Merge branch 'develop' into stable

README.md

@@ -20,6 +20,13 @@ The installation is simple.  Just include the JAR in the classpath of your Activ
 
 Notice the use of `PostResources` instead of `PreResources`.  This library needs to be loaded after the web application.  This is the best way to load any other extensions or customization to the Activiti App, including `JavaDelegate` implementations.
 
+## Support Matrix
+
+| Keycloak Activiti App Extension | Activiti App    |
+| ------------------------------- | --------------- |
+| v1.0 - v1.2                     | v1.11.x         |
+| v1.3+                           | v1.11.x - v2.3+ |
+
 ## Configuration
 
 The library is highly configurable.  You configure it with properties specified in the `activiti-app.properties` file, which exists somewhere in the root of the classpath.  That is typically in the `lib` folder.  The properties to configure are enumerated in the table below.
@@ -41,10 +48,10 @@ The library is highly configurable.  You configure it with properties specified
 
 ### For Activiti App Only
 
-| Property                                  | Default        | Description |
+| Property                                       | Default | Description |
-| ----------------------------------------- | -------------- | ----------- |
+| ---------------------------------------------- | ------- | ----------- |
-| `keycloak-ext.syncGroupAs`                | `organization` | When creating a new group, should it be a functional (`organization`) group or a system (`capability`) group? |
+| `keycloak-ext.group.capability.regex.patterns` |         | When creating a new group, sync as an APS Organization, except when the specified pattern matches the role.  In those cases, sync as an APS Capability. |
-| `keycloak-ext.external.id`                | `ais`            | When creating a new group or registering an internal group as external, use this ID as a prefix to the external group ID. |
+| `keycloak-ext.external.id`                     | `ais`   | When creating a new group or registering an internal group as external, use this ID as a prefix to the external group ID. |
 
 ### Rare
 

pom.xml

@@ -4,7 +4,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.inteligr8.activiti</groupId>
 	<artifactId>keycloak-activiti-app-ext</artifactId>
-	<version>1.1.3</version>
+	<version>1.3.0</version>
 	<name>Keycloak Authentication &amp; Authorization for APS</name>
 
 	<properties>
@@ -12,9 +12,9 @@
 		<maven.compiler.target>11</maven.compiler.target>
 		<maven.compiler.release>11</maven.compiler.release>
 
-		<aps.version>1.11.1.1</aps.version>
+		<aps.version>2.0.1</aps.version>
-		<keycloak.version>6.0.1</keycloak.version>
+		<keycloak.version>10.0.2</keycloak.version>
-		<spring-security-oauth2.version>2.0.17.RELEASE</spring-security-oauth2.version>
+		<spring-security-oauth2.version>2.5.2.RELEASE</spring-security-oauth2.version>
 		<slf4j.version>1.7.26</slf4j.version>
 	</properties>
 
@@ -37,6 +37,7 @@
 			<version>${keycloak.version}</version>
 			<scope>provided</scope>
 		</dependency>
+		<!-- Needed for Activiti App Identity Service inheritance/override -->
 		<dependency>
 			<groupId>com.activiti</groupId>
 			<artifactId>activiti-app</artifactId>
@@ -44,6 +45,7 @@
 			<classifier>classes</classifier>
 			<scope>provided</scope>
 		</dependency>
+		<!-- Needed for the Activiti App Public API -->
 		<dependency>
 			<groupId>com.activiti</groupId>
 			<artifactId>activiti-app-logic</artifactId>
@@ -52,42 +54,21 @@
 		</dependency>
 	</dependencies>
 
-	<build>
-		<plugins>
-			<plugin>
-				<groupId>io.repaint.maven</groupId>
-				<artifactId>tiles-maven-plugin</artifactId>
-				<version>2.21</version>
-				<extensions>true</extensions>
-				<configuration>
-					<filtering>true</filtering>
-					<tiles>
-						<tile>com.inteligr8:maven-public-deploy-tile:[1.0.0,2.0.0)</tile>
-					</tiles>
-				</configuration>
-			</plugin>
-		</plugins>
-	</build>
-
 	<repositories>
 		<repository>
-			<id>alfresco-public</id>
+			<id>alfresco-private</id>
-			<url>https://artifacts.alfresco.com/nexus/content/repositories/public</url>
+			<url>https://artifacts.alfresco.com/nexus/content/groups/private</url>
 		</repository>
 		<repository>
 			<id>activiti-releases</id>
 			<url>https://artifacts.alfresco.com/nexus/content/repositories/activiti-enterprise-releases</url>
 		</repository>
-		<repository>
-			<id>inteligr8-releases</id>
-			<url>https://repos.inteligr8.com/nexus/repository/inteligr8-private</url>
-		</repository>
 	</repositories>
 	
