RE: Differentiating unknown user and known user with wrong password ?

2016-10-25 Thread Mani, Vellingiri (Nokia - IN)
Hi Francesco,

I added suspended to the authentication.statuses parameter but the response is 
still “401 Unauthorized”.


Regards,
Vellingiri

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, October 24, 2016 8:30 PM
To: user@syncope.apache.org
Subject: Re: Differentiating unknown user and known user with wrong password ?

On 24/10/2016 16:52, Mani, Vellingiri (Nokia - IN) wrote:
Hi Francesco,

I understand. For suspended user, the response is 401. Is it for the same 
reason ?

Not quite: this is because of the authentication.statuses configuration 
parameter

https://syncope.apache.org/docs/reference-guide.html#configuration-parameters

which does not contain 'suspended' by default; when you add it to the list of 
supported statuses for authentication, suspended users will be able to 
authenticate themselves.

HTH
Regards.


From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, October 24, 2016 12:44 PM
To: user@syncope.apache.org
Subject: Re: Differentiating unknown user and known user with wrong password ?

On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:
Hi,

Same response code(401) from Syncope during self-authentication [1] for both 
unknown user and known user with wrong password.
[1] http://10.10.10.10:8080/syncope/rest/users/self

How can we distinguish between the unknown user and the known user with wrong 
password ?

This is on purpose: if there were different HTTP statuses, an attacker could 
exploit it to enumerate the existing users.

Having said that, and even if I would not advise it, there is the chance to 
override such behaviour - in Syncope there is always a means to override ;-) - 
by tweaking the Spring Security configuration: see some recent e-mails about 
this topic for more details.

Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


RE: Differentiating unknown user and known user with wrong password ?

2016-10-24 Thread Mani, Vellingiri (Nokia - IN)
Hi Francesco,

I understand. For suspended user, the response is 401. Is it for the same 
reason ?

Regards,
Vellingiri

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, October 24, 2016 12:44 PM
To: user@syncope.apache.org
Subject: Re: Differentiating unknown user and known user with wrong password ?

On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:
Hi,

Same response code(401) from Syncope during self-authentication [1] for both 
unknown user and known user with wrong password.
[1] http://10.10.10.10:8080/syncope/rest/users/self

How can we distinguish between the unknown user and the known user with wrong 
password ?

This is on purpose: if there were different HTTP statuses, an attacker could 
exploit it to enumerate the existing users.

Having said that, and even if I would not advise it, there is the chance to 
override such behaviour - in Syncope there is always a means to override ;-) - 
by tweaking the Spring Security configuration: see some recent e-mails about 
this topic for more details.

Regards.



RE: Syncope user creation from REST client

2016-09-19 Thread Mani, Vellingiri (Nokia - IN)

Ok. I understand your response.

which is the source for these users?
Actually, we have user information in a text/Excel file. Creating users manually 
is a difficult job. We don't have an external connector.

Regards,
Vellingiri

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, September 19, 2016 4:00 PM
To: user@syncope.apache.org
Subject: Re: Syncope user creation from REST client

On 19/09/2016 12:22, Mani, Vellingiri (Nokia - IN) wrote:
Hi Francesco,

I have a use case where I need to add thousands or more users in a single 
request.  i.e. bulk user creation.
Is it possible in Syncope ?

Bulk actions are available for the operations defined at [1] (see some samples 
at [2] under the "Delete several users at once" example) - which does not 
include create.

Instead of bulk creating thousands of users via REST, I would rather suggest 
relying on some external connector: which is the source for these users? Can't 
they be pulled from DB / LDAP / ...?

Regards.

[1] 
https://github.com/apache/syncope/blob/2_0_X/common/lib/src/main/java/org/apache/syncope/common/lib/to/BulkAction.java#L41-L46
[2] http://syncope.apache.org/docs/reference-guide.html#client-library


From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, September 19, 2016 3:46 PM
To: user@syncope.apache.org
Subject: Re: Syncope user creation from REST client

On 19/09/2016 12:15, Mani, Vellingiri (Nokia - IN) wrote:
Thanks Francesco!!
After adding username, it works.

Glad it helped :-)
Regards.



From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, September 19, 2016 3:39 PM
To: user@syncope.apache.org
Subject: Re: Syncope user creation from REST client

On 19/09/2016 12:03, Mani, Vellingiri (Nokia - IN) wrote:
Hi,

Currently, I am evaluating syncope for our usage. I would need to do bulk user 
creation from REST. I started to create single user from REST client and it 
fails.
From Postman, I tried to create a user with the inputs below. I get '400 Bad 
Request'.

If there is anything wrong in the request, please correct me. Are all fields 
mandatory during user creation?


POST - http://135.249.22.223:8080/syncope/rest/users

Authorization:
Basic Auth - admin/password

Headers:
Content-type: application/json

Body:
{
  "@class": "org.apache.syncope.common.lib.to.UserTO",
  "creator": "admin",
  "lastModifier": "admin",
  "key": "rest1",
  "type": "USER",
  "realm": "/",
  "status": "Active",
  "auxClasses": [],
  "plainAttrs": [],
  "derAttrs": [],
  "virAttrs": [],
  "resources": []
}

Hi,
you should remove (not troublesome, just ignored):

* creator
* lastModifier
* key
* status

About what is mandatory, I can see there is no username.
Moreover, it depends on how you have your schemas and classes configured.

Please also take a look at logs to figure out what might go wrong.

Regards.


RE: Syncope user creation from REST client

2016-09-19 Thread Mani, Vellingiri (Nokia - IN)
Hi Francesco,

I have a use case where I need to add thousands or more users in a single 
request.  i.e. bulk user creation.
Is it possible in Syncope ?

Regards,
Vellingiri

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, September 19, 2016 3:46 PM
To: user@syncope.apache.org
Subject: Re: Syncope user creation from REST client

On 19/09/2016 12:15, Mani, Vellingiri (Nokia - IN) wrote:
Thanks Francesco!!
After adding username, it works.

Glad it helped :-)
Regards.


From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, September 19, 2016 3:39 PM
To: user@syncope.apache.org
Subject: Re: Syncope user creation from REST client

On 19/09/2016 12:03, Mani, Vellingiri (Nokia - IN) wrote:
Hi,

Currently, I am evaluating syncope for our usage. I would need to do bulk user 
creation from REST. I started to create single user from REST client and it 
fails.
From Postman, I tried to create a user with the inputs below. I get '400 Bad 
Request'.

If there is anything wrong in the request, please correct me. Are all fields 
mandatory during user creation?


POST - http://135.249.22.223:8080/syncope/rest/users

Authorization:
Basic Auth - admin/password

Headers:
Content-type: application/json

Body:
{
  "@class": "org.apache.syncope.common.lib.to.UserTO",
  "creator": "admin",
  "lastModifier": "admin",
  "key": "rest1",
  "type": "USER",
  "realm": "/",
  "status": "Active",
  "auxClasses": [],
  "plainAttrs": [],
  "derAttrs": [],
  "virAttrs": [],
  "resources": []
}

Hi,
you should remove (not troublesome, just ignored):

* creator
* lastModifier
* key
* status

About what is mandatory, I can see there is no username.
Moreover, it depends on how you have your schemas and classes configured.

Please also take a look at logs to figure out what might go wrong.

Regards.

