On 04/03/2013 14:21, Colm O hEigeartaigh wrote:
Hi Francesco,
Just looking at this logic again in UserDataBinder...
Set<Long> roleIds = user.getRoleIds();
Set<Long> adminRoleIds =
EntitlementUtil.getRoleIds(EntitlementUtil.getOwnedEntitlementNames());
roleIds.removeAll(adminRoleIds);
In my test-case, a user "alice" has role "read-role" with permission
"ROLE_READ". When I log on as "alice" when calling
"cxf/users?username=alice", "ROLE_READ" is returned from
EntitlementUtil.getOwnedEntitlementNames(), but as it isn't of the format
expected by EntitlementUtil.ROLE_ENTITLEMENT_NAME_PATTERN,
EntitlementUtil.getRoleIds(...) is empty.
Is this a bug - or am I missing something? If the user has a role with an
entitlement that does not match the regexp, then an exception will always
be thrown in this class.
Hi Colm,
please try to access
/rest/user/read/self.xml
or
/cxf/users/self
in dev / embedded mode from the browser, with authentication 'rossini' /
'password'
This works because UserController#read invokes
UserDataBinder#getAuthenticatedUserTO()
instead of
UserDataBinder#getUserTO(username) or UserDataBinder#getUserTO(id)
HTH
Regards.
[1]
https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization
On Wed, Feb 27, 2013 at 10:12 AM, Francesco Chicchiriccò <[email protected]> wrote:
On 27/02/2013 16:10, Colm O hEigeartaigh wrote:
As per the discussions on SYNCOPE-324, I'm reading a user (from the new
API) via:
users?username=X
I am authenticating using the User's username/password and not the admin
user/password. I get an exception in the logs:
org.apache.syncope.core.rest.controller.UnauthorizedRoleException: Missing entitlement for role(s) [100]
at org.apache.syncope.core.rest.data.UserDataBinder.getUserFromUsername(UserDataBinder.java:132) ~[UserDataBinder.class:na]
Syncope is set up with a single Role with no entitlements, and a single
User with that role, that I am authenticating as. In
UserDataBinder.getUserFromUsername we have:
Set<Long> roleIds = user.getRoleIds();
Set<Long> adminRoleIds = EntitlementUtil.getRoleIds(EntitlementUtil.getOwnedEntitlementNames());
roleIds.removeAll(adminRoleIds);
if (!roleIds.isEmpty()) {
    throw new UnauthorizedRoleException(roleIds);
}
In this case, "adminRoleIds" is empty and so the exception is thrown. Any
ideas?
Hi Colm,
for reading own roles, the same approach as per RoleController#selfRead
should be implemented.
Regards.
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
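As an added illustration, not code from Syncope or from either poster, the following self-contained Java class models the check quoted from UserDataBinder.getUserFromUsername: the caller's owned entitlement names are reduced to role ids with a regexp (assumed here to be ROLE_<digits>, standing in for EntitlementUtil.ROLE_ENTITLEMENT_NAME_PATTERN, whose actual definition is not quoted in the thread), subtracted from the target user's role ids, and any remainder is rejected. It also shows why an entitlement named "ROLE_READ" yields an empty owned set, and a separate self-read path keyed on the authenticated principal in the spirit of getAuthenticatedUserTO; the class, method and sample names are constructed for this example.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RoleEntitlementCheck {
    // Assumption: role-scoped entitlements are named ROLE_<roleId>; this stands
    // in for EntitlementUtil.ROLE_ENTITLEMENT_NAME_PATTERN, which is not quoted.
    static final Pattern ROLE_ENTITLEMENT = Pattern.compile("^ROLE_(\\d+)$");
    // Counterpart of EntitlementUtil.getRoleIds: a name such as "ROLE_READ"
    // does not match, so the caller's owned role ids can come back empty.
    static Set<Long> roleIdsFromEntitlements(Set<String> owned) {
        Set<Long> ids = new HashSet<>();
        for (String name : owned) {
            Matcher m = ROLE_ENTITLEMENT.matcher(name);
            if (m.matches()) {
                ids.add(Long.valueOf(m.group(1)));
            }
        }
        return ids;
    }

    // The check quoted from UserDataBinder.getUserFromUsername: every role of
    // the target user must be covered by a ROLE_<id> entitlement of the caller.
    static void checkRolesCovered(Set<Long> targetRoleIds, Set<String> callerEntitlements) {
        Set<Long> uncovered = new HashSet<>(targetRoleIds); // copy; leave the user's set alone
        uncovered.removeAll(roleIdsFromEntitlements(callerEntitlements));
        if (!uncovered.isEmpty()) {
            throw new SecurityException("Missing entitlement for role(s) " + uncovered);
        }
    }
    // Self-read path in the spirit of getAuthenticatedUserTO: the target is the
    // authenticated principal, so no role coverage is needed.
    static boolean isSelfRead(String principal, String requestedUsername) {
        return principal.equals(requestedUsername);
    }
    public static void main(String[] args) {
        Set<Long> aliceRoles = Set.of(100L);         // constructed: alice holds role 100
        Set<String> aliceEnts = Set.of("ROLE_READ"); // constructed: not of the form ROLE_<id>
        System.out.println("self path allowed: " + isSelfRead("alice", "alice"));
        try {
            checkRolesCovered(aliceRoles, aliceEnts);   // username path: rejected
        } catch (SecurityException e) {
            System.out.println("username path: " + e.getMessage());
        }
        checkRolesCovered(aliceRoles, Set.of("ROLE_100")); // a caller holding ROLE_100 passes
        System.out.println("caller with ROLE_100: ok");
    }
}
```

Running main prints that the self path is allowed, that the username path fails with "Missing entitlement for role(s) [100]" for alice reading herself, and that a caller holding ROLE_100 passes.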