 	<distributionManagement>
 		<repository>
 			<id>inteligr8-releases</id>
-			<url>https://repos.inteligr8.com/nexus/repository/inteligr8-private</url>
+			<url>https://repos.inteligr8.com/nexus/repository/inteligr8-public</url>
 		</repository>
 		<snapshotRepository>
 			<id>inteligr8-snapshots</id>
@@ -95,4 +76,4 @@
 		</snapshotRepository>
 	</distributionManagement>
 	
-</project>
+</project>

src/main/java/com/inteligr8/activiti/ActivitiAppAdminGroupFixer.java

@@ -0,0 +1,128 @@
+package com.inteligr8.activiti;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import com.activiti.domain.idm.Group;
+import com.activiti.domain.idm.GroupCapability;
+import com.activiti.domain.idm.Tenant;
+import com.activiti.service.api.GroupService;
+
+/**
+ * This class/bean overrides the APS security configuration with a collection
+ * of implementations.  The OOTB extension only provides one override.  This
+ * uses that extension point, but delegates it out to multiple possible
+ * implementations.
+ * 
+ * Order cannot be controlled, so it should not be assumed in any adapter
+ * implementation.
+ * 
+ * @author brian@inteligr8.com
+ */
+@Component
+public class ActivitiAppAdminGroupFixer implements DataFixer {
+	
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
+    
+    private final List<String> adminCapabilities = Arrays.asList(
+    		"access-all-models-in-tenant",
+    		"access-editor",
+    		"access-reports",
+    		"publish-app-to-dashboard",
+    		"tenant-admin",
+    		"tenant-admin-api",
+    		"upload-license");
+    
+    @Autowired(required = false)
+    private GroupService groupService;
+    
+    @Autowired
+    private TenantFinderService tenantFinderService;
+    
+    @Value("${keycloak-ext.group.admins.name:admins}")
+    private String adminGroupName;
+    
+    @Value("${keycloak-ext.group.admins.externalId:#{null}}")
+    private String adminGroupExternalId;
+    
+    @Value("${keycloak-ext.group.admins.validate:false}")
+    private boolean validateAdministratorsGroup;
+    
+    @Override
+	public void fix() {
+		this.logger.trace("fix()");
+		
+		if (this.logger.isTraceEnabled())
+			this.logGroups();
+		if (this.validateAdministratorsGroup)
+			this.validateAdmins();
+	}
+	
+	private void logGroups() {
+		if (this.groupService == null)
+			return;
+		
+		Collection<Tenant> tenants = this.tenantFinderService.getTenants();
+		for (Tenant tenant : tenants) {
+			this.logger.trace("Tenant: {} => {}", tenant.getId(), tenant.getName());
+			this.logger.trace("Functional groups: {}", this.toGroupNames(this.groupService.getFunctionalGroups(tenant.getId())));
+			this.logger.trace("System groups: {}", this.toGroupNames(this.groupService.getSystemGroups(tenant.getId())));
+		}
+		
+		this.logger.trace("Tenant: null");
+		this.logger.trace("Functional groups: {}", this.toGroupNames(this.groupService.getFunctionalGroups(null)));
+		this.logger.trace("System groups: {}", this.toGroupNames(this.groupService.getSystemGroups(null)));
+	}
+	
+	private void validateAdmins() {
+		if (this.groupService == null)
+			return;
+		
+    	Long tenantId = this.tenantFinderService.findTenantId();
+		Group group = this.groupService.getGroupByExternalIdAndTenantId(this.adminGroupExternalId, tenantId);
+		if (group == null) {
+			List<Group> groups = this.groupService.getGroupByNameAndTenantId(this.adminGroupName, tenantId);
+			if (!groups.isEmpty())
+				group = groups.iterator().next();
+		}
+
+		if (group == null) {
+			this.logger.info("Creating group: {} ({})", this.adminGroupName, this.adminGroupExternalId);
+			if (this.adminGroupExternalId != null) {
+				group = this.groupService.createGroupFromExternalStore(
+						this.adminGroupExternalId, tenantId, Group.TYPE_SYSTEM_GROUP, null, this.adminGroupName, new Date());
+			} else {
+				group = this.groupService.createGroup(this.adminGroupName, tenantId, Group.TYPE_SYSTEM_GROUP, null);
+			}
+		}
+
+		this.logger.debug("Checking group capabilities: {}", group.getName());
+		Group groupWithCaps = this.groupService.getGroup(group.getId(), false, true, false, false);
+		Set<String> adminCaps = new HashSet<>(this.adminCapabilities);
+		for (GroupCapability cap : groupWithCaps.getCapabilities())
+			adminCaps.remove(cap.getName());
+		if (!adminCaps.isEmpty()) {
+			this.logger.info("Granting group '{}' capabilities: {}", group.getName(), adminCaps);
+			this.groupService.addCapabilitiesToGroup(group.getId(), new ArrayList<>(adminCaps));
+		}
+	}
+	
+	private Collection<String> toGroupNames(Collection<Group> groups) {
+		List<String> groupNames = new ArrayList<>(groups.size());
+		for (Group group : groups)
+			groupNames.add(group.getName() + " [" + group.getExternalId() + "]");
+		return groupNames;
+	}
+
+}

