Posted to dev@syncope.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2013/02/27 16:10:53 UTC
Error with REST users/username=X
As per the discussions on SYNCOPE-324, I'm reading a user (from the new
API) via:
users?username=X
I am authenticating using the User's username/password and not the admin
user/password. I get an exception in the logs:
org.apache.syncope.core.rest.controller.UnauthorizedRoleException: Missing entitlement for role(s) [100]
    at org.apache.syncope.core.rest.data.UserDataBinder.getUserFromUsername(UserDataBinder.java:132) ~[UserDataBinder.class:na]
Syncope is set up with a single Role with no entitlements, and a single
User with that role, that I am authenticating as. In
UserDataBinder.getUserFromUsername we have:
Set<Long> roleIds = user.getRoleIds();
Set<Long> adminRoleIds =
    EntitlementUtil.getRoleIds(EntitlementUtil.getOwnedEntitlementNames());
roleIds.removeAll(adminRoleIds);

if (!roleIds.isEmpty()) {
    throw new UnauthorizedRoleException(roleIds);
}
In this case, "adminRoleIds" is empty and so the exception is thrown. Any
ideas?
Colm.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: Error with REST users/username=X
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 04/03/2013 14:21, Colm O hEigeartaigh wrote:
> Hi Francesco,
>
> Just looking at this logic again in UserDataBinder...
>
>> Set<Long> roleIds = user.getRoleIds();
>> Set<Long> adminRoleIds =
>>     EntitlementUtil.getRoleIds(EntitlementUtil.getOwnedEntitlementNames());
>> roleIds.removeAll(adminRoleIds);
>
> In my test-case, a user "alice" has role "read-role" with permission
> "ROLE_READ". When I log on as "alice" when calling
> "cxf/users?username=alice", "ROLE_READ" is returned from
> EntitlementUtil.getOwnedEntitlementNames(), but as it isn't of the format
> expected by EntitlementUtil.ROLE_ENTITLEMENT_NAME_PATTERN,
> EntitlementUtil.getRoleIds(...) is empty.
>
> Is this a bug - or am I missing something? If the user has a role with an
> entitlement that does not match the reg exp, then an exception will always
> be thrown in this class.
Hi Colm,
please try to access
/rest/user/read/self.xml
or
/cxf/users/self
in dev / embedded mode from the browser, with authentication 'rossini' /
'password'
This works because UserController#read invokes
UserDataBinder#getAuthenticatedUserTO()
instead of
UserDataBinder#getUserTO(username) or UserDataBinder#getUserTO(id)
HTH
Regards.
[1]
https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization
> On Wed, Feb 27, 2013 at 10:12 AM, Francesco Chicchiriccò <
> ilgrosso@apache.org> wrote:
>
>> On 27/02/2013 16:10, Colm O hEigeartaigh wrote:
>>
>>> As per the discussions on SYNCOPE-324, I'm reading a user (from the new
>>> API) via:
>>>
>>> users?username=X
>>>
>>> I am authenticating using the User's username/password and not the admin
>>> user/password. I get an exception in the logs:
>>>
>>> org.apache.syncope.core.rest.controller.UnauthorizedRoleException: Missing
>>> entitlement for role(s) [100]
>>> at
>>> org.apache.syncope.core.rest.data.UserDataBinder.getUserFromUsername(UserDataBinder.java:132)
>>> ~[UserDataBinder.class:na]
>>>
>>> Syncope is set up with a single Role with no entitlements, and a single
>>> User with that role, that I am authenticating as. In
>>> UserDataBinder.getUserFromUsername we have:
>>>
>>> Set<Long> roleIds = user.getRoleIds();
>>> Set<Long> adminRoleIds =
>>>     EntitlementUtil.getRoleIds(EntitlementUtil.getOwnedEntitlementNames());
>>> roleIds.removeAll(adminRoleIds);
>>>
>>> if (!roleIds.isEmpty()) {
>>>     throw new UnauthorizedRoleException(roleIds);
>>> }
>>>
>>> In this case, "adminRoleIds" is empty and so the exception is thrown. Any
>>> ideas?
>>>
>> Hi Colm,
>> for reading own roles, the same approach as per RoleController#selfRead
>> should be implemented.
>>
>> Regards.
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
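
Added example (not Syncope code and not part of either message): a self-contained Java model of the check discussed in this thread, showing why a caller holding only "ROLE_READ" is rejected on the by-username path while the self path succeeds. The class and method names, the regular expression and the sample data are assumptions made for illustration.

```java
import java.util.*;
import java.util.regex.*;

public class SelfReadDemo {
    // Assumption: role entitlements are named "ROLE_" + numeric role id. The thread
    // only states that "ROLE_READ" does not match the real pattern.
    static final Pattern ROLE_ENTITLEMENT = Pattern.compile("^ROLE_(\\d+)$");

    // Role ids the caller may administer, derived from the entitlement names it owns.
    static Set<Long> roleIdsFrom(Set<String> ownedEntitlements) {
        Set<Long> ids = new HashSet<>();
        for (String name : ownedEntitlements) {
            Matcher m = ROLE_ENTITLEMENT.matcher(name);
            if (m.matches()) {
                ids.add(Long.valueOf(m.group(1)));
            }
        }
        return ids;
    }

    // By-username path (hypothetical stand-in): the same set difference as the quoted
    // snippet, computed on a copy so the target user's own role set is not modified.
    static String readByUsername(String target, Set<Long> targetRoles, Set<String> owned) {
        Set<Long> missing = new HashSet<>(targetRoles);
        missing.removeAll(roleIdsFrom(owned));
        if (!missing.isEmpty()) {
            throw new SecurityException("Missing entitlement for role(s) " + missing);
        }
        return target;
    }

    // Self path (hypothetical stand-in): identity comes from the authenticated
    // session, not from a request parameter, so no role entitlement is consulted.
    static String readSelf(String authenticatedUser) {
        return authenticatedUser;
    }

    public static void main(String[] args) {
        Set<Long> aliceRoles = Set.of(100L);           // constructed sample data
        Set<String> aliceOwned = Set.of("ROLE_READ");  // a permission, not "ROLE_100"
        System.out.println(readSelf("alice"));
        System.out.println(readByUsername("alice", aliceRoles, Set.of("ROLE_100")));
        try {
            readByUsername("alice", aliceRoles, aliceOwned);
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```
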
Re: Error with REST users/username=X
Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Francesco,
Just looking at this logic again in UserDataBinder...
> Set<Long> roleIds = user.getRoleIds();
> Set<Long> adminRoleIds =
>     EntitlementUtil.getRoleIds(EntitlementUtil.getOwnedEntitlementNames());
> roleIds.removeAll(adminRoleIds);

In my test-case, a user "alice" has role "read-role" with permission
"ROLE_READ". When I log on as "alice" when calling
"cxf/users?username=alice", "ROLE_READ" is returned from
EntitlementUtil.getOwnedEntitlementNames(), but as it isn't of the format
expected by EntitlementUtil.ROLE_ENTITLEMENT_NAME_PATTERN,
EntitlementUtil.getRoleIds(...) is empty.
Is this a bug - or am I missing something? If the user has a role with an
entitlement that does not match the reg exp, then an exception will always
be thrown in this class.
Colm.
On Wed, Feb 27, 2013 at 10:12 AM, Francesco Chicchiriccò <
ilgrosso@apache.org> wrote:
> On 27/02/2013 16:10, Colm O hEigeartaigh wrote:
>
>> As per the discussions on SYNCOPE-324, I'm reading a user (from the new
>> API) via:
>>
>> users?username=X
>>
>> I am authenticating using the User's username/password and not the admin
>> user/password. I get an exception in the logs:
>>
>> org.apache.syncope.core.rest.controller.UnauthorizedRoleException: Missing
>> entitlement for role(s) [100]
>> at
>> org.apache.syncope.core.rest.data.UserDataBinder.getUserFromUsername(UserDataBinder.java:132)
>> ~[UserDataBinder.class:na]
>>
>> Syncope is set up with a single Role with no entitlements, and a single
>> User with that role, that I am authenticating as. In
>> UserDataBinder.getUserFromUsername we have:
>>
>> Set<Long> roleIds = user.getRoleIds();
>> Set<Long> adminRoleIds =
>>     EntitlementUtil.getRoleIds(EntitlementUtil.getOwnedEntitlementNames());
>> roleIds.removeAll(adminRoleIds);
>>
>> if (!roleIds.isEmpty()) {
>>     throw new UnauthorizedRoleException(roleIds);
>> }
>>
>> In this case, "adminRoleIds" is empty and so the exception is thrown. Any
>> ideas?
>>
>
> Hi Colm,
> for reading own roles, the same approach as per RoleController#selfRead
> should be implemented.
>
> Regards.
>
> --
> Francesco Chicchiriccò
>
> ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
> http://people.apache.org/~ilgrosso/
>
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: Error with REST users/username=X
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 27/02/2013 16:10, Colm O hEigeartaigh wrote:
> As per the discussions on SYNCOPE-324, I'm reading a user (from the new
> API) via:
>
> users?username=X
>
> I am authenticating using the User's username/password and not the admin
> user/password. I get an exception in the logs:
>
> org.apache.syncope.core.rest.controller.UnauthorizedRoleException: Missing
> entitlement for role(s) [100]
> at
> org.apache.syncope.core.rest.data.UserDataBinder.getUserFromUsername(UserDataBinder.java:132)
> ~[UserDataBinder.class:na]
>
> Syncope is set up with a single Role with no entitlements, and a single
> User with that role, that I am authenticating as. In
> UserDataBinder.getUserFromUsername we have:
>
> Set<Long> roleIds = user.getRoleIds();
> Set<Long> adminRoleIds =
>     EntitlementUtil.getRoleIds(EntitlementUtil.getOwnedEntitlementNames());
> roleIds.removeAll(adminRoleIds);
>
> if (!roleIds.isEmpty()) {
>     throw new UnauthorizedRoleException(roleIds);
> }
>
> In this case, "adminRoleIds" is empty and so the exception is thrown. Any
> ideas?
Hi Colm,
for reading own roles, the same approach as per RoleController#selfRead
should be implemented.
Regards.
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/