Posted to user@syncope.apache.org by Vlad Zelenko <vz...@gmail.com> on 2017/03/16 21:27:34 UTC

Self Registration help

Hey all.  I am evaluating syncope as IMS, and want to test the REST API.
For starters, I am using Swagger UI to test self-registration.

1.  (POST /users/self)  When I execute it from the browser, I invariably
receive CODE 403 with message "Access to the specified resource has been
forbidden."

2.  When I use the suggested 'curl' line (
http://localhost:8080/syncope/rest/users/self?storePassword=true, etc.),
'Access Denied' is seen in 'core-rest.log' of the application, but nothing
comes back to the STDOUT of cURL.

3. When I use regular create user in Swagger UI (POST /users) with the same
UserTO payload (see below), the user is created in syncope, code 201 is
returned with a Generated Key.

PAYLOAD:
{"username":"test","password":"12SomeComplex!!!Pwd","realm":"/","securityQuestion":"","securityAnswer":"","plainAttrs":[{"schema":"email","values":[]}],"derAttrs":[],"virAttrs":[],"resources":[],"auxClasses":[],"memberships":[],"@class":"org.apache.syncope.common.lib.to.UserTO"}


My question is, what is the correct way of performing self-registration
using the REST API (I need this for our web application)?  Losing my mind over
this...

Re: Self Registration help

Posted by vladz <vz...@gmail.com>.
HA!  It looks like the issue with "curl" not going through was that I used
the line suggested by Swagger UI, and it contained 2 errors:

1. (This one I fixed initially, so adding it here for completeness.)  The
"@class" attribute is shown there HTML-escaped as "%40class", which when
sent via curl produces "required attribute @class has not been set" kind of
message.

2. The "Accept" header is set by the Swagger UI curl line to "text/html",
where it should have been set to "application/json".

This last change indeed did the trick for me, thanks to the old syncope WIKI
link I found
(https://cwiki.apache.org/confluence/display/SYNCOPE/Call+REST+services+from+CLI.)

--
View this message in context: http://syncope-user.1051894.n5.nabble.com/Self-Registration-help-tp5709077p5709080.html
Sent from the syncope-user mailing list archive at Nabble.com.

Re: Self Registration help

Posted by vladz <vz...@gmail.com>.
First of all, THANK YOU, Francesco, for a fast reply!


ilgrosso wrote
> 
> vladz wrote
>> 1.  (POST /users/self)  When I execute it from the browser, I invariably
>> receive CODE 403 with message "Access to the specified resource has been
>> forbidden."
> Question: what is the value of the 'selfRegistration.allowed' 
> configuration parameter [1] in your Syncope deployment? (You can find it 
> out from Admin Console under Configuration > Parameters).
> E.g. was self-registration enabled at all?

Indeed, as far as I can see the "selfRegistration.allowed" flag was left at
its default TRUE value.  I was aware of it and checked in the
syncope-console Parameters section first.


ilgrosso wrote
> When enabled, the "POST /users/self" endpoint requires to be invoked 
> anonymously, e.g. without any 'Authorization' HTTP header.
> Are you sure that you did not populate the username / password fields in 
> the Swagger UI when attempting the "POST /users/self" invocation?

Regarding user/pass, the fields on top of the SwaggerUI were filled out with
values.  I have removed them and tried POST again with the same 403 error.

Looking at the actual request headers, there is an Authorization Basic hash
value set for the self request.  I wonder how it gets there and shouldn't
the SwaggerUI know to remove it?  That was a GOOD POINTER!

Thanks again, 


- vlad


Re: Self Registration help

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 16/03/2017 22:27, Vlad Zelenko wrote:
> Hey all.  I am evaluating syncope as IMS, and want to test the REST 
> API.  For starters, I am using Swagger UI to test self-registration.

Hi Vlad,
glad of your interest in Apache Syncope.

> 1.  (POST /users/self)  When I execute it from the browser, I 
> invariably receive CODE 403 with message "Access to the specified 
> resource has been forbidden."

Question: what is the value of the 'selfRegistration.allowed' 
configuration parameter [1] in your Syncope deployment? (You can find it 
out from Admin Console under Configuration > Parameters).
E.g. was self-registration enabled at all?

When enabled, the "POST /users/self" endpoint requires to be invoked 
anonymously, e.g. without any 'Authorization' HTTP header.
Are you sure that you did not populate the username / password fields in 
the Swagger UI when attempting the "POST /users/self" invocation?

> 2.  When I use the suggested 'curl' line 
> (http://localhost:8080/syncope/rest/users/self?storePassword=true, 
> etc.), 'Access Denied' is seen in 'core-rest.log' of the application, 
> but nothing comes back to the STDOUT of cURL.

Use "curl -v" and you will get all the response headers, including 
X-Application-Error-Code and X-Application-Error-Info.
More on available REST headers at [2].

> 3. When I use regular create user in Swagger UI (POST /users) with the 
> same UserTO payload (see below), the user is created in syncope, code 
> 201 is returned with a Generated Key.
>
> PAYLOAD:
> {"username":"test","password":"12SomeComplex!!!Pwd","realm":"/","securityQuestion":"","securityAnswer":"","plainAttrs":[{"schema":"email","values":[]}],"derAttrs":[],"virAttrs":[],"resources":[],"auxClasses":[],"memberships":[],"@class":"org.apache.syncope.common.lib.to.UserTO"}
>
>
> My question is, what is the correct way of performing 
> Self-registration using REST API (I need this for our web 
> application?)  Losing my mind over this...

It seems - for very valid reasons, I presume - that you are not 
interested in the Enduser application [3] nor in using the Java client 
library [4] for communicating via REST with Core (architectural 
reference available at [5]).
I would invite you anyway to carefully consider all the related security 
aspects: you can read from [6] how we did tackle them in the Enduser 
application.

Regards.

[1] 
https://syncope.apache.org/docs/reference-guide.html#configuration-parameters
[2] https://syncope.apache.org/docs/reference-guide.html#rest-headers
[3] 
https://syncope.apache.org/docs/reference-guide.html#customization-enduser
[4] https://syncope.apache.org/docs/reference-guide.html#client-library
[5] https://syncope.apache.org/docs/reference-guide.html#architecture
[6] http://blog.tirasa.net/syncope-enduser-security-features.html

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
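The thread boils down to three requirements for a self-registration call: the request must be anonymous (no Authorization header at all), it must ask for JSON back (Accept: application/json, not the text/html that the generated curl line carried), and the "@class" key in the UserTO must be sent literally rather than percent-encoded as "%40class". The script below is an added example written for this page, not code from the Syncope project or from either poster; it builds the same UserTO payload as the original post and sends it with Python's standard library only. The base URL, the example e-mail address and the wording in explain_response are assumptions; the X-Application-Error-Code and X-Application-Error-Info headers are the ones Francesco points to, read with the "curl -v" equivalent of inspecting the error response.

```python
import json
import urllib.error
import urllib.request

# Assumed to match the deployment in the thread; change for your installation.
BASE_URL = "http://localhost:8080/syncope/rest"
USER_TO_CLASS = "org.apache.syncope.common.lib.to.UserTO"


def build_user_to(username, password, email=None, realm="/"):
    """Build a UserTO like the payload in the original post.

    The '@class' key is emitted literally by json.dumps; the Swagger-generated
    curl line had it percent-encoded as '%40class', which the server rejects.
    """
    return {
        "@class": USER_TO_CLASS,
        "username": username,
        "password": password,
        "realm": realm,
        "securityQuestion": "",
        "securityAnswer": "",
        "plainAttrs": [{"schema": "email", "values": [email] if email else []}],
        "derAttrs": [],
        "virAttrs": [],
        "resources": [],
        "auxClasses": [],
        "memberships": [],
    }


def build_self_registration_request(user_to, store_password=True, base_url=BASE_URL):
    """Prepare an anonymous POST /users/self.

    Only Content-Type and Accept are set; deliberately no Authorization header,
    because the endpoint must be invoked anonymously (an Authorization header,
    even a valid one, turns the call into a 403).
    """
    url = "%s/users/self?storePassword=%s" % (base_url, "true" if store_password else "false")
    body = json.dumps(user_to).encode("utf-8")
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    if req.has_header("Authorization"):
        raise ValueError("self-registration must be anonymous")
    return req


def explain_response(status, headers):
    """Map an outcome to the causes discussed in the thread (assumed wording)."""
    code = headers.get("X-Application-Error-Code")
    info = headers.get("X-Application-Error-Info")
    detail = " [%s: %s]" % (code, info) if code else ""
    if status == 201:
        return "created"
    if status == 403:
        return ("forbidden: selfRegistration.allowed is false, or the request "
                "carried an Authorization header (POST /users/self must be anonymous)" + detail)
    return "HTTP %d%s; check the payload, e.g. '@class' sent as '%%40class'" % (status, detail)


def self_register(user_to, base_url=BASE_URL, timeout=10):
    """Send the request and return (status, relevant headers, parsed body or None)."""
    req = build_self_registration_request(user_to, base_url=base_url)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
            return resp.status, dict(resp.headers), json.loads(raw) if raw else None
    except urllib.error.HTTPError as err:
        # Same information 'curl -v' shows: the error reason travels in headers.
        hdrs = {k: err.headers.get(k) for k in ("X-Application-Error-Code", "X-Application-Error-Info")}
        return err.code, hdrs, None


if __name__ == "__main__":
    # test@example.com is a constructed value for the example.
    user = build_user_to("test", "12SomeComplex!!!Pwd", email="test@example.com")
    status, hdrs, body = self_register(user)
    print(status, explain_response(status, hdrs), body)
```

The same request as a curl line is `curl -v -X POST -H 'Content-Type: application/json' -H 'Accept: application/json' --data @user.json 'http://localhost:8080/syncope/rest/users/self?storePassword=true'`, with no `-u` and no `Authorization` header; `-v` is what makes the X-Application-Error-* headers visible when the body comes back empty.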