src/main/java/com/inteligr8/activiti/ActivitiAppAdminMembersFixer.java

@@ -0,0 +1,95 @@
+package com.inteligr8.activiti;
+
+import java.util.Arrays;
+import java.util.List;
+
+import javax.persistence.NonUniqueResultException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import com.activiti.domain.idm.Group;
+import com.activiti.domain.idm.User;
+import com.activiti.service.api.GroupService;
+import com.activiti.service.api.UserService;
+
+/**
+ * This class/bean overrides the APS security configuration with a collection
+ * of implementations.  The OOTB extension only provides one override.  This
+ * uses that extension point, but delegates it out to multiple possible
+ * implementations.
+ * 
+ * Order cannot be controlled, so it should not be assumed in any adapter
+ * implementation.
+ * 
+ * @author brian@inteligr8.com
+ */
+@Component
+public class ActivitiAppAdminMembersFixer implements DataFixer {
+	
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
+    
+    @Autowired(required = false)
+    private UserService userService;
+    
+    @Autowired(required = false)
+    private GroupService groupService;
+    
+    @Autowired
+    private TenantFinderService tenantFinderService;
+    
+    @Value("${keycloak-ext.default.admins.users:#{null}}")
+    private String adminUserStrs;
+    
+    @Value("${keycloak-ext.group.admins.name:admins}")
+    private String adminGroupName;
+    
+    @Value("${keycloak-ext.group.admins.externalId:#{null}}")
+    private String adminGroupExternalId;
+    
+    @Override
+	public void fix() {
+		this.logger.trace("fix()");
+		
+    	if (this.adminUserStrs != null && this.adminUserStrs.length() > 0)
+    		this.associateAdmins();
+	}
+	
+	private void associateAdmins() {
+		if (this.userService == null || this.groupService == null)
+			return;
+		
+		List<String> adminUsers = Arrays.asList(this.adminUserStrs.split(","));
+		if (adminUsers.isEmpty())
+			return;
+
+    	Long tenantId = this.tenantFinderService.findTenantId();
+    	List<Group> groups = null;
+    	try {
+			Group group1 = this.groupService.getGroupByExternalIdAndTenantId(this.adminGroupExternalId, tenantId);
+			if (group1 != null)
+				groups = Arrays.asList(group1);
+    	} catch (NonUniqueResultException nure) {
+    		// suppress
+    	}
+		if (groups == null)
+			groups = this.groupService.getGroupByNameAndTenantId(this.adminGroupName, tenantId);
+		
+		this.logger.debug("Found {} admin group(s)", groups.size());
+		
+		for (String email : adminUsers) {
+    		User user = this.userService.findUserByEmailAndTenantId(email, tenantId);
+    		if (user == null) {
+    			this.logger.info("The user with email '{}' does not exist, so they cannot be added as an administrator", email);
+    		} else {
+	    		this.logger.debug("Adding {} to admin group(s)", user.getEmail());
+	    		for (Group group : groups)
+	    			this.groupService.addUserToGroup(group, user);
+    		}
+		}
+	}
+
+}

src/main/java/com/inteligr8/activiti/ActivitiAppAdminPasswordFixer.java

@@ -0,0 +1,45 @@
+package com.inteligr8.activiti;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import com.activiti.domain.idm.User;
+import com.activiti.service.api.UserService;
+
+/**
+ * @author brian@inteligr8.com
+ */
+@Component
+public class ActivitiAppAdminPasswordFixer implements DataFixer {
+	
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
+    
+    @Autowired(required = false)
+    private UserService userService;
+    
+    @Autowired
+    private TenantFinderService tenantFinderService;
+
+    @Value("${keycloak-ext.reset.admin.username:admin@app.activiti.com}")
+    private String adminUsername;
+    
+    @Value("${keycloak-ext.reset.admin.password:#{null}}")
+    private String adminPassword;
+    
+    @Override
+	public void fix() {
+		this.logger.trace("fix()");
+		
+		if (this.adminPassword != null) {
+			this.logger.info("Resetting the password for admin user '{}'", this.adminUsername);
+			
+			Long tenantId = this.tenantFinderService.findTenantId();
+			User adminUser = this.userService.findUserByEmailAndTenantId(this.adminUsername, tenantId);
+			this.userService.changePassword(adminUser.getId(), this.adminPassword);
+		}
+	}
+
+}

src/main/java/com/inteligr8/activiti/DataFixer.java

@@ -0,0 +1,7 @@
+package com.inteligr8.activiti;
+
+public interface DataFixer {
+	
+	void fix();
+
+}

src/main/java/com/inteligr8/activiti/Inteligr8SecurityConfigurationRegistry.java

@@ -1,31 +1,16 @@
 package com.inteligr8.activiti;
 
