  String ACCESS_ADMIN = "access-admin";
+
+}

modules/flowable-ui-common/src/main/java/org/activiti/app/service/idm/RemoteIdmService.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.activiti.app.service.idm;
+
+import org.activiti.app.model.common.RemoteToken;
+import org.activiti.app.model.common.RemoteUser;
+
+public interface RemoteIdmService {
+  
+  RemoteToken getToken(String tokenValue);
+  
+  RemoteUser getUser(String userId);
+
+}

modules/flowable-ui-common/src/main/java/org/activiti/app/service/idm/RemoteIdmServiceImpl.java

+/* Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.activiti.app.service.idm;
+
+import java.io.IOException;
+import java.net.URLEncoder;
+import java.nio.charset.Charset;
+
+import javax.annotation.PostConstruct;
+
+import org.activiti.app.model.common.RemoteGroup;
+import org.activiti.app.model.common.RemoteToken;
+import org.activiti.app.model.common.RemoteUser;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.http.HttpHeaders;
+import org.apache.http.HttpResponse;
+import org.apache.http.HttpStatus;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.core.env.Environment;
+import org.springframework.stereotype.Service;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ArrayNode;
+
+@Service
+public class RemoteIdmServiceImpl implements RemoteIdmService {
+  
+  private static final Logger logger = LoggerFactory.getLogger(RemoteIdmService.class);
+
+  private static final String PROPERTY_URL = "idm.app.url";
+  private static final String PROPERTY_ADMIN_USER = "idm.admin.user";
+  private static final String PROPERTY_ADMIN_PASSWORD = "idm.admin.password";
+
+  @Autowired
+  protected Environment environment;
+  
+  @Autowired
+  protected ObjectMapper objectMapper;
+
+  protected String url;
+  protected String adminUser;
+  protected String adminPassword;
+
+  @PostConstruct
+  protected void init() {
+    url = environment.getProperty(PROPERTY_URL);
+    adminUser = environment.getProperty(PROPERTY_ADMIN_USER);
+    adminPassword = environment.getProperty(PROPERTY_ADMIN_PASSWORD);
+  }
+  
+  public RemoteToken getToken(String tokenValue) {
+    JsonNode json = callRemoteIdmService(url + "/api/idm/tokens/" + encode(tokenValue));
+    if (json != null) {
+      RemoteToken token = new RemoteToken();
+      token.setId(json.get("id").asText());
+      token.setValue(json.get("value").asText());
+      token.setUserId(json.get("userId").asText());
+      return token;
+    }
+    return null;
+  }
+
+  @Override
+  public RemoteUser getUser(String userId) {
+    JsonNode json = callRemoteIdmService(url + "/api/idm/users/" + encode(userId));
+    if (json != null) {
+      RemoteUser user = new RemoteUser();
+      user.setId(json.get("id").asText());
+      user.setFirstName(json.get("firstName").asText());
+      user.setLastName(json.get("lastName").asText());
+      user.setEmail(json.get("email").asText());
+      user.setFullName(json.get("fullName").asText());
+      
+      if (json.has("groups")) {
+        for (JsonNode groupNode : ((ArrayNode) json.get("groups"))) {
+          user.getGroups().add(new RemoteGroup(groupNode.get("id").asText(), groupNode.get("name").asText()));
+        }
+      }
+      
+      if (json.has("privileges")) {
+        for (JsonNode privilegeNode : ((ArrayNode) json.get("privileges"))) {
+          user.getPrivileges().add(privilegeNode.asText());
+        }
+      }
+      
+      return user;
+    }
+    return null;
+  }
+  
+  protected JsonNode callRemoteIdmService(String url) {
+    HttpGet httpGet = new HttpGet(url);
+    httpGet.setHeader(HttpHeaders.AUTHORIZATION, "Basic " + new String(
+        Base64.encodeBase64((adminUser + ":" + adminPassword).getBytes(Charset.forName("UTF-8")))));
+     
+    CloseableHttpClient client = HttpClientBuilder.create().build();
+    try {
+      HttpResponse response = client.execute(httpGet);
+      if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {
+        return objectMapper.readTree(response.getEntity().getContent());
+      }
+    } catch (Exception e) {
+      logger.warn("Exception while getting token", e);
+    } finally {
+      if (client != null) {
+        try {
+          client.close();
+        } catch (IOException e) {
+          logger.warn("Exception while closing http client", e);
+        }
+      }
+    }
+    return null;
+  }
+  
+  protected String encode(String s) {
+    try {
+      return URLEncoder.encode(s, "UTF-8");
+    } catch (Exception e) {
+      logger.warn("Could not encode url param", e);
+      return null;
+    }
+  }
+
+}