Posted to user@syncope.apache.org by Vlad Zelenko <vz...@gmail.com> on 2017/03/16 21:27:34 UTC
Self Registration help
Hey all. I am evaluating syncope as IMS, and want to test the REST API.
For starters, I am using Swagger UI to test self-registration.
1. (POST /users/self) When I execute it from the browser, I invariably
receive CODE 403 with message "Access to the specified resource has been
forbidden."
2. When I use the suggested 'curl' line (
http://localhost:8080/syncope/rest/users/self?storePassword=true, etc.),
'Access Denied' is seen in 'core-rest.log' of the application, but nothing
comes back to the STDOUT of cURL.
3. When I use regular create user in Swagger UI (POST /users) with the same
UserTO payload (see below), the user is created in syncope, code 201 is
returned with a Generated Key.
PAYLOAD:
{"username":"test","password":"12SomeComplex!!!Pwd","realm":"/","securityQuestion":"","securityAnswer":"","plainAttrs":[{"schema":"email","values":[]}],"derAttrs":[],"virAttrs":[],"resources":[],"auxClasses":[],"memberships":[],"@class":"org.apache.syncope.common.lib.to.UserTO"}
My question is, what is the correct way of performing self-registration
using the REST API (I need this for our web application)? Losing my mind over
this...
Re: Self Registration help
Posted by vladz <vz...@gmail.com>.
HA! It looks like the issue with "curl" not going through was that I used
the line suggested by Swagger UI, and it contained 2 errors:
1. (This one I fixed initially, so adding it here for completeness.) The
"@class" attribute is shown there HTML-escaped as "%40class", which when
sent via curl produces "required attribute @class has not been set" kind of
message.
2. The "Accept" header is set by the Swagger UI curl line to "text/html"
where it should have been set to "application/json."
This last change indeed did the trick for me, thanks to the old syncope WIKI
link I found
(https://cwiki.apache.org/confluence/display/SYNCOPE/Call+REST+services+from+CLI.)
--
View this message in context: http://syncope-user.1051894.n5.nabble.com/Self-Registration-help-tp5709077p5709080.html
Sent from the syncope-user mailing list archive at Nabble.com.
Re: Self Registration help
Posted by vladz <vz...@gmail.com>.
First of all, THANK YOU, Francesco, for a fast reply!
ilgrosso wrote
>
> vladz wrote
>> 1. (POST /users/self) When I execute it from the browser, I invariably
>> receive CODE 403 with message "Access to the specified resource has been
>> forbidden."
> Question: what is the value of the 'selfRegistration.allowed'
> configuration parameter [1] in your Syncope deployment? (You can find it
> out from Admin Console under Configuration > Parameters).
> E.g. was self-registration enabled at all?
Indeed, as far as I can see the "selfRegistration.allowed" flag was left at
its default TRUE value. I was aware of it and checked in the
syncope-console Parameters section first.
ilgrosso wrote
> When enabled, the "POST /users/self" endpoint must be invoked
> anonymously, e.g. without any 'Authorization' HTTP header.
> Are you sure that you did not populate the username / password fields in
> the Swagger UI when attempting the "POST /users/self" invocation?
Regarding user/pass, the fields on top of the SwaggerUI were filled out with
values. I have removed them and tried POST again with the same 403 error.
Looking at the actual request headers, there is an Authorization Basic hash
value set for the self request. I wonder how it gets there and shouldn't
the SwaggerUI know to remove it? That was a GOOD POINTER!
Thanks again,
- vlad
--
View this message in context: http://syncope-user.1051894.n5.nabble.com/Self-Registration-help-tp5709077p5709079.html
Re: Self Registration help
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 16/03/2017 22:27, Vlad Zelenko wrote:
> Hey all. I am evaluating syncope as IMS, and want to test the REST
> API. For starters, I am using Swagger UI to test self-registration.
Hi Vlad,
glad of your interest in Apache Syncope.
> 1. (POST /users/self) When I execute it from the browser, I
> invariably receive CODE 403 with message "Access to the specified
> resource has been forbidden."
Question: what is the value of the 'selfRegistration.allowed'
configuration parameter [1] in your Syncope deployment? (You can find it
out from Admin Console under Configuration > Parameters).
E.g. was self-registration enabled at all?
When enabled, the "POST /users/self" endpoint must be invoked
anonymously, e.g. without any 'Authorization' HTTP header.
Are you sure that you did not populate the username / password fields in
the Swagger UI when attempting the "POST /users/self" invocation?
> 2. When I use the suggested 'curl' line
> (http://localhost:8080/syncope/rest/users/self?storePassword=true,
> etc.), 'Access Denied' is seen in 'core-rest.log' of the application,
> but nothing comes back to the STDOUT of cURL.
Use "curl -v" and you will get all the response headers, including
X-Application-Error-Code and X-Application-Error-Info.
More on available REST headers at [2].
> 3. When I use regular create user in Swagger UI (POST /users) with the
> same UserTO payload (see below), the user is created in syncope, code
> 201 is returned with a Generated Key.
>
> PAYLOAD:
> {"username":"test","password":"12SomeComplex!!!Pwd","realm":"/","securityQuestion":"","securityAnswer":"","plainAttrs":[{"schema":"email","values":[]}],"derAttrs":[],"virAttrs":[],"resources":[],"auxClasses":[],"memberships":[],"@class":"org.apache.syncope.common.lib.to.UserTO"}
>
>
> My question is, what is the correct way of performing
> Self-registration using REST API (I need this for our web
> application?) Losing my mind over this...
It seems - for very valid reasons, I presume - that you are not
interested in the Enduser application [3] nor in using the Java client
library [4] for communicating via REST with Core (architectural
reference available at [5]).
I would invite you anyway to carefully consider all the related security
aspects: you can read from [6] how we did tackle them in the Enduser
application.
Regards.
[1]
https://syncope.apache.org/docs/reference-guide.html#configuration-parameters
[2] https://syncope.apache.org/docs/reference-guide.html#rest-headers
[3]
https://syncope.apache.org/docs/reference-guide.html#customization-enduser
[4] https://syncope.apache.org/docs/reference-guide.html#client-library
[5] https://syncope.apache.org/docs/reference-guide.html#architecture
[6] http://blog.tirasa.net/syncope-enduser-security-features.html
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
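The three pitfalls this thread turned up (an Authorization header on an anonymous endpoint, Accept: text/html instead of application/json, and "@class" percent-encoded as "%40class" in the body) are easy to reproduce in a small client. The following is an added example and is not code from the thread or from Apache Syncope: self_register() issues POST /users/self the way Francesco and Vlad describe, error_details() reads the X-Application-Error-Code / X-Application-Error-Info response headers that "curl -v" exposes, and a stub server stands in for Syncope so the whole thing runs offline. The stub's status codes, header values ("StubForbidden", "StubInvalidEntity"), the 406 on a non-JSON Accept, and the returned key are all constructed for the demo and are not Syncope's real responses.

```python
"""Anonymous self-registration against Syncope's REST API (POST /users/self).

Added example, not code from the mailing-list thread or from Apache Syncope.
The stub server is constructed so the example runs offline; its status codes,
header values and messages only mimic what the thread reports.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USER_TO_CLASS = "org.apache.syncope.common.lib.to.UserTO"
JSON = "application/json"


def build_user_to(username, password, email=None):
    """Minimal UserTO shaped like the payload posted in the thread.
    "@class" must be the literal JSON key: the Swagger-generated curl line
    had it percent-encoded as %40class, which Syncope rejects."""
    return {
        "@class": USER_TO_CLASS,
        "username": username,
        "password": password,
        "realm": "/",
        "plainAttrs": [{"schema": "email", "values": [email] if email else []}],
        "derAttrs": [], "virAttrs": [], "resources": [],
        "auxClasses": [], "memberships": [],
    }


def self_register(base_url, user_to, store_password=True, extra_headers=None):
    """POST /users/self as Syncope expects: JSON in, JSON out, and no
    Authorization header (self-registration is an anonymous call; a filled-in
    Swagger UI login box adds Basic auth and yields 403).
    Returns (status, response_headers, parsed_body_or_None).
    curl equivalent (note: no -u):
      curl -v -X POST -H 'Content-Type: application/json' \
           -H 'Accept: application/json' --data @user.json \
           "$BASE/users/self?storePassword=true"
    extra_headers exists only so the failure cases can be reproduced."""
    url = f"{base_url}/users/self?storePassword={str(store_password).lower()}"
    headers = {"Content-Type": JSON, "Accept": JSON}
    headers.update(extra_headers or {})
    req = urllib.request.Request(url, data=json.dumps(user_to).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, dict(resp.headers.items()), json.loads(resp.read())
    except urllib.error.HTTPError as err:
        # The body may be empty (the thread saw nothing on curl's stdout);
        # the reason is carried in headers, hence the advice to use curl -v.
        return err.code, dict(err.headers.items()), None


def error_details(headers):
    """The two diagnostic headers Syncope documents for REST errors."""
    return headers.get("X-Application-Error-Code"), headers.get("X-Application-Error-Info")


class _StubSyncope(BaseHTTPRequestHandler):
    """Constructed stand-in for the /users/self endpoint (offline demo only).
    Codes and messages are placeholders, not Syncope's real error catalogue."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if not self.path.startswith("/users/self"):
            return self._reply(404, {})
        if "Authorization" in self.headers:      # authenticated call: forbidden
            return self._reply(403, {"X-Application-Error-Code": "StubForbidden",
                                     "X-Application-Error-Info":
                                     "Access to the specified resource has been forbidden."})
        if self.headers.get("Accept") != JSON:    # constructed: thread only says text/html failed
            return self._reply(406, {"X-Application-Error-Info": "Accept must be application/json"})
        user_to = json.loads(body)
        if user_to.get("@class") != USER_TO_CLASS:
            return self._reply(400, {"X-Application-Error-Code": "StubInvalidEntity",
                                     "X-Application-Error-Info":
                                     "required attribute @class has not been set"})
        self._reply(201, {"Content-Type": JSON},
                    {"key": "stub-key-1", "username": user_to["username"]})

    def _reply(self, status, headers, body=None):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        if body is not None:
            self.wfile.write(json.dumps(body).encode())

    def log_message(self, *_):  # keep the demo quiet
        pass


def start_stub_server():
    """Start the stub on a random localhost port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _StubSyncope)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    base = start_stub_server()
    user = build_user_to("test", "12SomeComplex!!!Pwd", "test@example.org")
    print("anonymous:", self_register(base, user)[0])
    status, hdrs, _ = self_register(base, user, extra_headers={"Authorization": "Basic eDp5"})
    print("with Basic auth:", status, error_details(hdrs))
```

Run against a real Syncope by pointing base_url at http://localhost:8080/syncope/rest instead of the stub; the client code is the same, only the server-side messages differ.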