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
 import java.util.Collections;
-import java.util.Date;
-import java.util.HashSet;
 import java.util.List;
-import java.util.Set;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.stereotype.Component;
 
 import com.activiti.api.security.AlfrescoSecurityConfigOverride;
-import com.activiti.domain.idm.Group;
-import com.activiti.domain.idm.GroupCapability;
-import com.activiti.domain.idm.Tenant;
-import com.activiti.domain.idm.User;
-import com.activiti.service.api.GroupService;
-import com.activiti.service.api.UserService;
-import com.activiti.service.idm.TenantService;
-import com.activiti.service.license.LicenseService;
 
 /**
  * This class/bean overrides the APS security configuration with a collection
@@ -43,41 +28,11 @@ public class Inteligr8SecurityConfigurationRegistry implements AlfrescoSecurityC
 	
     private final Logger logger = LoggerFactory.getLogger(this.getClass());
     
-    private final List<String> adminCapabilities = Arrays.asList(
-    		"access-all-models-in-tenant",
-    		"access-editor",
-    		"access-reports",
-    		"publish-app-to-dashboard",
-    		"tenant-admin",
-    		"tenant-admin-api",
-    		"upload-license");
-    
     @Autowired
     private List<ActivitiSecurityConfigAdapter> adapters;
     
     @Autowired(required = false)
-    private LicenseService licenseService;
+    private List<DataFixer> fixers;
-    
-    @Autowired(required = false)
-    private TenantService tenantService;
-    
-    @Autowired(required = false)
-    private UserService userService;
-    
-    @Autowired(required = false)
-    private GroupService groupService;
-    
-    @Value("${keycloak-ext.default.admins.users:#{null}}")
-    private String adminUserStrs;
-    
-    @Value("${keycloak-ext.group.admins.name:admins}")
-    private String adminGroupName;
-    
-    @Value("${keycloak-ext.group.admins.externalId:#{null}}")
-    private String adminGroupExternalId;
-    
-    @Value("${keycloak-ext.group.admins.validate:false}")
-    private boolean validateAdministratorsGroup;
 	
 	@Override
 	public void configureGlobal(AuthenticationManagerBuilder authmanBuilder, UserDetailsService userDetailsService) {
@@ -85,12 +40,10 @@ public class Inteligr8SecurityConfigurationRegistry implements AlfrescoSecurityC
 		
 		Collections.sort(this.adapters);
 		
-		if (this.logger.isTraceEnabled())
+		if (this.fixers != null) {
-			this.logGroups();
+			for (DataFixer fixer : this.fixers)
-		if (this.validateAdministratorsGroup)
+				fixer.fix();
-			this.validateAdmins();
+		}
-    	if (this.adminUserStrs != null && this.adminUserStrs.length() > 0)
-    		this.associateAdmins();
 		
