RE: Differentiating unknown user and known user with wrong password ?
Hi Francesco,

I added suspended to the authentication.statuses parameter but still the response is "401 Unauthorized".

Regards,
Vellingiri

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, October 24, 2016 8:30 PM
To: user@syncope.apache.org
Subject: Re: Differentiating unknown user and known user with wrong password ?

On 24/10/2016 16:52, Mani, Vellingiri (Nokia - IN) wrote:
> Hi Francesco,
> I understand. For a suspended user, the response is 401. Is it for the same reason?

Not quite: this is because of the authentication.statuses configuration parameter
https://syncope.apache.org/docs/reference-guide.html#configuration-parameters
which does not contain 'suspended' by default; when you add it to the list of supported statuses for authentication, suspended users will be able to authenticate themselves.

HTH
Regards.

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, October 24, 2016 12:44 PM
To: user@syncope.apache.org
Subject: Re: Differentiating unknown user and known user with wrong password ?

On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:
> Hi,
> Same response code (401) from Syncope during self-authentication [1] for both unknown user and known user with wrong password.
>
> [1] http://10.10.10.10:8080/syncope/rest/users/self
>
> How can we distinguish between the unknown user and the known user with wrong password?

This is on purpose: if there were different HTTP statuses, an attacker could exploit it to enumerate the existing users.

Having said that, and even if I would not advise it, there is the chance to override such behaviour - in Syncope there is always a means to override ;-) - by tweaking the Spring Security configuration: see some recent e-mail about this topic for more details.

Regards.

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
RE: Differentiating unknown user and known user with wrong password ?
Hi Francesco,

I understand. For a suspended user, the response is 401. Is it for the same reason?

Regards,
Vellingiri

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, October 24, 2016 12:44 PM
To: user@syncope.apache.org
Subject: Re: Differentiating unknown user and known user with wrong password ?

On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:
> Hi,
> Same response code (401) from Syncope during self-authentication [1] for both unknown user and known user with wrong password.
>
> [1] http://10.10.10.10:8080/syncope/rest/users/self
>
> How can we distinguish between the unknown user and the known user with wrong password?

This is on purpose: if there were different HTTP statuses, an attacker could exploit it to enumerate the existing users.

Having said that, and even if I would not advise it, there is the chance to override such behaviour - in Syncope there is always a means to override ;-) - by tweaking the Spring Security configuration: see some recent e-mail about this topic for more details.

Regards.
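The behaviour Francesco describes in this thread, as an added Python model (not Syncope's own code): every failed self-authentication returns the same 401, whether the user is unknown, the password is wrong, or the user's status is not in authentication.statuses, and only the server log records which check failed. The user store, the hashing scheme and the log format are constructed for the example.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("auth")

def _hash(password):
    # Constructed sample hashing for the model; Syncope's real password scheme is configurable.
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed user store standing in for Syncope's internal storage.
USERS = {
    "alice": {"password": _hash("correct-horse"), "status": "active"},
    "bob": {"password": _hash("battery-staple"), "status": "suspended"},
}
_DUMMY_HASH = _hash("placeholder")  # compared against when the user does not exist

def authenticate(username, password, authentication_statuses=("active",)):
    """Model of a self-authentication request: returns (http_status, body).
    Every failure yields the same status and body, so the caller cannot tell an
    unknown user from a wrong password or a disallowed status; the real reason
    goes only to the server log, where an operator can review it."""
    user = USERS.get(username)
    supplied = _hash(password)
    if user is None:
        # Compare anyway so the unknown-user path costs about the same as a real check.
        hmac.compare_digest(_DUMMY_HASH, supplied)
        reason = "unknown user"
    elif not hmac.compare_digest(user["password"], supplied):
        reason = "wrong password"
    elif user["status"] not in authentication_statuses:
        # This is the case the thread hits: 'suspended' is not in the default list.
        reason = "status %r not in authentication.statuses" % user["status"]
    else:
        log.info("self-authentication succeeded for %r", username)
        return 200, "user %s" % username
    log.info("self-authentication failed for %r: %s", username, reason)
    return 401, "Unauthorized"
```

Passing ("active", "suspended") as authentication_statuses is the equivalent of adding suspended to the configuration parameter: the suspended user then authenticates, while the other two failures remain indistinguishable.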
RE: Syncope user creation from REST client
Ok. I understand your response.

> which is the source for these users?

Actually, we have user information in a text/excel file. Creating users manually is a difficult job. We don't have an external connector.

Regards,
Vellingiri

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, September 19, 2016 4:00 PM
To: user@syncope.apache.org
Subject: Re: Syncope user creation from REST client

On 19/09/2016 12:22, Mani, Vellingiri (Nokia - IN) wrote:
> Hi Francesco,
> I have a use case where I need to add thousands or more users in a single request, i.e. bulk user creation. Is it possible in Syncope?

Bulk actions are available for the operations defined at [1] (see some samples at [2] under the "Delete several users at once" example) - which does not include create.

Instead of bulk creating thousand users via REST, I would rather suggest to rely on some external connector: which is the source for these users? Can't they be pulled from DB / LDAP / ...?

Regards.

[1] https://github.com/apache/syncope/blob/2_0_X/common/lib/src/main/java/org/apache/syncope/common/lib/to/BulkAction.java#L41-L46
[2] http://syncope.apache.org/docs/reference-guide.html#client-library

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, September 19, 2016 3:46 PM
To: user@syncope.apache.org
Subject: Re: Syncope user creation from REST client

On 19/09/2016 12:15, Mani, Vellingiri (Nokia - IN) wrote:
> Thanks Francesco!! After adding username, it works.

Glad it helped :-)

Regards.

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, September 19, 2016 3:39 PM
To: user@syncope.apache.org
Subject: Re: Syncope user creation from REST client

On 19/09/2016 12:03, Mani, Vellingiri (Nokia - IN) wrote:
> Hi,
> Currently, I am evaluating Syncope for our usage. I would need to do bulk user creation from REST. I started to create a single user from the REST client and it fails.
>
> From Postman, I tried to create a user with the below inputs. I get '400 Bad Request'. If there is anything wrong in the request, please correct me. Are all fields mandatory during user creation?
>
> POST - http://135.249.22.223:8080/syncope/rest/users
> Authorization: Basic Auth - admin/password
> Headers: Content-type: application/json
> Body:
> {
>   "@class": "org.apache.syncope.common.lib.to.UserTO",
>   "creator": "admin",
>   "lastModifier": "admin",
>   "key": "rest1",
>   "type": "USER",
>   "realm": "/",
>   "status": "Active",
>   "auxClasses": [],
>   "plainAttrs": [],
>   "derAttrs": [],
>   "virAttrs": [],
>   "resources": []
> }

Hi,
you should remove (not troublesome, just ignored):

* creator
* lastModifier
* key
* status

About what is mandatory, I can see there is no username. Moreover, it depends on how you have your schemas and classes configured.

Please also take a look at logs to figure out what might go wrong.

Regards.
RE: Syncope user creation from REST client
Hi Francesco,

I have a use case where I need to add thousands or more users in a single request, i.e. bulk user creation. Is it possible in Syncope?

Regards,
Vellingiri

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, September 19, 2016 3:46 PM
To: user@syncope.apache.org
Subject: Re: Syncope user creation from REST client

On 19/09/2016 12:15, Mani, Vellingiri (Nokia - IN) wrote:
> Thanks Francesco!! After adding username, it works.

Glad it helped :-)

Regards.

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, September 19, 2016 3:39 PM
To: user@syncope.apache.org
Subject: Re: Syncope user creation from REST client

On 19/09/2016 12:03, Mani, Vellingiri (Nokia - IN) wrote:
> Hi,
> Currently, I am evaluating Syncope for our usage. I would need to do bulk user creation from REST. I started to create a single user from the REST client and it fails.
>
> From Postman, I tried to create a user with the below inputs. I get '400 Bad Request'. If there is anything wrong in the request, please correct me. Are all fields mandatory during user creation?
>
> POST - http://135.249.22.223:8080/syncope/rest/users
> Authorization: Basic Auth - admin/password
> Headers: Content-type: application/json
> Body:
> {
>   "@class": "org.apache.syncope.common.lib.to.UserTO",
>   "creator": "admin",
>   "lastModifier": "admin",
>   "key": "rest1",
>   "type": "USER",
>   "realm": "/",
>   "status": "Active",
>   "auxClasses": [],
>   "plainAttrs": [],
>   "derAttrs": [],
>   "virAttrs": [],
>   "resources": []
> }

Hi,
you should remove (not troublesome, just ignored):

* creator
* lastModifier
* key
* status

About what is mandatory, I can see there is no username. Moreover, it depends on how you have your schemas and classes configured.

Please also take a look at logs to figure out what might go wrong.

Regards.
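The user-creation request discussed in this thread, as an added Python example (not Syncope's client library or any code from the thread): rows of a text/CSV export are turned into UserTO bodies with the server-managed fields dropped and username added, and each is sent as its own POST to /users, since the BulkAction operations do not include create. The CSV content, the host name and the 'email' plain schema are assumptions for the example.

```python
import base64, csv, io, json, urllib.error, urllib.request

# Constructed sample of the text file holding the users (the thread mentions a text/excel source).
SAMPLE_CSV = """username,password,email,realm
rest1,Password123!,rest1@example.com,/
rest2,Password456!,rest2@example.com,
"""

def build_user_to(row):
    """Build the JSON body for one user. creator, lastModifier, key and status are
    server-managed and left out (the thread's request had them ignored); username is
    required. The 'email' plain schema is assumed to exist in the target realm."""
    body = {
        "@class": "org.apache.syncope.common.lib.to.UserTO",
        "type": "USER",
        "realm": row.get("realm") or "/",  # empty realm column falls back to the root realm
        "username": row["username"],
        "password": row["password"],
        "auxClasses": [], "plainAttrs": [], "derAttrs": [], "virAttrs": [], "resources": [],
    }
    if row.get("email"):
        body["plainAttrs"].append({"schema": "email", "values": [row["email"]]})
    return body

def parse_users(text):
    return [build_user_to(row) for row in csv.DictReader(io.StringIO(text))]

def post_user(base_url, admin, password, user_to, opener=urllib.request.urlopen):
    """POST one UserTO with HTTP Basic auth and return (status, body). An HTTP error
    is returned rather than raised so one bad row does not stop the whole batch."""
    token = base64.b64encode(("%s:%s" % (admin, password)).encode()).decode()
    req = urllib.request.Request(base_url + "/users", method="POST",
                                 data=json.dumps(user_to).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Authorization": "Basic " + token})
    try:
        with opener(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

if __name__ == "__main__":
    # Host and credentials are placeholders for the deployment used in the thread.
    for user_to in parse_users(SAMPLE_CSV):
        print(user_to["username"], post_user("http://SYNCOPE_HOST:8080/syncope/rest",
                                             "admin", "password", user_to))
```

A 400 for one row then shows up in the printed status and body for that user only, which is the quickest way to spot a missing mandatory attribute before looking at the server logs.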