> On Apr 27, 2015, at 7:39 AM, Oleksandr Bodriagov (Polystar) <[email protected]> wrote:
>
> 1. I would like to clarify for myself if Fortress request to
> http://<SERVER_IP>:8080/fortress-rest-<VERSION>/rbacPerms has the following form:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <FortRequest>
>   <entity … />
>   <contextId>HOME</contextId>
>   <session>…</session>
> </FortResponse>
>
> Where <entity> and <session> elements come from the Fortress response from
> http://<SERVER_IP>:8080/fortress-rest-<VERSION>/rbacCreate.

Fortress Rest uses this entity to pass data into the server:
https://directory.apache.org/fortress/gen-docs/latest/apidocs/org/apache/directory/fortress/core/rest/FortRequest.html

The elements that are used vary by service but contextId must be passed on every request. Only apis in access manager must pass a session, with exception of create session, which of course doesn’t have one yet.

There is a fairly easy way to generate examples for how the requests must be formatted. The fortress core can communicate with fortress rest. You would add these props to build.properties:

# Using REST/HTTP allows Fortress communications to pass through firewalls and other non-LDAP network intermediaries.
enable.mgr.impl.rest=true

# This user account is added automatically during init-slapd or init-apacheds target via 'FortressDemoUsers.xml' policy file:
http.user=demouser4
http.pw=password
http.host=localhost
http.port=8080
http.protocol=http

Run mvn install from command line to get these changes inserted into fortress.properties. Next you will run:

mvn test -Pconsole

The request/responses generated by the test console app will communicate over rest. You can place a sniffer on the wire, or route the requests through a monitor to see what gets sent.

One catch, you have to do another pull on core. I had to add the client side rest dependencies to the profiles.
https://issues.apache.org/jira/browse/FC-95

> On Apr 27, 2015, at 7:39 AM, Oleksandr Bodriagov (Polystar) <[email protected]> wrote:
>
> 2. How does a request for getting permissions for a specific role look like?

rolePerms is the name of the service that returns permissions for a given role. I ran a trace of that service and pasted it here:
https://paste.apache.org/0KUs

> On Apr 27, 2015, at 7:39 AM, Oleksandr Bodriagov (Polystar) <[email protected]> wrote:
>
> 3. I get <warnings><id>2051</id><msg>validateConstraints role [GalileoDataReader] for user [Bob] was deactivated reason code [2051]</msg><type>ROLE</type><name>GalileoDataReader</name></warnings>
> when sending a request to http://<SERVER_IP>:8080/fortress-rest-<VERSION>/rbacCreate.
> What could be the reason? I have attached a description of temporal constraints for the GalileoDataReader role. User Bob has the following temporal constraints:
>
> <FortResponse> … <session> … <userId>Bob</userId><description>my user 1</description><name>Bob</name>
> <internalId>19305e67-b556-47b6-8461-f58aeac4a230</internalId><ou>Bla-Mobile</ou><sn>Bob</sn><cn>Bob</cn>
> <dn>uid=Bob,ou=People,dc=example,dc=com</dn><address/>
> <props><modId>72791a08-9cf0-4638-b519-c7a78b8a26d9</modId><entry><key>init</key><value></value></entry></props>
> <locked>false</locked><reset>false</reset><system>false</system>
> <beginDate>20150201</beginDate><endDate>20400301</endDate>
> <beginLockDate>20300301</beginLockDate><endLockDate>20300401</endLockDate>
> <dayMask>1234567</dayMask><timeout>5</timeout></user>
> <isAuthenticated>true</isAuthenticated><sessionId>2343e7f1-766e-4a47-b5d0-4178e82fa184</sessionId>
> <lastAccess>1430137954924</lastAccess><timeout>0</timeout><errorId>0</errorId>
> <expirationSeconds>0</expirationSeconds><graceLogins>0</graceLogins>
> <warnings><id>2051</id><msg>validateConstraints role [GalileoDataReader] for user [Bob] was deactivated reason code [2051]</msg><type>ROLE</type><name>GalileoDataReader</name></warnings>
> </session></FortResponse>

2051 is:

public static final int ACTV_FAILED_DATE
Entity activation failed due to date validation failure.

The list of fortress error codes is in the javadoc here:
https://directory.apache.org/fortress/gen-docs/latest/apidocs/org/apache/directory/fortress/core/SecurityException.html

That error will occur if the current date falls outside the range stated in beginDate and endDate. In this case the role GalileoDataReader failed that date check.
Shawn [email protected]
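An added illustration, not Fortress code and not part of the thread: a Python snippet that pulls the ROLE warnings out of a FortResponse and applies the beginDate/endDate check Shawn describes for reason code 2051. The sample response is constructed from the fragment quoted above, trimmed to the elements the check needs.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Reason code quoted in the thread (SecurityException.ACTV_FAILED_DATE).
ACTV_FAILED_DATE = 2051

# Constructed sample modelled on the FortResponse quoted in the thread;
# only the user's date constraints and the warning element are kept.
SAMPLE_RESPONSE = """<FortResponse><session>
<user><userId>Bob</userId><beginDate>20150201</beginDate><endDate>20400301</endDate></user>
<warnings><id>2051</id><msg>validateConstraints role [GalileoDataReader] for user [Bob] was deactivated reason code [2051]</msg><type>ROLE</type><name>GalileoDataReader</name></warnings>
</session></FortResponse>"""


def parse_yyyymmdd(text):
    """Temporal constraints carry dates as yyyyMMdd; empty/'none' means unconstrained."""
    if not text or text.strip().lower() == "none":
        return None
    return date(int(text[:4]), int(text[4:6]), int(text[6:8]))


def date_check(begin_date, end_date, today):
    """The check described in the thread: activation fails with 2051 when
    today lies outside [beginDate, endDate]. Returns 0 on success."""
    begin, end = parse_yyyymmdd(begin_date), parse_yyyymmdd(end_date)
    if (begin and today < begin) or (end and today > end):
        return ACTV_FAILED_DATE
    return 0


def deactivated_roles(response_xml):
    """List (role name, reason code) for every ROLE warning in the response,
    i.e. roles the server dropped from the session during activation."""
    root = ET.fromstring(response_xml)
    return [(w.findtext("name"), int(w.findtext("id")))
            for w in root.iter("warnings") if w.findtext("type") == "ROLE"]


def user_date_status(response_xml, today):
    """Apply date_check to the <user> constraints carried in the response."""
    user = ET.fromstring(response_xml).find(".//user")
    return date_check(user.findtext("beginDate"), user.findtext("endDate"), today)


if __name__ == "__main__":
    when = date(2015, 4, 27)  # the date of the thread
    print("roles deactivated:", deactivated_roles(SAMPLE_RESPONSE))
    print("user date check:", user_date_status(SAMPLE_RESPONSE, when))
```

Bob's own window passes for the thread's date, so the 2051 warning points at the role's constraints, which is exactly what the reply concludes.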