 		for (ActivitiSecurityConfigAdapter adapter : this.adapters) {
 			if (adapter.isEnabled()) {
@@ -102,91 +55,5 @@ public class Inteligr8SecurityConfigurationRegistry implements AlfrescoSecurityC
 			}
 		}
 	}
-	
-	private void logGroups() {
-		if (this.groupService == null)
-			return;
-		
-		Long tenantId = this.findDefaultTenantId();
-		if (tenantId != null) {
-			// not first boot
-			this.logger.trace("Functional groups: {}", this.toGroupNames(this.groupService.getFunctionalGroups(tenantId)));
-			this.logger.trace("System groups: {}", this.toGroupNames(this.groupService.getSystemGroups(tenantId)));
-		}
-	}
-	
-	private void validateAdmins() {
-		if (this.groupService == null)
-			return;
-		
-    	Long tenantId = this.findDefaultTenantId();
-		Group group = this.groupService.getGroupByExternalIdAndTenantId(this.adminGroupExternalId, tenantId);
-		if (group == null) {
-			List<Group> groups = this.groupService.getGroupByNameAndTenantId(this.adminGroupName, tenantId);
-			if (!groups.isEmpty())
-				group = groups.iterator().next();
-		}
-
-		if (group == null) {
-			this.logger.info("Creating group: {} ({})", this.adminGroupName, this.adminGroupExternalId);
-			if (this.adminGroupExternalId != null) {
-				group = this.groupService.createGroupFromExternalStore(
-						this.adminGroupExternalId, tenantId, Group.TYPE_SYSTEM_GROUP, null, this.adminGroupName, new Date());
-			} else {
-				group = this.groupService.createGroup(this.adminGroupName, tenantId, Group.TYPE_SYSTEM_GROUP, null);
-			}
-		}
-
-		this.logger.debug("Checking group capabilities: {}", group.getName());
-		Group groupWithCaps = this.groupService.getGroup(group.getId(), false, true, false, false);
-		Set<String> adminCaps = new HashSet<>(this.adminCapabilities);
-		for (GroupCapability cap : groupWithCaps.getCapabilities())
-			adminCaps.remove(cap.getName());
-		if (!adminCaps.isEmpty()) {
-			this.logger.info("Granting group '{}' capabilities: {}", group.getName(), adminCaps);
-			this.groupService.addCapabilitiesToGroup(group.getId(), new ArrayList<>(adminCaps));
-		}
-	}
-	
-	private void associateAdmins() {
-		if (this.userService == null || this.groupService == null)
-			return;
-		
-		List<String> adminUsers = Arrays.asList(this.adminUserStrs.split(","));
-		if (adminUsers.isEmpty())
-			return;
-		
-    	Long tenantId = this.findDefaultTenantId();
-		List<Group> groups = this.groupService.getSystemGroupWithName("Administrators", tenantId);
-		
-		for (String email : adminUsers) {
-    		User user = this.userService.findUserByEmail(email);
-
-    		this.logger.debug("Adding {} to {}", user.getEmail(), "Administrators");
-    		for (Group group : groups)
-    			this.groupService.addUserToGroup(group, user);
-		}
-	}
-    
-    private Long findDefaultTenantId() {
-    	String defaultTenantName = this.licenseService.getDefaultTenantName();
-		this.logger.trace("Default Tenant: {}", defaultTenantName);
-		
-    	List<Tenant> tenants = this.tenantService.findTenantsByName(defaultTenantName);
-    	if (tenants == null || tenants.isEmpty()) {
-    		this.logger.warn("Default tenant not found");
-    		return null;
-    	}
-    	
-    	Tenant tenant = tenants.iterator().next();
-    	return tenant.getId();
-    }
-	
-	private Collection<String> toGroupNames(Collection<Group> groups) {
-		List<String> groupNames = new ArrayList<>(groups.size());
-		for (Group group : groups)
-			groupNames.add(group.getName() + " [" + group.getExternalId() + "]");
-		return groupNames;
-	}
 
 }

src/main/java/com/inteligr8/activiti/TenantFinderService.java

@@ -0,0 +1,82 @@
+package com.inteligr8.activiti;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import com.activiti.domain.idm.Tenant;
+import com.activiti.service.idm.TenantService;
+import com.activiti.service.license.LicenseService;
+
+@Component
+public class TenantFinderService {
+	
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
+    
+    @Autowired(required = false)
+    private LicenseService licenseService;
+    
+    @Autowired(required = false)
+    private TenantService tenantService;
+    
+    @Value("${keycloak-ext.tenant:#{null}}")
+    private String tenant;
+    
+    public Long findTenantId() {
+    	Tenant tenant = this.findTenant();
+    	return tenant == null ? null : tenant.getId();
+    }
+    
+    public Tenant findTenant() {
+		this.logger.debug("Checking for a single tenant ...");
+		
+    	String tenantName = null;
+    	if (this.tenant != null) {
+    		tenantName = this.tenant;
+    	} else {
+    		List<Object[]> tenants = this.tenantService.getAllTenants();
+    		if (tenants == null || tenants.isEmpty()) {
+    			this.logger.warn("No tenants found!");
+    			return null;
+    		} else if (tenants.size() == 1) {
+    			Object[] tenant = tenants.iterator().next();
+    			this.logger.debug("Only one tenant available; selecting it: {}", tenant[0]);
+    			return this.tenantService.getTenant((Long)tenant[0]);
+    		} else {
+    			tenantName = this.licenseService.getDefaultTenantName();
+    		}
+    	}
+    	
+		this.logger.debug("Trying to find by tenant name: {}", tenantName);
+		
+    	List<Tenant> tenants = this.tenantService.findTenantsByName(tenantName);
+    	if (tenants == null || tenants.isEmpty()) {
+    		this.logger.warn("Named tenant not found");
+    		return null;
+    	}
+
+		this.logger.debug("Found {} tenants with name {}; selecting the first one", tenants.size(), tenantName);
+    	return tenants.iterator().next();
+    }
+    
+    public Collection<Tenant> getTenants() {
+		List<Object[]> tenantObjs = this.tenantService.getAllTenants();
+		
+		List<Tenant> tenants = new ArrayList<>(tenantObjs.size());
+		for (Object[] tenantObj : tenantObjs) {
+			if (tenantObj != null && tenantObj[0] != null) {
+				Tenant tenant = this.tenantService.getTenant((Long)tenantObj[0]);
+				tenants.add(tenant);
+			}
+		}
+		
+		return tenants;
+    }
+
+}

src/main/java/com/inteligr8/activiti/keycloak/AbstractKeycloakActivitiAuthenticator.java

