Posted to dev@syncope.apache.org by Francesco Chicchiriccò <il...@apache.org> on 2015/10/28 15:01:54 UTC
Re: wrong exception in SecurityQuestion service?
On 28/10/2015 11:38, Massimiliano Perrone wrote:
> Hi Syncopers,
> running securityQuestionService.readByUser(username) method from
> org.apache.syncope.common.rest.api.service.SecurityQuestionService I
> get a wrong exception, I'm supposing..
>
> From the log header the URL called is, for instance,
> http://localhost:9080/syncope/rest/securityQuestions/byUser/rossini
> and, if I tried to run it from the web browser it works because the
> response is:
> <syncope:error xmlns:syncope="http://syncope.apache.org/2.0">
> <elements>
> <element>
> NotFoundException: Security question for user rossini
> </element>
> </elements>
> <status>404</status>
> <type>NotFound</type>
> </syncope:error>
>
> but the client returns 403 as the header shows:
> Headers: {Content-Length=[0], Date=[Wed, 28 Oct 2015 10:29:18 GMT],
> Server=[Apache-Coyote/1.1], X-Application-Error-Code=[Forbidden],
> X-Application-Error-Info=[Access is denied], X-Syncope-Domain=[Master]}
>
> The exception is:
> GRAVE: Problem with reading the data, class org.apache.syncope.common.lib.to.ErrorTO, ContentType: */*.
> Exception in thread "main" java.security.AccessControlException: Access is denied
> at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:69)
> at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
> at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:303)
> at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:760)
> at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:722)
> at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:228)
> at com.sun.proxy.$Proxy29.readByUser(Unknown Source)
>
> Is it the right behavior or is it a bug?
This is coherent with [1]: only anonymous users are meant to invoke that
method (via /securityQuestions/byUser/rossini).
If an admin wants to get to such information, he / she needs to read the
given user entry.
Hope this clarifies.
Regards.
[1]
https://github.com/apache/syncope/blob/master/core/logic/src/main/java/org/apache/syncope/core/logic/SecurityQuestionLogic.java#L109
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
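Added example (not part of the original messages and not Syncope code): a minimal model of the behavior discussed above, where an anonymous-only operation rejects an authenticated caller before any lookup, and a client rebuilds the error from the X-Application-Error-* headers when the 403 body is empty. All class and method names are hypothetical, the sample data is constructed, and the header-based fallback is an assumption about how a client can handle an empty error body.

```java
import java.util.Map;
import java.util.Optional;

// Added illustration, not Syncope code: every class and method name here is hypothetical.
public class AnonymousOnlyDemo {

    record Response(int status, Map<String, String> headers, String body) { }

    // Constructed sample data: username -> security question.
    static final Map<String, String> QUESTIONS = Map.of("verdi", "What was your first school?");

    // Server side: the caller check runs before any lookup, so an authenticated
    // caller gets the same 403 whether or not the user has a question.
    static Response readByUser(Optional<String> authenticatedAs, String username) {
        if (authenticatedAs.isPresent()) {
            return new Response(403, Map.of(
                    "X-Application-Error-Code", "Forbidden",
                    "X-Application-Error-Info", "Access is denied"), "");
        }
        String question = QUESTIONS.get(username);
        return question == null
                ? new Response(404, Map.of(), "NotFoundException: Security question for user " + username)
                : new Response(200, Map.of(), question);
    }

    // Client side: with an empty body there is no error entity to parse,
    // so the error is rebuilt from the X-Application-Error-* headers.
    static String describe(Response r) {
        if (r.status() == 200) {
            return "200 " + r.body();
        }
        if (r.body().isEmpty()) {
            return r.status() + " " + r.headers().getOrDefault("X-Application-Error-Code", "Unknown")
                    + ": " + r.headers().getOrDefault("X-Application-Error-Info", "");
        }
        return r.status() + " " + r.body();
    }

    public static void main(String[] args) {
        System.out.println(describe(readByUser(Optional.empty(), "rossini")));     // anonymous, no question
        System.out.println(describe(readByUser(Optional.of("admin"), "rossini"))); // authenticated caller
        System.out.println(describe(readByUser(Optional.empty(), "verdi")));       // anonymous, question set
    }
}
```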
Re: wrong exception in SecurityQuestion service?
Posted by Massimiliano Perrone <ma...@tirasa.net>.
On 28/10/2015 15:01, Francesco Chicchiriccò wrote:
> On 28/10/2015 11:38, Massimiliano Perrone wrote:
>> Hi Syncopers,
>> running securityQuestionService.readByUser(username) method from
>> org.apache.syncope.common.rest.api.service.SecurityQuestionService I
>> get a wrong exception, I'm supposing..
>>
>> From the log header the URL called is, for instance,
>> http://localhost:9080/syncope/rest/securityQuestions/byUser/rossini
>> and, if I tried to run it from the web browser it works because the
>> response is:
>> <syncope:error xmlns:syncope="http://syncope.apache.org/2.0">
>> <elements>
>> <element>
>> NotFoundException: Security question for user rossini
>> </element>
>> </elements>
>> <status>404</status>
>> <type>NotFound</type>
>> </syncope:error>
>>
>> but the client returns 403 as the header shows:
>> Headers: {Content-Length=[0], Date=[Wed, 28 Oct 2015 10:29:18 GMT],
>> Server=[Apache-Coyote/1.1], X-Application-Error-Code=[Forbidden],
>> X-Application-Error-Info=[Access is denied], X-Syncope-Domain=[Master]}
>>
>> The exception is:
>> GRAVE: Problem with reading the data, class org.apache.syncope.common.lib.to.ErrorTO, ContentType: */*.
>> Exception in thread "main" java.security.AccessControlException: Access is denied
>> at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:69)
>> at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
>> at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:303)
>> at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:760)
>> at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:722)
>> at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:228)
>> at com.sun.proxy.$Proxy29.readByUser(Unknown Source)
>>
>> Is it the right behavior or is it a bug?
>
> This is coherent with [1]: only anonymous users are meant to invoke
> that method (via /securityQuestions/byUser/rossini).
>
> If an admin wants to get to such information, he / she needs to read
> the given user entry.
>
> Hope this clarifies.
as usual :)
> Regards.
>
> [1]
> https://github.com/apache/syncope/blob/master/core/logic/src/main/java/org/apache/syncope/core/logic/SecurityQuestionLogic.java#L109
>
--
Massimiliano Perrone
Tel +39 393 9121310
Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
"Learning many things does not teach understanding"
(Heraclitus)