Posted to dev@syncope.apache.org by Massimiliano Perrone <ma...@tirasa.net> on 2015/10/28 11:38:14 UTC

wrong exception in SecurityQuestion service

Hi Syncopers,
running the securityQuestionService.readByUser(username) method from 
org.apache.syncope.common.rest.api.service.SecurityQuestionService I get 
a wrong exception, I suppose.

From the log header the URL called is, for instance, 
http://localhost:9080/syncope/rest/securityQuestions/byUser/rossini and, 
if I try to run it from the web browser it works because the response is:
<syncope:error xmlns:syncope="http://syncope.apache.org/2.0">
<elements>
<element>
NotFoundException: Security question for user rossini
</element>
</elements>
<status>404</status>
<type>NotFound</type>
</syncope:error>

but the client returns 403, as the header shows:
Headers: {Content-Length=[0], Date=[Wed, 28 Oct 2015 10:29:18 GMT], Server=[Apache-Coyote/1.1], X-Application-Error-Code=[Forbidden], X-Application-Error-Info=[Access is denied], X-Syncope-Domain=[Master]}

The exception is:
GRAVE: Problem with reading the data, class org.apache.syncope.common.lib.to.ErrorTO, ContentType: */*.
Exception in thread "main" java.security.AccessControlException: Access is denied
     at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:69)
     at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
     at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:303)
     at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:760)
     at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:722)
     at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:228)
     at com.sun.proxy.$Proxy29.readByUser(Unknown Source)

Is it the right behavior or is it a bug?

Massi

-- 
Massimiliano Perrone
Tel +39 393 9121310

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

"Learning many things does not teach intelligence"
(Heraclitus)


Re: wrong exception in SecurityQuestion service?

Posted by Massimiliano Perrone <ma...@tirasa.net>.

On 28/10/2015 15:01, Francesco Chicchiriccò wrote:
> On 28/10/2015 11:38, Massimiliano Perrone wrote:
>> Hi Syncopers,
>> running the securityQuestionService.readByUser(username) method from 
>> org.apache.syncope.common.rest.api.service.SecurityQuestionService I 
>> get a wrong exception, I suppose.
>>
>> From the log header the URL called is, for instance, 
>> http://localhost:9080/syncope/rest/securityQuestions/byUser/rossini 
>> and, if I try to run it from the web browser it works because the 
>> response is:
>> <syncope:error xmlns:syncope="http://syncope.apache.org/2.0">
>> <elements>
>> <element>
>> NotFoundException: Security question for user rossini
>> </element>
>> </elements>
>> <status>404</status>
>> <type>NotFound</type>
>> </syncope:error>
>>
>> but the client returns 403, as the header shows:
>> Headers: {Content-Length=[0], Date=[Wed, 28 Oct 2015 10:29:18 GMT], Server=[Apache-Coyote/1.1], X-Application-Error-Code=[Forbidden], X-Application-Error-Info=[Access is denied], X-Syncope-Domain=[Master]}
>>
>> The exception is:
>> GRAVE: Problem with reading the data, class org.apache.syncope.common.lib.to.ErrorTO, ContentType: */*.
>> Exception in thread "main" java.security.AccessControlException: Access is denied
>>     at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:69)
>>     at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
>>     at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:303)
>>     at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:760)
>>     at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:722)
>>     at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:228)
>>     at com.sun.proxy.$Proxy29.readByUser(Unknown Source)
>>
>> Is it the right behavior or is it a bug?
>
> This is coherent with [1]: only anonymous users are meant to invoke 
> that method (via /securityQuestions/byUser/rossini).
>
> If an admin wants to get to such information, he / she needs to read 
> the given user entry.
>
> Hope this clarifies.

as usual :)

> Regards.
>
> [1] 
> https://github.com/apache/syncope/blob/master/core/logic/src/main/java/org/apache/syncope/core/logic/SecurityQuestionLogic.java#L109
>

-- 
Massimiliano Perrone
Tel +39 393 9121310

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

"Learning many things does not teach intelligence"
(Heraclitus)


Re: wrong exception in SecurityQuestion service?

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 28/10/2015 11:38, Massimiliano Perrone wrote:
> Hi Syncopers,
> running the securityQuestionService.readByUser(username) method from 
> org.apache.syncope.common.rest.api.service.SecurityQuestionService I 
> get a wrong exception, I suppose.
>
> From the log header the URL called is, for instance, 
> http://localhost:9080/syncope/rest/securityQuestions/byUser/rossini 
> and, if I try to run it from the web browser it works because the 
> response is:
> <syncope:error xmlns:syncope="http://syncope.apache.org/2.0">
> <elements>
> <element>
> NotFoundException: Security question for user rossini
> </element>
> </elements>
> <status>404</status>
> <type>NotFound</type>
> </syncope:error>
>
> but the client returns 403, as the header shows:
> Headers: {Content-Length=[0], Date=[Wed, 28 Oct 2015 10:29:18 GMT], Server=[Apache-Coyote/1.1], X-Application-Error-Code=[Forbidden], X-Application-Error-Info=[Access is denied], X-Syncope-Domain=[Master]}
>
> The exception is:
> GRAVE: Problem with reading the data, class org.apache.syncope.common.lib.to.ErrorTO, ContentType: */*.
> Exception in thread "main" java.security.AccessControlException: Access is denied
>     at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:69)
>     at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
>     at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:303)
>     at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:760)
>     at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:722)
>     at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:228)
>     at com.sun.proxy.$Proxy29.readByUser(Unknown Source)
>
> Is it the right behavior or is it a bug?

This is coherent with [1]: only anonymous users are meant to invoke that 
method (via /securityQuestions/byUser/rossini).

If an admin wants to get to such information, he / she needs to read the 
given user entry.

Hope this clarifies.
Regards.

[1] 
https://github.com/apache/syncope/blob/master/core/logic/src/main/java/org/apache/syncope/core/logic/SecurityQuestionLogic.java#L109

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/