@@ -12,6 +12,8 @@ import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import javax.annotation.OverridingMethodsMustInvokeSuper;
+
 import org.apache.commons.lang3.StringUtils;
 import org.keycloak.KeycloakPrincipal;
 import org.keycloak.KeycloakSecurityContext;
@@ -71,6 +73,7 @@ public abstract class AbstractKeycloakActivitiAuthenticator implements Authentic
     protected final Set<Pattern> groupExcludes = new HashSet<>();
     
     @Override
+    @OverridingMethodsMustInvokeSuper
     public void afterPropertiesSet() {
     	if (this.regexPatterns != null) {
     		String[] regexPatternStrs = StringUtils.split(this.regexPatterns, ',');

src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiAppAuthenticator.java

@@ -1,12 +1,15 @@
 package com.inteligr8.activiti.keycloak;
 
 import java.util.Date;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.Map.Entry;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import javax.annotation.OverridingMethodsMustInvokeSuper;
 import javax.persistence.NonUniqueResultException;
 
 import org.apache.commons.lang3.StringUtils;
@@ -21,12 +24,10 @@ import org.springframework.security.core.AuthenticationException;
 import org.springframework.stereotype.Component;
 
 import com.activiti.domain.idm.Group;
-import com.activiti.domain.idm.Tenant;
 import com.activiti.domain.idm.User;
 import com.activiti.service.api.GroupService;
 import com.activiti.service.api.UserService;
-import com.activiti.service.idm.TenantService;
+import com.inteligr8.activiti.TenantFinderService;
-import com.activiti.service.license.LicenseService;
 
 /**
  * This class/bean implements an Open ID Connect authenticator for Alfresco
@@ -48,12 +49,6 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
     private final Logger logger = LoggerFactory.getLogger(this.getClass());
     
     private final Pattern emailNamesPattern = Pattern.compile("([A-Za-z]+)[A-Za-z0-9]*\\.([A-Za-z]+)[A-Za-z0-9]*@.*");
-
-    @Autowired
-    private LicenseService licenseService;
-    
-    @Autowired
-    private TenantService tenantService;
     
     @Autowired
     private UserService userService;
@@ -61,19 +56,28 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
     @Autowired
     private GroupService groupService;
     
+    @Autowired
+    private TenantFinderService tenantFinderService;
+    
     @Value("${keycloak-ext.external.id:ais}")
     protected String externalIdmSource;
 
-    @Value("${keycloak-ext.syncGroupAs:organization}")
+    @Value("${keycloak-ext.group.capability.regex.patterns:#{null}}")
-    protected String syncGroupAs;
+    protected String regexCapIncludes;
+
+    protected final Set<Pattern> capIncludes = new HashSet<>();
     
-    protected boolean syncGroupAsOrganization() {
+    @Override
-    	return !this.syncGroupAsCapability();
+    @OverridingMethodsMustInvokeSuper
-    }
+	public void afterPropertiesSet() {
-    
+		super.afterPropertiesSet();
-    protected boolean syncGroupAsCapability() {
+		
-    	return this.syncGroupAs != null && this.syncGroupAs.toLowerCase().startsWith("cap");
+    	if (this.regexCapIncludes != null) {
-    }
+    		String[] regexPatternStrs = StringUtils.split(this.regexCapIncludes, ',');
+    		for (int i = 0; i < regexPatternStrs.length; i++)
+    			this.capIncludes.add(Pattern.compile(regexPatternStrs[i]));
+    	}
+	}
     
     /**
      * This method validates that the user exists, if not, it creates the
@@ -81,7 +85,7 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
      */
     @Override
     public void preAuthenticate(Authentication auth) throws AuthenticationException { 
-    	Long tenantId = this.findDefaultTenantId();
+    	Long tenantId = this.tenantFinderService.findTenantId();
 		this.logger.trace("Tenant ID: {}", tenantId);
 		
