Posted to user@syncope.apache.org by Ciusso Hb <ci...@gmail.com> on 2019/01/04 08:27:02 UTC

Realms REST endpoint authorization

Hi all, I've noticed that the "/realms" REST endpoint needs authentication,
but is callable without "REALM_LIST" entitlements; is this by design?

Furthermore, the list of realms returned starts from the root (not only from
the realm of the user calling the method).

The "/domains" REST endpoint seems to have a similar behavior: it returns 200
OK with an empty list, but in this case I think it is intentional, because the
domain could be used to log in.

Thank you very much

Re: Realms REST endpoint authorization

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 04/01/19 11:37, Ciusso Hb wrote:
> Ok, simple like that...
> Sorry, I was misled by this line
> "AuthContextUtils.getAuthorizations().keySet().contains(StandardEntitlement.REALM_LIST);".
> With a rapid check, I thought that was used to check if a user could
> get the list of realms, but it is used to get the full data of realms.
>
> So an authenticated user can get the list of all realms with basic data, and
> administrators (or users having the REALM_LIST entitlement) could get the
> realm list with all associated data (Account and Password policies,
> Actions, Templates and Resources).
> Correct?

Correct.

Regards.

> On Fri, Jan 4, 2019 at 11:01 AM Francesco Chicchiriccò 
> <ilgrosso@apache.org> wrote:
>
>     On 04/01/19 10:58, Ciusso Hb wrote:
>>     Hi Francesco, good to know about the segregation of realms and
>>     the code seems pretty clear.
>>
>>     But with version 2.1.3-SNAPSHOT I've created a "simple" user
>>     without any Entitlements and, via Swagger, called the realms
>>     endpoint, passing his credentials.
>>     The method returned a list with all the realms when I expected a 403.
>
>     Why? The method [1] is annotated as
>
>     @PreAuthorize("isAuthenticated()")
>
>     This means that any authenticated user is allowed to invoke the
>     method.
>
>     Regards.
>
>>     On Fri, Jan 4, 2019 at 9:42 AM Francesco Chicchiriccò
>>     <ilgrosso@apache.org> wrote:
>>
>>         On 04/01/19 09:27, Ciusso Hb wrote:
>>         > Hi all, I've noticed that the "/realms" REST endpoint needs
>>         > authentication, but is callable without "REALM_LIST"
>>         > entitlements; is
>>         > this by design?
>>
>>         Hi,
>>         it is not exactly like this: since one admin can own
>>         REALM_LIST on a
>>         folded realm but not on its parent realms, the behavior will
>>         return
>>         restricted realms when non-admin, and full-fledged realms
>>         when admin.
>>
>>         Such behavior is implemented by [1] and [2].
>>
>>         > Furthermore, the list of realms returned starts from the root
>>         > (not only
>>         > from the realm of the user calling the method).
>>         >
>>         > The "/domains" REST endpoint seems to have a similar
>>         > behavior: it returns
>>         > 200 OK with an empty list, but in this case I think it is
>>         > intentional,
>>         > because the domain could be used to log in.
>>
>>         Yep, correct.
>>
>>         Regards.
>>
>>         [1]
>>         https://github.com/apache/syncope/blob/master/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/RealmLogic.java#L73-L86
>>         [2]
>>         https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/RealmDataBinderImpl.java#L219-L246
>>
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
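The behaviour confirmed in the thread, modelled as an added example. This is not Syncope's code: only the @PreAuthorize("isAuthenticated()") annotation and the REALM_LIST check quoted above are taken from the project, while the Caller, Realm, RealmTO and Entitlement types, the helper names and the sample realms are assumptions made for the illustration. It shows the two separate decisions at work: authentication gates the call, the entitlement only decides how much of each realm is serialized, and the realm the entitlement is scoped to plays no part in the listing.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration, not Syncope code. Models the two checks discussed in the
 * thread: authentication gates list(), REALM_LIST only controls the detail level.
 * All type and helper names are assumptions.
 */
public class RealmListingExample {

    enum Entitlement { REALM_LIST, USER_SEARCH }

    /** Stand-in for the authenticated principal and its entitlement -> realms map. */
    record Caller(String username, Map<Entitlement, Set<String>> authorizations) {
        boolean isAuthenticated() { return username != null; }
        // Same shape as the quoted getAuthorizations().keySet().contains(...):
        // only the entitlement key is consulted, never the realms it is granted on.
        boolean holds(Entitlement e) { return authorizations.containsKey(e); }
    }

    /** Persisted realm (assumed shape). */
    record Realm(String fullPath, String accountPolicy, String passwordPolicy, List<String> resources) { }

    /** What goes over the wire; the null fields are what a non-admin never sees. */
    record RealmTO(String fullPath, String accountPolicy, String passwordPolicy, List<String> resources) { }

    /** Plays the role of the data binder: only admins get the attached data. */
    static RealmTO toTO(Realm realm, boolean admin) {
        if (admin) {
            return new RealmTO(realm.fullPath(), realm.accountPolicy(), realm.passwordPolicy(),
                    List.copyOf(realm.resources()));
        }
        return new RealmTO(realm.fullPath(), null, null, List.of());
    }

    /** Plays the role of the logic's list(): any authenticated caller gets every realm. */
    static List<RealmTO> list(Caller caller, List<Realm> realms) {
        if (!caller.isAuthenticated()) {
            // This is all that @PreAuthorize("isAuthenticated()") enforces
            throw new SecurityException("not authenticated");
        }
        boolean admin = caller.holds(Entitlement.REALM_LIST);
        List<RealmTO> result = new ArrayList<>();
        for (Realm r : realms) {
            result.add(toTO(r, admin));
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample realm tree
        List<Realm> realms = List.of(
                new Realm("/", "DefaultAccountPolicy", "DefaultPasswordPolicy", List.of("resource-ldap")),
                new Realm("/even", null, "StrictPasswordPolicy", List.of("resource-db")),
                new Realm("/even/two", null, null, List.of()));

        Caller plainUser = new Caller("rossini", Map.of());
        Caller realmAdmin = new Caller("admin", Map.of(Entitlement.REALM_LIST, Set.of("/even")));
        Caller anonymous = new Caller(null, Map.of());

        // Plain user: succeeds, all paths from the root, but no policies or resources
        for (RealmTO to : list(plainUser, realms)) {
            System.out.println("user  -> " + to);
        }
        // Admin holding REALM_LIST on /even only: full data for "/" as well,
        // because the check looks at the entitlement key, not at its realm scope
        for (RealmTO to : list(realmAdmin, realms)) {
            System.out.println("admin -> " + to);
        }
        // Anonymous caller: rejected before any realm is read
        try {
            list(anonymous, realms);
        } catch (SecurityException e) {
            System.out.println("anon  -> " + e.getMessage());
        }
    }
}
```

The practical check against a running instance is the one the thread describes: create a user with no entitlements, call the "/realms" endpoint with that user's credentials and confirm the response is 200 with realm entries that carry paths but no policies, actions, templates or resources; repeat with an account holding REALM_LIST and confirm the full objects come back.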


Re: Realms REST endpoint authorization

Posted by Ciusso Hb <ci...@gmail.com>.
Ok, simple like that...
Sorry, I was misled by this line
"AuthContextUtils.getAuthorizations().keySet().contains(StandardEntitlement.REALM_LIST);".
With a rapid check, I thought that was used to check if a user could get
the list of realms, but it is used to get the full data of realms.

So an authenticated user can get the list of all realms with basic data, and
administrators (or users having the REALM_LIST entitlement) could get the
realm list with all associated data (Account and Password policies, Actions,
Templates and Resources).
Correct?

Thank you

On Fri, Jan 4, 2019 at 11:01 AM Francesco Chicchiriccò <il...@apache.org>
wrote:

> On 04/01/19 10:58, Ciusso Hb wrote:
>
> Hi Francesco, good to know about the segregation of realms and the code
> seems pretty clear.
>
> But with version 2.1.3-SNAPSHOT I've created a "simple" user without any
> Entitlements and, via Swagger, called the realms endpoint, passing his
> credentials.
> The method returned a list with all the realms when I expected a 403.
>
> Why? The method [1] is annotated as
>
> @PreAuthorize("isAuthenticated()")
>
> This means that any authenticated user is allowed to invoke the method.
>
> Regards.
>
> On Fri, Jan 4, 2019 at 9:42 AM Francesco Chicchiriccò <il...@apache.org>
> wrote:
>
>> On 04/01/19 09:27, Ciusso Hb wrote:
>> > Hi all, I've noticed that the "/realms" REST endpoint needs
>> > authentication, but is callable without "REALM_LIST" entitlements; is
>> > this by design?
>>
>> Hi,
>> it is not exactly like this: since one admin can own REALM_LIST on a
>> folded realm but not on its parent realms, the behavior will return
>> restricted realms when non-admin, and full-fledged realms when admin.
>>
>> Such behavior is implemented by [1] and [2].
>>
>> > Furthermore, the list of realms returned starts from the root (not only
>> > from the realm of the user calling the method).
>> >
>> > The "/domains" REST endpoint seems to have a similar behavior: it returns
>> > 200 OK with an empty list, but in this case I think it is intentional,
>> > because the domain could be used to log in.
>>
>> Yep, correct.
>>
>> Regards.
>>
>> [1]
>>
>> https://github.com/apache/syncope/blob/master/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/RealmLogic.java#L73-L86
>> [2]
>>
>> https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/RealmDataBinderImpl.java#L219-L246
>>

Re: Realms REST endpoint authorization

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 04/01/19 10:58, Ciusso Hb wrote:
> Hi Francesco, good to know about the segregation of realms and the 
> code seems pretty clear.
>
> But with version 2.1.3-SNAPSHOT I've created a "simple" user without
> any Entitlements and, via Swagger, called the realms endpoint, passing
> his credentials.
> The method returned a list with all the realms when I expected a 403.

Why? The method [1] is annotated as

@PreAuthorize("isAuthenticated()")

This means that any authenticated user is allowed to invoke the method.

Regards.

> On Fri, Jan 4, 2019 at 9:42 AM Francesco Chicchiriccò 
> <ilgrosso@apache.org> wrote:
>
>     On 04/01/19 09:27, Ciusso Hb wrote:
>     > Hi all, I've noticed that the "/realms" REST endpoint needs
>     > authentication, but is callable without "REALM_LIST"
>     > entitlements; is
>     > this by design?
>
>     Hi,
>     it is not exactly like this: since one admin can own REALM_LIST on a
>     folded realm but not on its parent realms, the behavior will return
>     restricted realms when non-admin, and full-fledged realms when admin.
>
>     Such behavior is implemented by [1] and [2].
>
>     > Furthermore, the list of realms returned starts from the root (not
>     > only
>     > from the realm of the user calling the method).
>     >
>     > The "/domains" REST endpoint seems to have a similar behavior: it
>     > returns
>     > 200 OK with an empty list, but in this case I think it is intentional,
>     > because the domain could be used to log in.
>
>     Yep, correct.
>
>     Regards.
>
>     [1]
>     https://github.com/apache/syncope/blob/master/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/RealmLogic.java#L73-L86
>     [2]
>     https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/RealmDataBinderImpl.java#L219-L246
>

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Realms REST endpoint authorization

Posted by Ciusso Hb <ci...@gmail.com>.
Hi Francesco, good to know about the segregation of realms and the code
seems pretty clear.

But with version 2.1.3-SNAPSHOT I've created a "simple" user without any
Entitlements and, via Swagger, called the realms endpoint, passing his
credentials.
The method returned a list with all the realms when I expected a 403.

On Fri, Jan 4, 2019 at 9:42 AM Francesco Chicchiriccò <il...@apache.org>
wrote:

> On 04/01/19 09:27, Ciusso Hb wrote:
> > Hi all, I've noticed that the "/realms" REST endpoint needs
> > authentication, but is callable without "REALM_LIST" entitlements; is
> > this by design?
>
> Hi,
> it is not exactly like this: since one admin can own REALM_LIST on a
> folded realm but not on its parent realms, the behavior will return
> restricted realms when non-admin, and full-fledged realms when admin.
>
> Such behavior is implemented by [1] and [2].
>
> > Furthermore, the list of realms returned starts from the root (not only
> > from the realm of the user calling the method).
> >
> > The "/domains" REST endpoint seems to have a similar behavior: it returns
> > 200 OK with an empty list, but in this case I think it is intentional,
> > because the domain could be used to log in.
>
> Yep, correct.
>
> Regards.
>
> [1]
>
> https://github.com/apache/syncope/blob/master/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/RealmLogic.java#L73-L86
> [2]
>
> https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/RealmDataBinderImpl.java#L219-L246
>

Re: Realms REST endpoint authorization

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 04/01/19 09:27, Ciusso Hb wrote:
> Hi all, I've noticed that the "/realms" REST endpoint needs
> authentication, but is callable without "REALM_LIST" entitlements; is
> this by design?

Hi,
it is not exactly like this: since one admin can own REALM_LIST on a 
folded realm but not on its parent realms, the behavior will return 
restricted realms when non-admin, and full-fledged realms when admin.

Such behavior is implemented by [1] and [2].

> Furthermore, the list of realms returned starts from the root (not only
> from the realm of the user calling the method).
>
> The "/domains" REST endpoint seems to have a similar behavior: it returns
> 200 OK with an empty list, but in this case I think it is intentional,
> because the domain could be used to log in.

Yep, correct.

Regards.

[1] 
https://github.com/apache/syncope/blob/master/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/RealmLogic.java#L73-L86
[2] 
https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/RealmDataBinderImpl.java#L219-L246

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/