Re: [Dev] Dynamic Values on attachPath for iterate mediator

2017-05-23 Thread Himasha Guruge
Hi,

You could have a look at [1] where templates can be used to specify dynamic
XPath expressions.

[1]
https://docs.wso2.com/display/ESB500/Sample+751%3A+Message+Split+Aggregate+Using+Templates

Thanks,
Himasha

On Wed, May 24, 2017 at 2:55 AM, Júnior  wrote:

> Hi,
>
> Is it possible to pass dynamic values to the attachPath of iterateMediator?
>
> I have a scenario where I'd like to apply the same iterate sequence to
> different payloads, and the only thing that I need to change is the
> attachPath and expression.
>
> Expression seems to work, but not attachPath.
>
> attachPath="$ctx:TAG"
>   continueParent="true"
>   expression="//imp1:Person"
>   preservePayload="true"
>   sequential="true">
>
>
> In this TAG property I have the attachPath XPath, but it seems that the
> code is evaluating only the string, not the XPath itself.
>
> Is there any way to achieve this? Or, using the iterate mediator this way,
> do I need to create the same iterate but with different configs?
>
>
>
> Thanks,
> --
> Francisco Ribeiro
> *SCEA|SCJP|SCWCD|IBM Certified SOA Associate*
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Himasha Guruge
*Software Engineer*
WS*O2* *Inc.*
Mobile: +94 777459299
himas...@wso2.com


Re: [Dev] Security using IS 5.3.0

2017-05-23 Thread Gayan Gunawardana
On Mon, May 22, 2017 at 3:55 PM, Melodias  wrote:

> Hi
> I would like to add extra security using IS 5.3.0.
>
> My first scenario is:
> I'm in London and I log in to my webApp using SSO IS 5.3.0. After 30
> minutes someone logs in to my account from Beijing. It is not possible that
> it was me, because 30 minutes before I was in London. Can IS send me an email
> that someone logged in to my account from Beijing?
>
In this case, do you want to proceed with the login from Beijing and send an
email just informing the user about the suspicious login, or do you want to
stop the login from Beijing with an email notification?

>
> My second scenario is:
> to have a trusted device. On first login I add my PC as a trusted device. To
> add the device, IS will send a message to my mobile phone with a code I have
> to write to add the trusted device. When I log in to my account from another
> device, then IS sends me an email with a message that someone is logging in to
> my account from an unknown device, and to log in I must have a new code to add
> the new device.
>
From the device side, which attribute can you send to identify the device? Is
there any capability to run an agent program from the device side?

>
> Is it possible to do these scenarios using IS?
>
> my regards
>
>
>



-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933


Re: [Dev] [IS] 6.0.0 roadmap

2017-05-23 Thread Gayan Gunawardana
On Mon, May 22, 2017 at 8:00 PM, Hanen Ben Rhouma 
wrote:

> Hello,
>
> Could you please state the new features and bug fixes introduced within IS
> 6.0.0.m2?
>
Basically focused on SCIM 2.0 support and bug fixes from 6.0.0-m1.

>
> And what's coming within the major release and its date please?
>
Plan is not yet finalized.

>
> Regards,
> Hanen
>
>
>


-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933


Re: [Dev] [WSO2-IoTS] What is correct tag or branch of cdmf-agent-android for use with v3.0.0

2017-05-23 Thread Lakshman Udayakantha
Hi Clovis,

Since the error says 500 internal server error, you have to look at the
wso2carbon.log for server errors.

Thanks,
Lakshman

On Wed, May 24, 2017 at 6:12 AM, Clovis Wichoski 
wrote:

> Hi Lakshman,
>
> I reviewed and can build better with version tag 3.1.7 of the agent, the
> problem before was about SSLv3 disabled on server, then on agent I forced
> to use a lower version. Now I can do enrollment, but can't get the
> notifications from server, debugging on device I get the following error:
>
> 05-23 20:41:43.474 2692-2692/org.wso2.iot.agent E/APIController:
> {"code":500,"message":"Internal server error.","description":"The server
> encountered an internal error. Please contact administrator.","moreInfo":"",
> "error":[]}
> 05-23 20:41:43.474 2692-2692/org.wso2.iot.agent E/APIController:
> com.android.volley.ServerError
>
> I tried to enable some DEBUG log, but can't find a useful message, appears
> to be a problem at server side now on
> org.wso2.carbon.device.mgt.mobile.android.api plugin.
>
> on Server I got:
> ==> core/repository/logs/http_access_2017-05-23.log <==
> 10.0.0.4 - - [23/May/2017:20:52:11 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
> 10.0.0.4 - - [23/May/2017:20:54:30 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
> 10.0.0.4 - - [23/May/2017:20:55:50 -0300] "POST /oauth2/token HTTP/1.1" 400 87 "-" "Synapse-PT-HttpComponents-NIO"
> 10.0.0.4 - - [23/May/2017:20:56:09 -0300] "POST /services/APIKeyValidationService HTTP/1.1" 200 3408 "-" "Axis2"
> 10.0.0.4 - - [23/May/2017:20:56:09 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
> 10.0.0.4 - - [23/May/2017:20:56:49 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
> 10.0.0.4 - - [23/May/2017:20:58:20 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
> 10.0.0.4 - - [23/May/2017:20:59:59 -0300] "POST /services/APIKeyValidationService HTTP/1.1" 200 7832 "-" "Axis2"
> 10.0.0.4 - - [23/May/2017:20:59:59 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
> 10.0.0.4 - - [23/May/2017:21:00:50 -0300] "POST /oauth2/token HTTP/1.1" 400 87 "-" "Synapse-PT-HttpComponents-NIO"
> 10.0.0.4 - - [23/May/2017:21:02:11 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
> 10.0.0.4 - - [23/May/2017:21:03:46 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
> 10.0.0.4 - - [23/May/2017:21:04:12 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
> 10.0.0.4 - - [23/May/2017:21:05:52 -0300] "POST /oauth2/token HTTP/1.1" 400 87 "-" "Synapse-PT-HttpComponents-NIO"
> 10.0.0.4 - - [23/May/2017:21:06:01 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
>
> Now I will try to check how to figure out why I got these errors.
>
> Best regards.
>
> Clóvis
>
>
>
> On 22 May 2017 05:24, "Lakshman Udayakantha"
> wrote:
>
> Hi Clovis,
>
> According to the compatibility doc [1], IOT 3.0.0 should work with agent
> 2.0.0 version. Could you check the tag and build and see? Anyway, can you
> see any error in log (server log or logcat)?
>
> [1] https://docs.wso2.com/display/IoTS300/WSO2+IoT+Server+and+Agent+Compatibility
>
> Thanks,
> Lakshman.
>
> On Sun, May 21, 2017 at 7:41 PM, Clovis Wichoski 
> wrote:
>
>>
>> Hi,
>>
>> I'm trying to configure and test with a Samsung Tablet SM-T560 that uses
>> Android Kitkat 4.4.4, when I try the application on emulator with same
>> version all works fine, but when used with a physical device I don't get
>> enrollment, I'm compiling the sources from git on branch release-2.0.0 (as
>> I see that some changes in APIs didn't work with new branches) that work
>> with version 3.0.0 of WSO2 IoTS.
>>
>> Can there be any specific issue with physical devices that differ from
>> emulator? Any clue? Maybe using another branch or tag?
>>
>> Best regards
>>
>> Clóvis
>>
>>
>>
>
>
> --
> Lakshman Udayakantha
> WSO2 Inc. www.wso2.com
> lean.enterprise.middleware
> Mobile: *0717429601*
>
>
>


-- 
Lakshman Udayakantha
WSO2 Inc. 

Re: [Dev] [WSO2-IoTS] What is correct tag or branch of cdmf-agent-android for use with v3.0.0

2017-05-23 Thread Clovis Wichoski
Hi Lakshman,

I reviewed and can build better with version tag 3.1.7 of the agent, the
problem before was about SSLv3 disabled on server, then on agent I forced
to use a lower version. Now I can do enrollment, but can't get the
notifications from server, debugging on device I get the following error:

05-23 20:41:43.474 2692-2692/org.wso2.iot.agent E/APIController:
{"code":500,"message":"Internal server error.","description":"The server
encountered an internal error. Please contact
administrator.","moreInfo":"","error":[]}
05-23 20:41:43.474 2692-2692/org.wso2.iot.agent E/APIController:
com.android.volley.ServerError

I tried to enable some DEBUG log, but can't find a useful message, appears
to be a problem at server side now on
org.wso2.carbon.device.mgt.mobile.android.api plugin.

on Server I got:
==> core/repository/logs/http_access_2017-05-23.log <==
10.0.0.4 - - [23/May/2017:20:52:11 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
10.0.0.4 - - [23/May/2017:20:54:30 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
10.0.0.4 - - [23/May/2017:20:55:50 -0300] "POST /oauth2/token HTTP/1.1" 400 87 "-" "Synapse-PT-HttpComponents-NIO"
10.0.0.4 - - [23/May/2017:20:56:09 -0300] "POST /services/APIKeyValidationService HTTP/1.1" 200 3408 "-" "Axis2"
10.0.0.4 - - [23/May/2017:20:56:09 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
10.0.0.4 - - [23/May/2017:20:56:49 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
10.0.0.4 - - [23/May/2017:20:58:20 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
10.0.0.4 - - [23/May/2017:20:59:59 -0300] "POST /services/APIKeyValidationService HTTP/1.1" 200 7832 "-" "Axis2"
10.0.0.4 - - [23/May/2017:20:59:59 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
10.0.0.4 - - [23/May/2017:21:00:50 -0300] "POST /oauth2/token HTTP/1.1" 400 87 "-" "Synapse-PT-HttpComponents-NIO"
10.0.0.4 - - [23/May/2017:21:02:11 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
10.0.0.4 - - [23/May/2017:21:03:46 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
10.0.0.4 - - [23/May/2017:21:04:12 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"
10.0.0.4 - - [23/May/2017:21:05:52 -0300] "POST /oauth2/token HTTP/1.1" 400 87 "-" "Synapse-PT-HttpComponents-NIO"
10.0.0.4 - - [23/May/2017:21:06:01 -0300] "PUT /api/device-mgt/android/v1.0/devices/17e2fad557210525/pending-operations HTTP/1.1" 500 160 "-" "Synapse-PT-HttpComponents-NIO"

Now I will try to check how to figure out why I got these errors.

Best regards.

Clóvis



On 22 May 2017 05:24, "Lakshman Udayakantha"
wrote:

Hi Clovis,

According to the compatibility doc [1], IOT 3.0.0 should work with agent
2.0.0 version. Could you check the tag and build and see? Anyway, can you
see any error in log (server log or logcat)?

[1] https://docs.wso2.com/display/IoTS300/WSO2+IoT+Server+and+Agent+Compatibility

Thanks,
Lakshman.

On Sun, May 21, 2017 at 7:41 PM, Clovis Wichoski 
wrote:

>
> Hi,
>
> I'm trying to configure and test with a Samsung Tablet SM-T560 that uses
> Android Kitkat 4.4.4, when I try the application on emulator with same
> version all works fine, but when used with a physical device I don't get
> enrollment, I'm compiling the sources from git on branch release-2.0.0 (as
> I see that some changes in APIs didn't work with new branches) that work
> with version 3.0.0 of WSO2 IoTS.
>
> Can there be any specific issue with physical devices that differ from emulator?
> Any clue? Maybe using another branch or tag?
>
> Best regards
>
> Clóvis
>
>
>


-- 
Lakshman Udayakantha
WSO2 Inc. www.wso2.com
lean.enterprise.middleware
Mobile: *0717429601*


[Dev] Dynamic Values on attachPath for iterate mediator

2017-05-23 Thread Júnior
Hi,

Is it possible to pass dynamic values to the attachPath of iterateMediator?

I have a scenario where I'd like to apply the same iterate sequence to
different payloads, and the only thing that I need to change is the
attachPath and expression.

Expression seems to work, but not attachPath.

 


In this TAG property I have the attachPath XPath, but it seems that the
code is evaluating only the string, not the XPath itself.

Is there any way to achieve this? Or, using the iterate mediator this way, do
I need to create the same iterate but with different configs?



Thanks,
-- 
Francisco Ribeiro
*SCEA|SCJP|SCWCD|IBM Certified SOA Associate*


Re: [Dev] Security using IS 5.3.0

2017-05-23 Thread Ruwan Abeykoon
Hi Melodias,
Both of your use cases need some level of customization and advanced
analytics.
Case 1: What you can do is to write a custom Authenticator (see [1]) to
evaluate the logic given. You can use WSO2 DAS [2] to perform analysis
about fraudulent activities and keep a table updated about Geo-Location and
time based information as your use case requires. Then the custom
authenticator can evaluate the analysis table to decide on sending an email as
per your requirement.

Case 2: This can also be done the same way as case 1, with a custom authenticator.
The difference here is that you may need to write some UI components to
manage the trusted devices. Current IS releases have no inbuilt capability
to identify the devices. However, you may find WSO2 IoT Server [3] better
suited to managing and identifying the trusted device.

[1] http://wso2.com/library/articles/2017/04/writing-a-custom-inbound-authenticator-for-wso2-identity-server/
[2] http://wso2.com/smart-analytics
[3] http://wso2.com/iot

Cheers,
Ruwan


On Mon, May 22, 2017 at 3:55 PM, Melodias  wrote:

> Hi
> I would like to add extra security using IS 5.3.0.
>
> My first scenario is:
> I'm in London and I log in to my webApp using SSO IS 5.3.0. After 30
> minutes someone logs in to my account from Beijing. It is not possible that
> it was me, because 30 minutes before I was in London. Can IS send me an email
> that someone logged in to my account from Beijing?
>
> My second scenario is:
> to have a trusted device. On first login I add my PC as a trusted device. To
> add the device, IS will send a message to my mobile phone with a code I have
> to write to add the trusted device. When I log in to my account from another
> device, then IS sends me an email with a message that someone is logging in to
> my account from an unknown device, and to log in I must have a new code to add
> the new device.
>
> Is it possible to do these scenarios using IS?
>
> my regards
>
>
>



-- 

*Ruwan Abeykoon*
*Associate Director/Architect**,*
*WSO2, Inc. http://wso2.com  *
*lean.enterprise.middleware.*
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
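
The geo-location and time check suggested for case 1 in the reply above, as an added example that is not part of the original thread and is not WSO2 code. It assumes each login event already carries a GeoIP-resolved latitude and longitude; the `Login` record, the 900 km/h speed ceiling, the 50 km minimum distance and the sample events are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, inf, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0     # assumption: GeoIP is coarse, ignore small jumps


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime  # timezone-aware timestamp of the successful login
    lat: float
    lon: float
    place: str


@dataclass(frozen=True)
class Alert:
    previous: Login
    current: Login
    distance_km: float
    speed_kmh: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH,
                           min_km=MIN_DISTANCE_KM):
    """Compare each login with the same user's previous login and return an
    Alert when the implied travel speed exceeds max_kmh."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.when - prev.when).total_seconds() / 3600.0
            # Simultaneous logins from two places imply infinite speed.
            speed = dist / hours if hours > 0 else inf
            if dist >= min_km and speed > max_kmh:
                alerts.append(Alert(prev, ev, dist, speed))
        # The newest login becomes the reference point for the next check.
        last_seen[ev.user] = ev
    return alerts


def _utc(hour, minute):
    return datetime(2017, 5, 22, hour, minute, tzinfo=timezone.utc)


# Constructed sample events (not taken from any real log).
SAMPLE_LOGINS = [
    Login("alice", _utc(10, 0), 51.5074, -0.1278, "London"),
    Login("bob", _utc(10, 5), 51.5074, -0.1278, "London"),
    Login("alice", _utc(10, 10), 51.5155, -0.0922, "London"),
    Login("alice", _utc(10, 40), 39.9042, 116.4074, "Beijing"),
    Login("bob", _utc(13, 5), 48.8566, 2.3522, "Paris"),
]

if __name__ == "__main__":
    for a in find_impossible_travel(SAMPLE_LOGINS):
        # A custom authenticator would send the notification email here.
        print(f"{a.current.user}: {a.previous.place} -> {a.current.place}, "
              f"{a.distance_km:.0f} km at {a.speed_kmh:.0f} km/h")
```

Whether a hit only triggers a notification or also blocks the login is the policy question raised earlier in the thread; the function only reports the pair of logins.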


Re: [Dev] [IS] Oauth2 token introspection URL Access

2017-05-23 Thread Dimuthu De Lanerolle
Hi Kawas,

Yes, Rest API works as you have mentioned correctly.

Regards
DimuthuD

On Tue, May 23, 2017 at 6:37 PM, kawas  wrote:

> Hello,
>
> After reading the documentation one more time, I finally found my error:
> My user is in a tenant
>
> Rest introspect URL is:
>   accessible by carbon admin with URL like: https://server/oauth2/introspect
>   and accessible by tenant users with URL like: https://server/t/tenant_domain/oauth2/introspect
>
> I was not thinking about tenant, because previously we were using the SOAP
> service for token validation and it was working without tenant domain
> prefix.
> - Can you confirm this specific behavior ?
>
> regards,
>
> Kawas
>
> On Tue, May 23, 2017 at 11:29 AM, Dimuthu De Lanerolle 
> wrote:
>
>> Hi Kawas,
>>
>> I hope you can get some idea on the permission level with the following
>> doc[1]
>>
>> [1] https://docs.wso2.com/display/IS530/Invoke+the+OAuth+Introspection+Endpoint
>>
>> Regards
>> DimuthuD
>>
>> On Tue, May 23, 2017 at 2:51 PM, kawas  wrote:
>>
>>> Hello,
>>>
>>> I would like to have a precision about the permission a user should have
>>> to access the OAuth2 token introspection URL
>>> ex: https://my-wso2-server:9443/oauth2/introspect
>>>
>>> It seems to work fine with admin/admin
>>> but failed for regular user even if I set identity > Application
>>> Management > View permission.
>>> I keep getting 403 forbidden
>>>
>>> I am using WSO2 IS 5.3.0
>>> - Could you tell me the proper permission to assign to a regular user to
>>> access this introspect endpoint ?
>>>
>>> Regards,
>>>
>>> Kawas
>>>
>>>
>>>
>>
>>
>> --
>> Dimuthu De Lanerolle
>> Software Engineer
>> WSO2 Inc.
>> lean . enterprise . middlewear.
>> http://wso2.com/
>> Tel. : +94 11 2145345  Fax : +94 11 2145300  email : dimut...@wso2.com
>>
>>
>


-- 
Dimuthu De Lanerolle
Software Engineer
WSO2 Inc.
lean . enterprise . middlewear.
http://wso2.com/
Tel. : +94 11 2145345  Fax : +94 11 2145300  email : dimut...@wso2.com


Re: [Dev] [IS] Oauth2 token introspection URL Access

2017-05-23 Thread kawas
Hello,

After reading the documentation one more time, I finally found my error: My
user is in a tenant

Rest introspect URL is:
  accessible by carbon admin with URL like: https://server/oauth2/introspect
  and accessible by tenant users with URL like:
https://server/t/tenant_domain/oauth2/introspect

I was not thinking about tenant, because previously we were using the SOAP
service for token validation and it was working without tenant domain
prefix.
- Can you confirm this specific behavior ?

regards,

Kawas

On Tue, May 23, 2017 at 11:29 AM, Dimuthu De Lanerolle 
wrote:

> Hi Kawas,
>
> I hope you can get some idea on the permission level with the following
> doc[1]
>
> [1] https://docs.wso2.com/display/IS530/Invoke+the+OAuth+Introspection+Endpoint
>
> Regards
> DimuthuD
>
> On Tue, May 23, 2017 at 2:51 PM, kawas  wrote:
>
>> Hello,
>>
>> I would like to have a precision about the permission a user should have
>> to access the OAuth2 token introspection URL
>> ex: https://my-wso2-server:9443/oauth2/introspect
>>
>> It seems to work fine with admin/admin
>> but failed for regular user even if I set identity > Application
>> Management > View permission.
>> I keep getting 403 forbidden
>>
>> I am using WSO2 IS 5.3.0
>> - Could you tell me the proper permission to assign to a regular user to
>> access this introspect endpoint ?
>>
>> Regards,
>>
>> Kawas
>>
>>
>>
>
>
> --
> Dimuthu De Lanerolle
> Software Engineer
> WSO2 Inc.
> lean . enterprise . middlewear.
> http://wso2.com/
> Tel. : +94 11 2145345  Fax : +94 11 2145300  email : dimut...@wso2.com
>
>


Re: [Dev] [DEV] [BPS] BPS 3.5.0. signals

2017-05-23 Thread Igor Golovko


Hi,

Sorry for long response.


1. We’ve done with puppet configuration, v2.1.0, hiera in particular, here is the link
https://github.com/wso2-attic/puppet-modules/releases/tag/v2.1.0 adding
kubernetes support with clustering

2. Then we built docker containers using scripts, v1.0.0, here is repo:
https://github.com/wso2-attic/dockerfiles/releases/tag/v1.0.0 like
“./build.sh -v 3.5.0 -s kubernetes -r puppet -l "manager|worker"”

Thanks


From: Lakshman Udayakantha [mailto:lakshm...@wso2.com]
Sent: Monday, May 22, 2017 4:08 PM
To: Igor Golovko >; WSO2 
Developers' List >
Subject: Re: [Dev] [DEV] [BPS] BPS 3.5.0. signals


On Mon, May 22, 2017 at 6:22 PM, Igor Golovko 
> wrote:
Thanks for a quick answer.

We use BPS 3.5.0 because of kubernetes support. But as far as I know BPS 3.6.0 
doesn’t support kubernetes.
Do you plan to fix BPS 3.5.0. signals or maybe you plan add kubernetes support 
on 3.6.0 ?

How do you build the Kubernetes artifacts?

Thanks,
Lakshman.

Thanks,
Igor Golovko


From: Lakshman Udayakantha 
[mailto:lakshm...@wso2.com]
Sent: Monday, May 22, 2017 3:11 PM
To: Igor Golovko >
Cc: dev@wso2.org; Hasitha Aravinda 
>; Amal Gunatilake 
>; Vinod Kavinda 
>; Isuru Wijesinghe 
>; Milinda Perera 
>
Subject: Re: [Dev] [DEV] [BPS] BPS 3.5.0. signals

Hi Igor,

You can migrate to the 3.6.0 version by following the migration doc [1], since this
issue is resolved there.

[1] https://docs.wso2.com/display/BPS360/Upgrading+to+the+Latest+BPS+Version

Thanks,
Lakshman.

On Mon, May 22, 2017 at 5:34 PM, Lakshman Udayakantha 
> wrote:
[Adding BPS folks]

On Mon, May 22, 2017 at 5:26 PM, Igor Golovko 
> wrote:
Dear dev team, we have a problem with wso2 BPS 3.5.0.
We have bps-process with signal boundary events.
We try to activate request and when send request from rest api, this signal 
events didn’t activate.
We send next request:

[cid:image001.png@01D2D3B0.A5750460]

Response:
[cid:image002.jpg@01D2D3B0.A5750460]
P.S In version 3.6.0 of WSO2 BPS, that works well.

Best regards,
Igor Golovko




This e-mail may contain privileged and confidential information. If you are not 
the intended recipient, be aware that any use, disclosure, copying or 
distribution of this e-mail or any attachments is prohibited. If you have 
received this e-mail in error, please notify us immediately by returning it to 
the sender and delete this copy from your system. Thank you.






--
Lakshman Udayakantha
WSO2 Inc. www.wso2.com
lean.enterprise.middleware
Mobile: 0717429601






Re: [Dev] [Carbon] Clarifications about keystores in WSO2 Products

2017-05-23 Thread Niranjan Karunanandham
Hi Dilan,

On Tue, May 23, 2017 at 3:44 PM, Dilan Udara Ariyaratne 
wrote:

>
> Hi Niranjan,
>
> On Mon, May 22, 2017 at 5:54 PM, Niranjan Karunanandham  > wrote:
>
>> Hi Dilan,
>>
>> On Mon, May 22, 2017 at 5:11 PM, Dilan Udara Ariyaratne 
>> wrote:
>>
>>> Hi Niranjan,
>>>
>>> On Mon, May 22, 2017 at 2:48 PM, Niranjan Karunanandham <
>>> niran...@wso2.com> wrote:
>>>
 Hi Dilan,

 On Fri, May 5, 2017 at 7:15 PM, Dilan Udara Ariyaratne  wrote:

> Hi Folks,
>
> Following conceptions are still there regarding keystores used in WSO2
> products.
>
>1. Primary KeyStore must contain only one private key. There can
>not be two private keys. (This is due to some issue in WSO2 products 
> which
>may be fixed in future).
>2. Primary KeyStore must contain *same* password as KeyStore
>password and private key password. (This is due to some issue in WSO2
>products which may be fixed in future)
>
> Are these conceptions still valid or have these issues been already
> fixed ?
>

 In WSO2 Carbon there are multiple keystores. I believe the above
 keystore that you have mentioned is only the Keystore [1] in carbon.xml. In
 4.4.x, this keystore is only used for secure vault only.

>>>
>>> Aren't those secure vault configurations for keystores configured in 
>>> secret-conf.properties
>>> ?
>>>
>>
>> This file is created by the cipher tool script file. It reads the
>> carbon.xml and creates this file. You can find info on these files in [1].
>>
>
> Yes, it's true that secret-conf.properties file is created once you run
> cipher tool. But from a user's point of view, if someone wants to configure
> a keystore for secure-vault, file to configure that is secret-conf.properties,
> right ?
>

The secret-conf.properties is for configuring the keystore in a wso2
product. When you execute the cipher-tool script, it creates the
secret-conf.properties, with some configuration such as callback handler,
etc... The customer can write custom components for that and then configure
the secret-conf.properties to that component. Also in the code, it checks
if the secret-conf.properties is there and the values are there. Based on
this information, it figures out whether secure vault is enabled or not.
Also, the cipher-tool script can be used standalone, i.e., in non wso2 products,
in which case it creates the keystore, which can be modified. You can find
out about this in [1].


>
>
>>
>>
>>>
>>>
>>> As you have mentioned, in 4.4.x, if secure vault is enabled, then at the
 server startup, it will ask for a single password which it uses for both
 the Keystore and private key password.

>>>
>>> In https://docs.wso2.com/display/ADMIN44x/Using+Asymmetric+Encryption,
>>> it says that "You must have the same password for both keystore and
>>> private key due to a Tomcat limitation"
>>> and therefore, it seems not because of secure vault.
>>>
>>
>> I was referring to the limitation on the same password to be used at the
>> server started which uses the secure vault JKS which is used to decrypt the
>> passwords. With regard to this, you need to check the tomcat documentation
>> and verify this. Anyway here if we have separate JKS for secure vault and
>> tomcat ssl we can have separate passwords for both JKS. Any particular
>> reason as to why you need to have a separate keystore password and private
>> key password for SSL which is in an isolated JKS?
>>
>>
>>>
>>>
 IMO since this is only for secure vault, we can have the same password.
 In-addition AFAIK we can have multiple private key here. In 4.4.x, the JKS
 for ssl has been moved to catalina-server.xml. Therefore a separate
 keystore can be maintained for this. These two configuration are mentioned
 in [2].

> Thanks.
> *Dilan U. Ariyaratne*
> Senior Software Engineer
> WSO2 Inc. 
> Mobile: +94766405580
> lean . enterprise . middleware
>
>
>
>
 [1] -
 
 
 ${carbon.home}/repository/resources/security/wso2carbon.jks
 
 JKS
 
 wso2carbon
 
 wso2carbon
 
 wso2carbon
 

 [2] - https://docs.wso2.com/display/ADMIN44x/Configuring+Keystores+in+WSO2+Products

 Regards,
 Nira

 --


 *Niranjan Karunanandham*
 Associate Technical Lead - WSO2 Inc.
 WSO2 Inc.: http://www.wso2.com


>>>
>> [1] - https://docs.wso2.com/display/ADMIN44x/Carbon+Secure+Vault+Implementation
>>
>> Regards,
>> Nira
>>
>> --
>>
>>
>> *Niranjan 

Re: [Dev] [Carbon] Clarifications about keystores in WSO2 Products

2017-05-23 Thread Niranjan Karunanandham
Hi Dilan,

On Tue, May 23, 2017 at 3:32 PM, Dilan Udara Ariyaratne 
wrote:

>
> On Mon, May 22, 2017 at 5:46 PM, Niranjan Karunanandham  > wrote:
>
>> Hi Dilan,
>>
>> On Mon, May 22, 2017 at 5:27 PM, Dilan Udara Ariyaratne 
>> wrote:
>>
>>> And also there is a concept called encrypting registry data.
>>> Is this feature supported in carbon 4.4.x and if "YES", is this done via
>>> the keystore configured in carbon.xml ? I could not find proper
>>> documentation for this.
>>>
>> Can you explain about this please? Are you referring to data being
>> encrypted when added to the registry from the UI say password field. If so,
>> then this uses the secure vault.
>>
>
> Yes, I was referring to encrypting registry resources such as scripts,
> configuration files and etc, but not passwords.
>

If these resources are being encrypted, then the recommended approach is to
use the secure vault for the encryption and decryption. You will have to
check the source code of those respective components.


>
>
>>
>>> Thanks,
>>> Dilan.
>>>
>>>
>>> *Dilan U. Ariyaratne*
>>> Senior Software Engineer
>>> WSO2 Inc. 
>>> Mobile: +94766405580
>>> lean . enterprise . middleware
>>>
>>>
>>> On Mon, May 22, 2017 at 5:11 PM, Dilan Udara Ariyaratne >> > wrote:
>>>
 Hi Niranjan,

 On Mon, May 22, 2017 at 2:48 PM, Niranjan Karunanandham <
 niran...@wso2.com> wrote:

> Hi Dilan,
>
> On Fri, May 5, 2017 at 7:15 PM, Dilan Udara Ariyaratne <
> dil...@wso2.com> wrote:
>
>> Hi Folks,
>>
>> Following conceptions are still there regarding keystores used in
>> WSO2 products.
>>
>>1. Primary KeyStore must contain only one private key. There can
>>not be two private keys. (This is due to some issue in WSO2 products 
>> which
>>may be fixed in future).
>>2. Primary KeyStore must contain *same* password as KeyStore
>>password and private key password. (This is due to some issue in WSO2
>>products which may be fixed in future)
>>
>> Are these conceptions still valid or have these issues been already
>> fixed ?
>>
>
> In WSO2 Carbon there are multiple keystores. I believe the above
> keystore that you have mentioned is only the Keystore [1] in carbon.xml. 
> In
> 4.4.x, this keystore is only used for secure vault only.
>

 Aren't those secure vault configurations for keystores configured in 
 secret-conf.properties
 ?

 As you have mentioned, in 4.4.x, if secure vault is enabled, then at
> the server startup, it will ask for a single password which it uses for
> both the Keystore and private key password.
>

 In https://docs.wso2.com/display/ADMIN44x/Using+Asymmetric+Encryption,
 it says that "You must have the same password for both keystore and
 private key due to a Tomcat limitation"
 and therefore, it seems not because of secure vault.


> IMO since this is only for secure vault, we can have the same
> password. In-addition AFAIK we can have multiple private key here. In
> 4.4.x, the JKS for ssl has been moved to catalina-server.xml. Therefore a
> separate keystore can be maintained for this. These two configuration are
> mentioned in [2].
>
>> Thanks.
>> *Dilan U. Ariyaratne*
>> Senior Software Engineer
>> WSO2 Inc. 
>> Mobile: +94766405580 <%2B94766405580>
>> lean . enterprise . middleware
>>
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
> [1] -
> <KeyStore>
>     <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
>     <Type>JKS</Type>
>     <Password>wso2carbon</Password>
>     <KeyAlias>wso2carbon</KeyAlias>
>     <KeyPassword>wso2carbon</KeyPassword>
> </KeyStore>
>
> [2] - https://docs.wso2.com/display/ADMIN44x/Configuring+Keystores+in+WSO2+Products
>
> Regards,
> Nira
>
> --
>
>
> *Niranjan Karunanandham*
> Associate Technical Lead - WSO2 Inc.
> WSO2 Inc.: http://www.wso2.com
>
>

>>>
>>
>>
>> --
>>
>>
>> *Niranjan Karunanandham*
>> Associate Technical Lead - WSO2 Inc.
>> WSO2 Inc.: http://www.wso2.com
>>
>>
>
Regards,
Nira

-- 


*Niranjan Karunanandham*
Associate Technical Lead - WSO2 Inc.
WSO2 Inc.: http://www.wso2.com


Re: [Dev] [IS] Integrity constraint violation when revoking multiple entries from access token table

2017-05-23 Thread Sathya Bandara
Hi,

This issue occurred since I was using the same TOKEN_STATE_ID and
TOKEN_STATE in the batch update operation of access tokens which creates
duplicate entries violating the unique constraint on CON_APP_KEY index.

This was resolved with the following approach;

UPDATE IDN_OAUTH2_ACCESS_TOKEN SET TOKEN_STATE= "REVOKED", TOKEN_STATE_ID=
"78c4e5cc-382a-4af0-8bb1-bef58a7c824a" WHERE TOKEN_STATE="ACTIVE" AND
CONSUMER_KEY_ID = (SELECT ID FROM IDN_OAUTH_CONSUMER_APPS WHERE
CONSUMER_KEY = "OazCSjIjOw2wHp9uhf7x2wJbfxga" ) AND TENANT_ID != -1234

Through this way I'm only revoking the tokens in active state(only a single
entry is updated to 'revoked' state) which avoids setting duplicate entries
of access tokens in revoked state with the same state ID.


Best regards,
Sathya

On Tue, May 23, 2017 at 1:24 PM, Danushka Fernando 
wrote:

> Hi Sathya
>
> Please find my comments inline.
>
> On Tue, May 23, 2017 at 12:29 PM, Sathya Bandara  wrote:
>
>> Hi all,
>>
>> It is required to alter the state of  access tokens from 'active' to
>> 'revoked' of multiple entries in the IDN_OAUTH2_ACCESS_TOKEN table for the
>> scenario where access tokens issued to other tenants by a saas application,
>> need to be revoked when saas is disabled. I used the following query to
>> achieve this;
>>
>> "UPDATE IDN_OAUTH2_ACCESS_TOKEN SET TOKEN_STATE=?, TOKEN_STATE_ID=? WHERE
>> CONSUMER_KEY_ID = (SELECT ID FROM IDN_OAUTH_CONSUMER_APPS WHERE
>> CONSUMER_KEY = ? ) AND TENANT_ID != ? "
>>
> Have you tested this query directly in some sql console? So is it giving
> the same error when you do that?
>
>>
>>- Parameter 1(Access token state): REVOKED
>>- Parameter 2(Token state id): if access token is in active state the
>>state id should be 'NONE' if in revoked state it should be updated with a
>>unique string
>>- Parameter 3(consumer key): client ID of oauth application
>>- Parameter 4(tenant id): application tenant ID
>>
>>
>> This gives
>> com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException:
>> Duplicate entry '1-admin-1-PRIMARY-APPLICATION_USER-369db21a386ae433e65c0ff34d357'
>> for key 'CON_APP_KEY' exception which occurs because of the unique
>> constraint violation on CON_APP_KEY index;
>>
> Here it says duplicate entry. So did you check whether your database
> contains any values similar to what you are trying to update?
>
>>
>> Index: CON_APP_KEY
>> Definition:
>>   Type: BTREE
>>   Unique: Yes
>>   Columns: CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, USER_DOMAIN, USER_TYPE,
>>            TOKEN_SCOPE_HASH, TOKEN_STATE, TOKEN_STATE_ID
>>
>> Is it possible to perform multiple entry update operations without having
>> to update a single entry at a time in Access token table? Appreciate your
>> help on this.
>>
>> Best regards,
>> Sathya
>>
>> --
>> Sathya Bandara
>> Software Engineer
>> WSO2 Inc. http://wso2.com
>> Mobile: (+94) 715 360 421 <+94%2071%20411%205032>
>>
>> <+94%2071%20411%205032>
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
> Thanks & Regards
> Danushka Fernando
> Associate Tech Lead
> WSO2 inc. http://wso2.com/
> Mobile : +94716332729 <+94%2071%20633%202729>
>
>


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421 <+94%2071%20411%205032>

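The failure and the fix described in the message above can be reproduced on a cut-down copy of the table. This is an added example, not WSO2 Identity Server code: SQLite stands in for MySQL, the schema keeps only the columns of the CON_APP_KEY index, and the rows, consumer key and helper names are constructed for illustration.

```python
import sqlite3
import uuid

# Simplified, constructed schema: the columns of the CON_APP_KEY index named
# in the thread plus a token id. SQLite stands in for MySQL here.
SCHEMA = """
CREATE TABLE IDN_OAUTH_CONSUMER_APPS (
    ID INTEGER PRIMARY KEY, CONSUMER_KEY TEXT UNIQUE, TENANT_ID INTEGER);
CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN (
    TOKEN_ID TEXT PRIMARY KEY, CONSUMER_KEY_ID INTEGER, AUTHZ_USER TEXT,
    TENANT_ID INTEGER, USER_DOMAIN TEXT, USER_TYPE TEXT,
    TOKEN_SCOPE_HASH TEXT, TOKEN_STATE TEXT, TOKEN_STATE_ID TEXT);
CREATE UNIQUE INDEX CON_APP_KEY ON IDN_OAUTH2_ACCESS_TOKEN (
    CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, USER_DOMAIN, USER_TYPE,
    TOKEN_SCOPE_HASH, TOKEN_STATE, TOKEN_STATE_ID);
"""

APP_TENANT = -1234                    # tenant that owns the SaaS application
CONSUMER_KEY = "sample-consumer-key"  # constructed value

# Constructed rows: (token id, user, tenant, state, state id). The user
# "admin" in tenant 1 has two old tokens and one active token for one scope.
ROWS = [
    ("t1", "admin", 1, "EXPIRED", "11111111-aaaa"),
    ("t2", "admin", 1, "EXPIRED", "22222222-bbbb"),
    ("t3", "admin", 1, "ACTIVE", "NONE"),
    ("t4", "alice", 2, "ACTIVE", "NONE"),
    ("t5", "admin", APP_TENANT, "ACTIVE", "NONE"),
]

# The original batch statement from the thread, and the corrected one that
# only touches rows still in the ACTIVE state.
REVOKE_ANY_STATE = (
    "UPDATE IDN_OAUTH2_ACCESS_TOKEN SET TOKEN_STATE = ?, TOKEN_STATE_ID = ? "
    "WHERE CONSUMER_KEY_ID = (SELECT ID FROM IDN_OAUTH_CONSUMER_APPS "
    "WHERE CONSUMER_KEY = ?) AND TENANT_ID != ?"
)
REVOKE_ACTIVE_ONLY = REVOKE_ANY_STATE + " AND TOKEN_STATE = 'ACTIVE'"


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO IDN_OAUTH_CONSUMER_APPS VALUES (1, ?, ?)",
                 (CONSUMER_KEY, APP_TENANT))
    conn.executemany(
        "INSERT INTO IDN_OAUTH2_ACCESS_TOKEN VALUES "
        "(?, 1, ?, ?, 'PRIMARY', 'APPLICATION_USER', 'scopehash', ?, ?)",
        ROWS)
    conn.commit()
    return conn


def collision_groups(conn, consumer_key, app_tenant):
    """Key tuples for which the unfiltered UPDATE would touch several rows.

    Every such group ends up with identical TOKEN_STATE and TOKEN_STATE_ID
    values, which is exactly what the unique index forbids.
    """
    return conn.execute(
        "SELECT AUTHZ_USER, TENANT_ID, COUNT(*) FROM IDN_OAUTH2_ACCESS_TOKEN "
        "WHERE CONSUMER_KEY_ID = (SELECT ID FROM IDN_OAUTH_CONSUMER_APPS "
        "WHERE CONSUMER_KEY = ?) AND TENANT_ID != ? "
        "GROUP BY CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, USER_DOMAIN, "
        "USER_TYPE, TOKEN_SCOPE_HASH HAVING COUNT(*) > 1",
        (consumer_key, app_tenant)).fetchall()


def revoke(conn, consumer_key, app_tenant, active_only):
    """Run one batch revocation; the whole batch shares one state id."""
    sql = REVOKE_ACTIVE_ONLY if active_only else REVOKE_ANY_STATE
    state_id = str(uuid.uuid4())
    with conn:  # commits on success, rolls back if the index is violated
        return conn.execute(
            sql, ("REVOKED", state_id, consumer_key, app_tenant)).rowcount


def token_states(conn):
    """Map token id to its current state."""
    return dict(conn.execute(
        "SELECT TOKEN_ID, TOKEN_STATE FROM IDN_OAUTH2_ACCESS_TOKEN"))


def demo():
    conn = build_db()
    before = token_states(conn)
    try:
        revoke(conn, CONSUMER_KEY, APP_TENANT, active_only=False)
        unfiltered = "updated"
    except sqlite3.IntegrityError as exc:
        unfiltered = "rejected: %s" % exc
    unchanged = token_states(conn) == before  # failed batch revoked nothing
    revoked = revoke(conn, CONSUMER_KEY, APP_TENANT, active_only=True)
    return unfiltered, unchanged, revoked, token_states(conn)


if __name__ == "__main__":
    print(collision_groups(build_db(), CONSUMER_KEY, APP_TENANT))
    print(demo())
```

When the unfiltered batch is rejected, no token changes state, so every token issued to the other tenants stays ACTIVE until the corrected statement runs.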


Re: [Dev] [Carbon] Clarifications about keystores in WSO2 Products

2017-05-23 Thread Dilan Udara Ariyaratne
Hi Niranjan,

On Mon, May 22, 2017 at 5:54 PM, Niranjan Karunanandham 
wrote:

> Hi Dilan,
>
> On Mon, May 22, 2017 at 5:11 PM, Dilan Udara Ariyaratne 
> wrote:
>
>> Hi Niranjan,
>>
>> On Mon, May 22, 2017 at 2:48 PM, Niranjan Karunanandham <
>> niran...@wso2.com> wrote:
>>
>>> Hi Dilan,
>>>
>>> On Fri, May 5, 2017 at 7:15 PM, Dilan Udara Ariyaratne 
>>> wrote:
>>>
 Hi Folks,

 Following conceptions are still there regarding keystores used in WSO2
 products.

1. Primary KeyStore must contain only one private key. There can
not be two private keys. (This is due to some issue in WSO2 products 
 which
may be fixed in future).
2. Primary KeyStore must contain *same* password as KeyStore
password and private key password. (This is due to some issue in WSO2
products which may be fixed in future)

 Are these conceptions still valid or have these issues been already
 fixed ?

>>>
>>> In WSO2 Carbon there are multiple keystores. I believe the above
>>> keystore that you have mentioned is only the Keystore [1] in carbon.xml. In
>>> 4.4.x, this keystore is only used for secure vault only.
>>>
>>
>> Aren't those secure vault configurations for keystores configured in 
>> secret-conf.properties
>> ?
>>
>
> This file is created by the cipher tool script file. It reads the
> carbon.xml and creates this file. You can find info on these files in [1].
>

Yes, it's true that secret-conf.properties file is created once you run
cipher tool. But from a user's point of view, if someone wants to configure
a keystore for secure-vault, file to configure that is secret-conf.properties,
right ?


>
>
>>
>>
>> As you have mentioned, in 4.4.x, if secure vault is enabled, then at the
>>> server startup, it will ask for a single password which it uses for both
>>> the Keystore and private key password.
>>>
>>
>> In https://docs.wso2.com/display/ADMIN44x/Using+Asymmetric+Encryption,
>> it says that "You must have the same password for both keystore and
>> private key due to a Tomcat limitation"
>> and therefore, it seems not because of secure vault.
>>
>
> I was referring to the limitation on the same password to be used at the
> server started which uses the secure vault JKS which is used to decrypt the
> passwords. With regard to this, you need to check the tomcat documentation
> and verify this. Anyway here if we have separate JKS for secure vault and
> tomcat ssl we can have separate passwords for both JKS. Any particular
> reason as to why you need to have a separate keystore password and private
> key password for SSL which is in an isolated JKS?
>
>
>>
>>
>>> IMO since this is only for secure vault, we can have the same password.
>>> In-addition AFAIK we can have multiple private key here. In 4.4.x, the JKS
>>> for ssl has been moved to catalina-server.xml. Therefore a separate
>>> keystore can be maintained for this. These two configuration are mentioned
>>> in [2].
>>>
 Thanks.
 *Dilan U. Ariyaratne*
 Senior Software Engineer
 WSO2 Inc. 
 Mobile: +94766405580 <%2B94766405580>
 lean . enterprise . middleware


 ___
 Dev mailing list
 Dev@wso2.org
 http://wso2.org/cgi-bin/mailman/listinfo/dev


>>> [1] -
>>> <KeyStore>
>>>     <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
>>>     <Type>JKS</Type>
>>>     <Password>wso2carbon</Password>
>>>     <KeyAlias>wso2carbon</KeyAlias>
>>>     <KeyPassword>wso2carbon</KeyPassword>
>>> </KeyStore>
>>>
>>> [2] - https://docs.wso2.com/display/ADMIN44x/Configuring+Keystores+in+WSO2+Products
>>>
>>> Regards,
>>> Nira
>>>
>>> --
>>>
>>>
>>> *Niranjan Karunanandham*
>>> Associate Technical Lead - WSO2 Inc.
>>> WSO2 Inc.: http://www.wso2.com
>>>
>>>
>>
> [1] - https://docs.wso2.com/display/ADMIN44x/Carbon+Secure+Vault+Implementation
>
> Regards,
> Nira
>
> --
>
>
> *Niranjan Karunanandham*
> Associate Technical Lead - WSO2 Inc.
> WSO2 Inc.: http://www.wso2.com
>
>


Re: [Dev] [Carbon] Clarifications about keystores in WSO2 Products

2017-05-23 Thread Dilan Udara Ariyaratne
On Mon, May 22, 2017 at 5:46 PM, Niranjan Karunanandham 
wrote:

> Hi Dilan,
>
> On Mon, May 22, 2017 at 5:27 PM, Dilan Udara Ariyaratne 
> wrote:
>
>> And also there is a concept called encrypting registry data.
>> Is this feature supported in carbon 4.4.x and if "YES", is this done via
>> the keystore configured in carbon.xml ? I could not find proper
>> documentation for this.
>>
> Can you explain about this please? Are you referring to data being
> encrypted when added to the registry from the UI say password field. If so,
> then this uses the secure vault.
>

Yes, I was referring to encrypting registry resources such as scripts,
configuration files and etc, but not passwords.


>
>> Thanks,
>> Dilan.
>>
>>
>> *Dilan U. Ariyaratne*
>> Senior Software Engineer
>> WSO2 Inc. 
>> Mobile: +94766405580 <%2B94766405580>
>> lean . enterprise . middleware
>>
>>
>> On Mon, May 22, 2017 at 5:11 PM, Dilan Udara Ariyaratne 
>> wrote:
>>
>>> Hi Niranjan,
>>>
>>> On Mon, May 22, 2017 at 2:48 PM, Niranjan Karunanandham <
>>> niran...@wso2.com> wrote:
>>>
 Hi Dilan,

 On Fri, May 5, 2017 at 7:15 PM, Dilan Udara Ariyaratne  wrote:

> Hi Folks,
>
> Following conceptions are still there regarding keystores used in WSO2
> products.
>
>1. Primary KeyStore must contain only one private key. There can
>not be two private keys. (This is due to some issue in WSO2 products 
> which
>may be fixed in future).
>2. Primary KeyStore must contain *same* password as KeyStore
>password and private key password. (This is due to some issue in WSO2
>products which may be fixed in future)
>
> Are these conceptions still valid or have these issues been already
> fixed ?
>

 In WSO2 Carbon there are multiple keystores. I believe the above
 keystore that you have mentioned is only the Keystore [1] in carbon.xml. In
 4.4.x, this keystore is only used for secure vault only.

>>>
>>> Aren't those secure vault configurations for keystores configured in 
>>> secret-conf.properties
>>> ?
>>>
>>> As you have mentioned, in 4.4.x, if secure vault is enabled, then at the
 server startup, it will ask for a single password which it uses for both
 the Keystore and private key password.

>>>
>>> In https://docs.wso2.com/display/ADMIN44x/Using+Asymmetric+Encryption,
>>> it says that "You must have the same password for both keystore and
>>> private key due to a Tomcat limitation"
>>> and therefore, it seems not because of secure vault.
>>>
>>>
 IMO since this is only for secure vault, we can have the same password.
 In-addition AFAIK we can have multiple private key here. In 4.4.x, the JKS
 for ssl has been moved to catalina-server.xml. Therefore a separate
 keystore can be maintained for this. These two configuration are mentioned
 in [2].

> Thanks.
> *Dilan U. Ariyaratne*
> Senior Software Engineer
> WSO2 Inc. 
> Mobile: +94766405580 <%2B94766405580>
> lean . enterprise . middleware
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>
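 [1] -
 <KeyStore>
     <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
     <Type>JKS</Type>
     <Password>wso2carbon</Password>
     <KeyAlias>wso2carbon</KeyAlias>
     <KeyPassword>wso2carbon</KeyPassword>
 </KeyStore>

 [2] - https://docs.wso2.com/display/ADMIN44x/Configuring+Keystores+in+WSO2+Products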

 Regards,
 Nira

 --


 *Niranjan Karunanandham*
 Associate Technical Lead - WSO2 Inc.
 WSO2 Inc.: http://www.wso2.com


>>>
>>
>
>
> --
>
>
> *Niranjan Karunanandham*
> Associate Technical Lead - WSO2 Inc.
> WSO2 Inc.: http://www.wso2.com
>
>


[Dev] [IMPORTANT] Planned down time for public Jira (https://wso2.org/jira) - 2017/05/25 5PM-7PM

2017-05-23 Thread Chamara Thilina
Hi All,

As a part of moving production critical systems to US data center now we
have selected public Jira for this.  So please refer the $subject.


Sorry for the inconvenience caused.

Regards,
ChamaraT




-- 
Chamara Thilina Samarakoon
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
On Call Number: +94 (76) 8414562
Mobile : +94 (77) 2929487
blog: http://mageconfig.blogspot.com/
linkedin: https://www.linkedin.com/pub/chamara-samarakoon


Re: [Dev] [IS] Oauth2 token introspection URL Access

2017-05-23 Thread Dimuthu De Lanerolle
Hi Kawas,

I hope you can get some idea on the permission level with the following
doc[1]

[1]
https://docs.wso2.com/display/IS530/Invoke+the+OAuth+Introspection+Endpoint

Regards
DimuthuD

On Tue, May 23, 2017 at 2:51 PM, kawas  wrote:

> Hello,
>
> I would like to have a precision about the permission a user should have
> to access the OAuth2 token introspection URL
> ex: https://my-wso2-server:9443/oauth2/introspect
>
> It seems to work fine with admin/admin
> but failed for regular user even if I set identity > Application
> Management > View permission.
> I keep getting 403 forbidden
>
> I am using WSO2 IS 5.3.0
> - Could you tell me the proper permission to assign to a regular user to
> access this introspect endpoint ?
>
> Regards,
>
> Kawas
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Dimuthu De Lanerolle
Software Engineer
WSO2 Inc.
lean . enterprise . middlewear.
http://wso2.com/
Tel. : +94 11 2145345  Fax : +94 11 2145300  email : dimut...@wso2.com


[Dev] [IS] Oauth2 token introspection URL Access

2017-05-23 Thread kawas
Hello,

I would like to have a precision about the permission a user should have to
access the OAuth2 token introspection URL
ex: https://my-wso2-server:9443/oauth2/introspect

It seems to work fine with admin/admin
but failed for regular user even if I set
identity > Application Management > View permission.
I keep getting 403 forbidden

I am using WSO2 IS 5.3.0
- Could you tell me the proper permission to assign to a regular user to
access this introspect endpoint ?

Regards,

Kawas


Re: [Dev] [APIM][Docker] Problems in worker, manager node when changing admin username and password

2017-05-23 Thread Chamara Philips
Hi Imesh,

Can we share the synapse configs between the nodes in the cluster using
volume mount?

Thanks

On Thu, May 18, 2017 at 11:36 AM, Imesh Gunaratne  wrote:

> On Wed, Apr 5, 2017 at 10:07 PM, Pubudu Gunatilaka 
> wrote:
>
>>
>> We recently introduced rsync for the gateway nodes in docker-compose and
>> I think that change has introduced the user as root [1].
>>
>
> Maybe this can be simplified using a volume mount instead of using rsync.
>
> Thanks
>
>
>> Yes, this is not good for the deployment and it is always better use a
>> non-sudo user. This has to be fixed and thank you for pointing this out.
>>
>> Suggested approach regarding the admin credential change is also
>> acceptable and please refer the official doc on password change [2]. You
>> need to change the jndi.properties file as well.
>>
>> [1] - https://github.com/wso2/docker-apim/blob/v2.1.0/docker-compose/pattern-3/gateway-manager/Dockerfile#L20
>> [2] - https://docs.wso2.com/display/AM210/Maintaining+Logins+and+Passwords#MaintainingLoginsandPasswords-Changingthesuperadminpassword
>>
>> Thank you!
>>
>> On Wed, Apr 5, 2017 at 3:18 PM, Chamara Philips wrote:
>>
>>> [Adding Sanjeewa]
>>>
>>> On Wed, Apr 5, 2017 at 3:17 PM, Chamara Philips <
>>> chcphilips@gmail.com> wrote:
>>>
 Hi devs,

 I fixed (temporarily) this by changing the
 supervisord-gateway-manager/worker.conf.
 The reason is that init.sh script is running as root. But the file is
 owned by wso2user and other users can't write to it.

 When changed the *user=root in *above conf files, it worked. But this
 is not good for deployment.

 Any idea about the root cause of this?

 Apart from this, there were few issues which I fixed by changing the
 docker file adding following lines under *USER root.*

 RUN chmod 755 /mnt/wso2-artifacts/bin
 RUN chmod -R 755 /mnt/wso2-artifacts/repository

 Additionally, in the gateway manager, worker docker files had to add

 *RUN rm -r /mnt/wso2*

 If not, this line [1] overrides the changes from wso2-artifacts.

 [1] https://github.com/wso2/dockerfiles/blob/master/common/scripts/entrypoint.sh#L107

 Regards,

 On Wed, Apr 5, 2017 at 12:24 PM, Chamara Philips <
 chcphilips@gmail.com> wrote:

> Hi devs,
>
> When trying to deploy an APIM cluster with the pattern-3, the
> wso2server.sh in wso2-artifacts/bin of worker and manager nodes, are not
> copied to the container/wso2-apim/bin as expected. However other
> configurations in wso2-artifacts/repository are copied.
>
> Is there any known reason for that?
>
> Worker, Manager nodes are not started with the expected profiles due
> to this reason. In both nodes, *workerNode=false* and *profile is not
> assigned*.
>
>
> Additionally what is the preferred way of changing the admin username
> and password when following the pattern-3? At the moment I am using the
> following approach.
>
> In wso2server.sh =>
> added
>
> -Dwso2.admin.username="$WSO2_ADMIN_USERNAME" \
> -Dwso2.admin.password="$WSO2_ADMIN_PASSWORD" \
> to the JAVA_OPTS.
>
> Then in user-mgt.xml =>
>
> <AdminUser>
>     <UserName>${wso2.admin.username}</UserName>
>     <Password>${wso2.admin.password}</Password>
> </AdminUser>
>
> Then in the docker-compose, gave the environment variable for
> $WSO2_ADMIN_USERNAME, $WSO2_ADMIN_PASSWORD. This works fine in the
> keymanager, publisher, store nodes. But not in worker, manager since the
> wso2server.sh doesn't get copied at all. I have added user-mgt.xml into
> wso2-artifacts/repository/conf. And they get copied as expected in
> worker and manager.
>
>
> Is this approach correct for changing the admin username, password in
> a cluster? Or is there any other way?
>
> Regards
> --
> --
> Hareendra Chamara Philips (BSc.Eng(Hons))
> Sysco acceleration,
> SyscoLabs(Pvt) Ltd
> Mobile : +94 (0) 767 184161 <94767184161>
>



 --
 --
 Hareendra Chamara Philips (BSc.Eng(Hons))
 Sysco acceleration,
 SyscoLabs(Pvt) Ltd
 Mobile : +94 (0) 767 184161 <94767184161> | +65 (9) 425 2874
 <6594252874>

>>>
>>>
>>>
>>> --
>>> --
>>> Hareendra Chamara Philips (BSc.Eng(Hons))
>>> Sysco acceleration,
>>> SyscoLabs(Pvt) Ltd
>>> Mobile : +94 (0) 767 184161 <94767184161> | +65 (9) 425 2874
>>> <6594252874>
>>>
>>
>>
>>
>> --
>> *Pubudu Gunatilaka*
>> Committer and PMC Member - Apache Stratos
>> Software Engineer
>> WSO2, Inc.: http://wso2.com
>> mobile : +94774078049 <%2B94772207163>
>>
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> 

Re: [Dev] [CARBON][APIM] Replicating sessions in a API manager cluster

2017-05-23 Thread Chamara Philips
Hi all,

We were able to cluster the store and publisher using the
CarbonTomcatSessionReplicationValve [1].
But couldn't do the same with carbon itself since the session is not
serializable to send over the carbon cluster.

[1]
https://docs.wso2.com/display/CLUSTER420/Enabling+HTTP+Session+Replication

Thanks & Regards

On Fri, May 12, 2017 at 11:08 AM, Chamara Philips 
wrote:

> Hi all,
>
> The immediate error logs when trying to login to the carbon console with
> the Redis session manager in place as explained above is as follows.
>
> 2017-05-12 10:40:16,916]  INFO - StartupFinalizerServiceComponent WSO2
> Carbon started in 78 sec
> [2017-05-12 10:40:17,213]  INFO - CarbonUIServiceComponent Mgt Console URL
>  : https://172.17.0.1:9443/carbon/
> [2017-05-12 10:40:17,213]  INFO - CarbonUIServiceComponent API Publisher
> Default Context : https://172.17.0.1:9443/publisher
> [2017-05-12 10:40:17,213]  INFO - CarbonUIServiceComponent API Store
> Default Context : https://172.17.0.1:9443/store
> [2017-05-12 10:40:52,616] ERROR - RedisSessionManager org.wso2.carbon.ui.
> MenuAdminClient
> [2017-05-12 10:40:55,685]  INFO - CarbonAuthenticationUtil
> 'admin@carbon.super [-1234]' logged in at [2017-05-12 10:40:55,685+0530]
> [2017-05-12 10:41:09,524] ERROR - RedisSessionManager
> org.wso2.carbon.registry.core.session.UserRegistry
> [2017-05-12 10:41:09,588] ERROR - RedisSessionManager org.wso2.carbon.ui.
> MenuAdminClient
>
> The attached log appears sometime after the server is working.
>
> Thanks & Regards
>
> On Fri, May 12, 2017 at 6:05 AM, Chamara Philips  > wrote:
>
>> Thanks a lot KasunG and Thusitha.
>>
>> As you said, I tried to register the RedisSessionManager under the
>> management element in the repository/conf/tomcat/context.xml. Then the
>> manager seems to be applied only to the webapps.
>>
>> Then as Thusitha has mentioned, I registered the RedisSessionManager
>> under the management element in 
>> repository/conf/tomcat/carbon/META-INF/context.xml.
>> Note that I didn't register the Valve in that, since the valve in
>> repository/conf/tomcat/context.xml seems to be applied globally. With
>> this configuration, the session manager started working for carbon console.
>> There were logs in the redis-cli, with the session id. Also the user
>> authenticated log is there in the WSO2Server console. But the user didn't
>> login to the carbon console. The final logs are attached below.
>>
>> What may be the root cause for this?
>>
>> Thanks & Regards
>>
>> On Thu, May 11, 2017 at 8:31 AM, KasunG Gajasinghe 
>> wrote:
>>
>>>
>>> You need to register the RedisSessionManager under the manager element
>>> [1].
>>>
>>> If you are extending the CarbonTomcat valve, the valve registration
>>> needs to happen by registering a instance as an OSGi service. In that case,
>>> you don't have to add it to catalina-server.xml/context.xml. But, you
>>> can extend tomcat BaseValve and register it via catalina-server.xml with
>>> exact same result.
>>>
>>> [1] https://tomcat.apache.org/tomcat-7.0-doc/config/manager.html
>>>
>>> On Mon, May 8, 2017 at 8:32 PM, Chamara Philips <
>>> chcphilips@gmail.com> wrote:
>>>
 Hi all,

 We were able to cluster the store and publisher without using
 StickySessions in load balancers. We have used
 CarbonTomcatSessionReplicationValve as mentioned in this article.
 We would like to know the concerns using this approach to jaggeryapps.
 (publisher, store)

 Still, couldn't resolve the problem with the approach using the Redis
 server [2]. I tried to implement the Valve extending the CarbonTomcatValve.

 Can't we register the Valves extended by CarbonTomcatValve in the
 context.xml. I got the following error when I tried to do that.

 ERROR {org.apache.tomcat.util.digester.Digester} -  Begin event threw
 exception {org.apache.tomcat.util.digester.Digester}
 java.lang.ClassNotFoundException: com.orangefunction.tomcat.redissessions.RedisSessionHandlerValve cannot be found by
 org.wso2.carbon.tomcat_4.4.11

 What may be the root cause for this?

 When I extended the RedisSessionHandlerValve from BaseValve the server
 starts successfully. (Note I have registered the Valve and Manager using
 context.xml ) For all the webapps, RedisSessionManagers are successfully
 set in  RedisSessionHandlerValve.  But when I try to log in from carbon
 console, the RedisSessionManager is not set in the RedisSessionHandlerValve
 as expected. I am a bit unclear 

[Dev] Fwd: [Carbon][APIM] Unserialisable http session fails session replication

2017-05-23 Thread Chamara Philips
[Adding Nuwan]
-- Forwarded message --
From: Chamara Philips 
Date: Mon, May 22, 2017 at 3:42 PM
Subject: [Carbon][APIM] Unserialisable http session fails session
replication
To: WSO2 Developers' List , same...@wso2.com, Kishanthan
Thangarajah , Sanjeewa Malalgoda 


Hi all,

As explained in the thread "[CARBON][APIM] Replicating sessions in a API
manager cluster", we did a testing with sharing sessions in a cluster
using CarbonTomcatSessionReplicationValve [1]. For publisher and
store worked as expected.

But for the keymanager node, it didn't work as expected. The root cause for
blocking the approaches described in the above thread and http-session
replication is that the http-session we have in carbon is not serializable.
The session has three objects which are not serializable.

1. org.wso2.carbon.ui.DefaultCarbonAuthenticator
2. org.wso2.carbon.ui.MenuAdminClient
3. org.wso2.carbon.registry.core.session.UserRegistry

I serialized DefaultCarbonAuthenticator, MenuAdminClient with a patch.
But the object tree in the UserRegistry instance under the key
"WSO2RegistryRoot" in the http-session is simply hard to manage by patching.
I tried to do that but it ends up patching 5 components.

1. org.wso2.carbon.ndatasource.rdbms
2. org.wso2.carbon.registry.core
3. org.wso2.carbon.registry.search
4. org.wso2.carbon.ui
5. org.wso2.carbon.user.core

AFAIK, it is a bad practice to keep unserializable objects in the session.
We could use something like Redis session sharing [2]
if the session was serializable. This could also solve the problem in
depending on the stickiness of load balancers in a clustering environment.
( Additionally, performance issues in using the
CarbonTomcatSessionReplicationValve in stores and publishers could have
been easily solved using the same kind of approach)

Shouldn't we design the session in a serializable manner? What are the
limitations doing so?

[1] https://docs.wso2.com/display/CLUSTER420/Enabling+HTTP+Session+Replication
[2] https://discuss.pivotal.io/hc/en-us/articles/206085337-How-to-setup-Redis-Session-Manager-on-tcServer-Tomcat

Thanks & Regards

-- 
-- 
Hareendra Chamara (BSc.Eng(Hons))
Sysco acceleration,
SyscoLabs(Pvt) Ltd
Mobile : +94 (0) 767 184161 <94767184161> | +65 (9) 425 2874 <6594252874>



-- 
-- 
Hareendra Chamara Philips (BSc.Eng(Hons))
Sysco acceleration,
SyscoLabs(Pvt) Ltd
Mobile : +94 (0) 767 184161 <94767184161> | +65 (9) 425 2874 <6594252874>


Re: [Dev] Improvements to OAuth Dynamic Client Registration

2017-05-23 Thread Abilashini Thiyagarajah
Hi all,

I am currently working on the issue [1]. Specifically the point 4 in the
description, it has been mentioned as the implementation should allow
multiple locale-specific values for redirect URI. According to my
understanding on the implementation of DCR, if there are any
locale-specific values for the redirect URI in the registration request
(eg. redirect_uris#en), it will be added to the list of redirect URI's
while building the registration request profile. Is that the expected
outcome? Please provide your insights.

[1] https://wso2.org/jira/browse/IDENTITY-5879


*Thiyagarajah Abilashini*
Student
Department of Computer Science and Engineering
University of Moratuwa, Sri Lanka

On 15 May 2017 at 23:51, Maduranga Siriwardena  wrote:

> Thanks Abilashini for the PR. We will review and merge.
>
> In the mean time, please work on the other issue too.
>
> On Fri, May 12, 2017 at 1:30 PM, Abilashini Thiyagarajah <
> abilashini...@cse.mrt.ac.lk> wrote:
>
>> Hi all,
>>
>> Please review - https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/353
>>
>> Best Regards,
>> Abilashini
>>
>> *Thiyagarajah Abilashini*
>> Student
>> Department of Computer Science and Engineering
>> University of Moratuwa, Sri Lanka
>>
>> On 10 May 2017 at 15:54, Abilashini Thiyagarajah <
>> abilashini...@cse.mrt.ac.lk> wrote:
>>
>>> Hi Dimuthu,
>>>
>>> Thank you for sharing these informative sources.
>>>
>>> Best Regards,
>>>
>>> *Thiyagarajah Abilashini*
>>> Student
>>> Department of Computer Science and Engineering
>>> University of Moratuwa, Sri Lanka
>>>
>>> On 10 May 2017 at 13:45, Dimuthu De Lanerolle  wrote:
>>>
 Hi Abilashini,

 I have attached some info links which might be useful to you.

 [1] https://docs.wso2.com/display/IS530/OpenID+Connect+Dynamic+Client+Registration
 [2] http://openid.net/specs/openid-connect-registration-1_0.html
 [3] Doc Attached. Also you may find more info related to DCR requests
 and responses using previous JIra (eg: IDENTITY-5436, IDENTITY-5435
 etc.)

 Regards
 DimuthuD

 On Wed, May 10, 2017 at 12:59 PM, Abilashini Thiyagarajah <
 abilashini...@cse.mrt.ac.lk> wrote:

> Hi Maduranga,
>
> I will work on it and get back to you soon.
>
> Thanks,
>
> *Thiyagarajah Abilashini*
> Student
> Department of Computer Science and Engineering
> University of Moratuwa, Sri Lanka
>
> On 9 May 2017 at 09:16, Maduranga Siriwardena 
> wrote:
>
>> Hi Abilashini,
>>
>> As discussed can you start working on [1] and [2] to improve the
>> existing DCR functionality. If you need any clarification or help, please
>> get back to us.
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-5529
>> [2] https://wso2.org/jira/browse/IDENTITY-5185
>>
>> Thanks,
>> --
>> Maduranga Siriwardena
>> Senior Software Engineer
>> WSO2 Inc; http://wso2.com/
>>
>> Email: madura...@wso2.com
>> Mobile: +94718990591 <+94%2071%20899%200591>
>> Blog: *https://madurangasiriwardena.wordpress.com/
>> *
>> 
>>
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


 --
 Dimuthu De Lanerolle
 Software Engineer
 WSO2 Inc.
 lean . enterprise . middlewear.
 http://wso2.com/
 Tel. : +94 11 2145345  Fax : +94 11 2145300  email : dimut...@wso2.com


>>>
>>
>
>
> --
> Maduranga Siriwardena
> Senior Software Engineer
> WSO2 Inc; http://wso2.com/
>
> Email: madura...@wso2.com
> Mobile: +94718990591 <+94%2071%20899%200591>
> Blog: *https://madurangasiriwardena.wordpress.com/
> *
> 
>


Re: [Dev] [IS] Integrity constraint violation when revoking multiple entries from access token table

2017-05-23 Thread Danushka Fernando
Hi Sathya

Please find my comments inline.

On Tue, May 23, 2017 at 12:29 PM, Sathya Bandara  wrote:

> Hi all,
>
> It is required to alter the state of  access tokens from 'active' to
> 'revoked' of multiple entries in the IDN_OAUTH2_ACCESS_TOKEN table for the
> scenario where access tokens issued to other tenants by a saas application,
> need to be revoked when saas is disabled. I used the following query to
> achieve this;
>
> "UPDATE IDN_OAUTH2_ACCESS_TOKEN SET TOKEN_STATE=?, TOKEN_STATE_ID=? WHERE
> CONSUMER_KEY_ID = (SELECT ID FROM IDN_OAUTH_CONSUMER_APPS WHERE
> CONSUMER_KEY = ? ) AND TENANT_ID != ? "
>
Have you tested this query directly in some sql console? So is it giving
the same error when you do that?

>
>- Parameter 1(Access token state): REVOKED
>- Parameter 2(Token state id): if access token is in active state the
>state id should be 'NONE' if in revoked state it should be updated with a
>unique string
>- Parameter 3(consumer key): client ID of oauth application
>- Parameter 4(tenant id): application tenant ID
>
>
> This gives 
> com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException:
> Duplicate entry 
> '1-admin-1-PRIMARY-APPLICATION_USER-369db21a386ae433e65c0ff34d357'
> for key 'CON_APP_KEY' exception which occurs because of the unique
> constraint violation on CON_APP_KEY index;
>
Here it says duplicate entry. So did you check whether your database
contains any values similar to what you are trying to update?

>
> Index: CON_APP_KEY
> Definition:
>   Type: BTREE
>   Unique: Yes
>   Columns: CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, USER_DOMAIN, USER_TYPE,
>            TOKEN_SCOPE_HASH, TOKEN_STATE, TOKEN_STATE_ID
>
> Is it possible to perform multiple entry update operations without having
> to update a single entry at a time in Access token table? Appreciate your
> help on this.
>
> Best regards,
> Sathya
>
> --
> Sathya Bandara
> Software Engineer
> WSO2 Inc. http://wso2.com
> Mobile: (+94) 715 360 421
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>

Thanks & Regards
Danushka Fernando
Associate Tech Lead
WSO2 inc. http://wso2.com/
Mobile : +94716332729
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [IS] Integrity constraint violation when revoking multiple entries from access token table

2017-05-23 Thread Sathya Bandara
Hi all,

It is required to alter the state of access tokens from 'active' to
'revoked' of multiple entries in the IDN_OAUTH2_ACCESS_TOKEN table for the
scenario where access tokens issued to other tenants by a saas application,
need to be revoked when saas is disabled. I used the following query to
achieve this;

"UPDATE IDN_OAUTH2_ACCESS_TOKEN SET TOKEN_STATE=?, TOKEN_STATE_ID=? WHERE
CONSUMER_KEY_ID = (SELECT ID FROM IDN_OAUTH_CONSUMER_APPS WHERE
CONSUMER_KEY = ? ) AND TENANT_ID != ? "


   - Parameter 1(Access token state): REVOKED
   - Parameter 2(Token state id): if access token is in active state the
   state id should be 'NONE' if in revoked state it should be updated with a
   unique string
   - Parameter 3(consumer key): client ID of oauth application
   - Parameter 4(tenant id): application tenant ID


This gives
com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException:
Duplicate entry
'1-admin-1-PRIMARY-APPLICATION_USER-369db21a386ae433e65c0ff34d357' for key
'CON_APP_KEY' exception which occurs because of the unique constraint
violation on CON_APP_KEY index;

Index: CON_APP_KEY
Definition:
  Type: BTREE
  Unique: Yes
  Columns: CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, USER_DOMAIN, USER_TYPE,
           TOKEN_SCOPE_HASH, TOKEN_STATE, TOKEN_STATE_ID

Is it possible to perform multiple entry update operations without having
to update a single entry at a time in Access token table? Appreciate your
help on this.

Best regards,
Sathya

-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
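
A reproduction of the failure described in this thread, as an added example that is not part of the original messages or of WSO2's code. It assumes SQLite as a stand-in for MySQL, a reduced table, constructed rows, and a consumer key id passed directly instead of the thread's subselect; the cause it shows (one shared TOKEN_STATE_ID written to several rows of the same user) is one way the reported duplicate can arise, not a diagnosis confirmed in the thread.

```python
import sqlite3
import uuid

# Assumption: SQLite stands in for MySQL; the table is reduced to a token id plus
# the columns the thread lists for the unique index CON_APP_KEY.
SCHEMA = """CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN (
  TOKEN_ID TEXT PRIMARY KEY, CONSUMER_KEY_ID INTEGER, AUTHZ_USER TEXT, TENANT_ID INTEGER,
  USER_DOMAIN TEXT, USER_TYPE TEXT, TOKEN_SCOPE_HASH TEXT, TOKEN_STATE TEXT,
  TOKEN_STATE_ID TEXT, CONSTRAINT CON_APP_KEY UNIQUE (CONSUMER_KEY_ID, AUTHZ_USER,
  TENANT_ID, USER_DOMAIN, USER_TYPE, TOKEN_SCOPE_HASH, TOKEN_STATE, TOKEN_STATE_ID))"""
APP_TENANT = -1234  # constructed value for the SaaS application's own tenant
U = ("PRIMARY", "APPLICATION_USER", "h1")
# Constructed rows: admin in tenant 1 holds an old REVOKED token and an ACTIVE one.
ROWS = [("t1", 1, "admin", 1, *U, "REVOKED", "old-1"),
        ("t2", 1, "admin", 1, *U, "ACTIVE", "NONE"),
        ("t3", 1, "bob", 2, *U, "ACTIVE", "NONE"),
        ("t4", 1, "carol", APP_TENANT, *U, "ACTIVE", "NONE")]

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO IDN_OAUTH2_ACCESS_TOKEN VALUES (?,?,?,?,?,?,?,?,?)", ROWS)
    return db

def revoke_shared_state_id(db, consumer_key_id):
    # Shape of the thread's UPDATE: one bound TOKEN_STATE_ID, no filter on TOKEN_STATE.
    db.execute("UPDATE IDN_OAUTH2_ACCESS_TOKEN SET TOKEN_STATE=?, TOKEN_STATE_ID=? "
               "WHERE CONSUMER_KEY_ID=? AND TENANT_ID != ?",
               ("REVOKED", str(uuid.uuid4()), consumer_key_id, APP_TENANT))

def revoke_per_row_state_id(db, consumer_key_id):
    # Only ACTIVE rows, state id generated per row (MySQL's UUID() plays this role).
    cur = db.execute("UPDATE IDN_OAUTH2_ACCESS_TOKEN SET TOKEN_STATE='REVOKED', "
                     "TOKEN_STATE_ID=lower(hex(randomblob(16))) WHERE CONSUMER_KEY_ID=? "
                     "AND TENANT_ID != ? AND TOKEN_STATE='ACTIVE'",
                     (consumer_key_id, APP_TENANT))
    return cur.rowcount

def demo():
    collided = False
    try:
        revoke_shared_state_id(fresh_db(), 1)  # t1 and t2 end up identical in the index
    except sqlite3.IntegrityError:
        collided = True
    db = fresh_db()
    revoked = revoke_per_row_state_id(db, 1)
    states = dict(db.execute("SELECT TOKEN_ID, TOKEN_STATE FROM IDN_OAUTH2_ACCESS_TOKEN"))
    return collided, revoked, states
```

`demo()` returns whether the shared-id update hit the unique index, how many rows the per-row variant revoked, and the final state of each token; the token in the application's own tenant stays ACTIVE.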