     	User user = this.findUser(auth, tenantId);
@@ -122,27 +126,13 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
      */
     @Override
     public void postAuthenticate(Authentication auth) throws AuthenticationException {
-    	Long tenantId = this.findDefaultTenantId();
+    	Long tenantId = this.tenantFinderService.findTenantId();
     	User user = this.findUser(auth, tenantId);
 		this.logger.debug("Inspecting user: {} => {}", user.getId(), user.getExternalId());
 		
     	this.syncUserRoles(user, auth, tenantId);
     }
     
-    private Long findDefaultTenantId() {
-    	String defaultTenantName = this.licenseService.getDefaultTenantName();
-		this.logger.trace("Default Tenant: {}", defaultTenantName);
-		
-    	List<Tenant> tenants = this.tenantService.findTenantsByName(defaultTenantName);
-    	if (tenants == null || tenants.isEmpty()) {
-    		this.logger.warn("Default tenant not found");
-    		return null;
-    	}
-    	
-    	Tenant tenant = tenants.iterator().next();
-    	return tenant.getId();
-    }
-    
     private User findUser(Authentication auth, Long tenantId) {
     	String email = auth.getName();
 		
@@ -182,8 +172,6 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
     		return;
     	}
     	
-    	boolean syncAsOrg = this.syncGroupAsOrganization();
-    	
 		// check Activiti groups
 		User userWithGroups = this.userService.getUser(user.getId(), true);
 		for (Group group : userWithGroups.getGroups()) {
@@ -193,8 +181,18 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
 			this.logger.trace("Inspecting group: {} => {} ({})", group.getId(), group.getName(), group.getExternalId());
 			
 			if (group.getExternalId() != null && this.removeMapEntriesByValue(roles, this.apsGroupExternalIdToKeycloakRole(group.getExternalId()))) {
+				if (group.getTenantId() == null) {
+					// fix stray groups
+					group.setTenantId(tenantId);
+					group.setLastUpdate(new Date());
+					this.groupService.save(group);
+				}
 				// role already existed and the user is already a member
 			} else if (group.getExternalId() == null && roles.remove(this.apsGroupNameToKeycloakRole(group.getName())) != null) {
+				// register the group as external
+				group.setExternalId(this.keycloakRoleToApsGroupExternalId(this.apsGroupNameToKeycloakRole(group.getName())));
+				group.setLastUpdate(new Date());
+				this.groupService.save(group);
 				// internal role already existed and the user is already a member
 			} else {
 				// at this point, we have a group that the user does not have a corresponding role for
@@ -237,6 +235,8 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
 			if (group == null) {
 				if (this.createMissingGroup) {
 					this.logger.trace("Creating new group for role: {}", role);
+					boolean syncAsOrg = this.isRoleToBeOrganization(role.getKey());
+					this.logger.trace("Creating new group as {}: {}", syncAsOrg ? "organization" : "capability", role);
 					String name = this.keycloakRoleToApsGroupName(role.getValue());
 					String externalId = this.keycloakRoleToApsGroupExternalId(role.getKey());
 					int type = syncAsOrg ? Group.TYPE_FUNCTIONAL_GROUP : Group.TYPE_SYSTEM_GROUP;
@@ -273,4 +273,17 @@ public class KeycloakActivitiAppAuthenticator extends AbstractKeycloakActivitiAu
     	return externalId;
     }
     
+    private boolean isRoleToBeOrganization(String role) {
+    	if (this.capIncludes.isEmpty())
+    		return true;
+    	
+		for (Pattern regex : this.capIncludes) {
+			Matcher matcher = regex.matcher(role);
+			if (matcher.matches())
+				return false;
+		}
+		
+		return true;
+    }
+    
 }

src/main/java/com/inteligr8/activiti/keycloak/KeycloakActivitiEngineAuthenticator.java

@@ -1,162 +0,0 @@
-package com.inteligr8.activiti.keycloak;
-
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.activiti.engine.IdentityService;
-import org.activiti.engine.identity.Group;
-import org.activiti.engine.identity.User;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.annotation.Lazy;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.stereotype.Component;
-
-/**
- * This is an unused implementation for non-APS installation.  It is not tested
- * and probably pointless.
- * 
- * @author brian.long@yudrio.com
- */
-@Component("keycloak-ext.activiti-engine.authenticator")
-@Lazy
-public class KeycloakActivitiEngineAuthenticator extends AbstractKeycloakActivitiAuthenticator {
-	
-    private final Logger logger = LoggerFactory.getLogger(this.getClass());
-    
-    @Autowired
-    private IdentityService identityService;
-    
-    @Value("${keycloak-ext.group.prefix:KEYCLOAK_}")
-    private String groupPrefix;
-
-    /**
-     * This method validates that the user exists, if not, it creates the
-     * missing user.  Without this functionality, SSO straight up fails.
-     */
-    @Override
-    public void preAuthenticate(Authentication auth) throws AuthenticationException {
-    	User user = this.findUser(auth);
-    	if (user == null) {
-    		if (this.createMissingUser) {
-    			this.logger.debug("User does not yet exist; creating the user: {}", auth.getName());
-
-        		user = this.createUser(auth);
-	    		this.logger.debug("Created user: {} => {}", user.getId(), user.getEmail());
-        		
-        		if (this.clearNewUserDefaultGroups) {
-		    		this.logger.debug("Clearing groups: {}", user.getId());
-	        		List<Group> groups = this.identityService.createGroupQuery()
-	        				.groupMember(user.getId())
-	        				.list();
-	        		for (Group group : groups)
-	        			this.identityService.deleteMembership(user.getId(), group.getId());
-        		}
-    		} else {
-    			this.logger.info("User does not exist; user creation is disabled: {}", auth.getName());
-    		}
-    	}
-    }
-    
-    /**
-     * This method validates that the groups exist, if not, it creates the
-     * missing ones.  Without this functionality, SSO works, but the user's
-     * authorities are not synchronized.
-     */
-    @Override
-    public void postAuthenticate(Authentication auth) throws AuthenticationException {
-    	User user = this.findUser(auth);
-		this.logger.debug("Inspecting user: {} => {}", user.getId(), user.getEmail());
-		
-    	this.syncUserRoles(user, auth);
-    }
-    
-    private User findUser(Authentication auth) {
-    	String email = auth.getName();
-    	
-    	User user = this.identityService.createUserQuery()
-    			.userEmail(email)
-    			.singleResult();
-    	
-    	return user;
-    }
-    
-    private User createUser(Authentication auth) {
-    	User user = this.identityService.newUser(auth.getName());
-    	user.setEmail(auth.getName());
-    	this.identityService.saveUser(user);
-    	return user;
-    }
-
-    private void syncUserRoles(User user, Authentication auth) {
-    	Map<String, String> roles = this.getKeycloakRoles(auth);
-    	if (roles == null) {
-    		this.logger.debug("The user roles could not be determined; skipping sync: {}", user.getEmail());
-    		return;
-    	}
-    	
-		// check Activiti groups
-    	List<Group> groups = this.identityService.createGroupQuery()
-    			.groupMember(user.getEmail())
-    			.list();
-		this.logger.debug("User is currently a member of {} groups", groups.size());
-    	for (Group group : groups) {
-    		if (!group.getId().startsWith(this.groupPrefix) && this.syncInternalGroups)
-    			continue;
-    		
-    		this.logger.trace("Inspecting group: {} => {} ({})", group.getId(), group.getName(), group.getType());
-    		if (roles.remove(this.activitiGroupIdToKeycloakRole(group.getId())) != null) {
-        		this.logger.trace("Group and membership already exist: {} => {}", user.getEmail(), group.getName());
-    			// already a member of the group
-    		} else {
-    			if (this.syncGroupRemove) {
-	        		this.logger.trace("Group membership not in OIDC token; removing from group: {} => {}", user.getEmail(), group.getName());
-	    			this.identityService.deleteMembership(user.getId(), group.getId());
-    			} else {
-    				this.logger.debug("User/group membership sync disabled; not removing user from group: {} => {}", user.getId(), group.getId());
-    			}
-    		}
-    	}
-
-		this.logger.debug("Unaddressed OIDC roles: {}", roles);
-    	
-    	// check remainder/unaddressed roles
-    	for (Entry<String, String> role : roles.entrySet()) {
-    		this.logger.trace("Inspecting role: {}", role);
-    		
-    		Group group = this.identityService.createGroupQuery()
-    				.groupId(this.keycloakRoleToActivitiGroupId(role.getKey()))
-    				.singleResult();
-    		if (group == null) {
-    			if (this.createMissingGroup) {
-	        		this.logger.trace("Group does not exist; creating one");
-	        		group = this.identityService.newGroup(this.keycloakRoleToActivitiGroupId(role.getKey()));
-	        		group.setName(role.getValue());
-	        		this.identityService.saveGroup(group);
-    			} else {
-        			this.logger.info("Group does not exist; group creation is disabled: {}", role.getKey());
-    			}
-    		}
-
-    		if (group != null && this.syncGroupAdd) {
-	    		this.logger.trace("Group membership not in Activiti; adding to group: {} => {}", user.getEmail(), group.getName());
-	    		this.identityService.createMembership(user.getId(), group.getId());
-			} else {
-				this.logger.debug("User/group membership sync disabled; not adding user to group: {} => {}", user.getId(), group.getId());
-    		}
-    	}
-    }
-    
-    private String keycloakRoleToActivitiGroupId(String role) {
-    	return this.groupPrefix + role;
-    }
-    
-    private String activitiGroupIdToKeycloakRole(String groupId) {
-    	return groupId.startsWith(this.groupPrefix) ? groupId.substring(this.groupPrefix.length()) : groupId;
-    }
-    
-}