Re: Groups memberships

2017-09-21 Thread Francesco Chicchiriccò

On 18/09/2017 13:23, Filipe Silva wrote:

Hi

In 
https://syncope.apache.org/docs/reference-guide.html#users-groups-and-any-objects 
we read:


"A User or an Any Object can be members of Groups in the same realm or 
in one of the sub-realms."


But it appears that a user in a realm B defined as /A/B only "sees" 
the groups in /, A and B and not a group in C defined as a sub-realm 
of B (as in /A/B/C).


Am I understanding this correctly? 


Hi Filipe,
thanks for reporting.

I have just fixed the text in the reference guide: you can see it at

https://ci.apache.org/projects/syncope/reference-guide.html#realms

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Call /self API with invalid credentials

2017-09-21 Thread Francesco Chicchiriccò

Hi Adrian,
sorry for late response.

Not sure if the (CXF's) RestServiceExceptionMapper takes place here: as 
far as I've understood, in case of invalid credentials the request does 
not even come to CXF, and the error is completely managed by Spring 
Security.


It seems also to me to remember that it is not obvious how to alter the 
Spring Security error handling without breaking the authentication chain 
- remember that Basic Authentication is used either as such (for all 
services) and to obtain a JWT instance which can be then used to access 
all services.


Anyway, if you find some time to work on this, I'd recommend a PR rather 
than a Java file attached via e-mail (it looks so 90ties..) :-)


Regards.

On 15/09/2017 17:08, Adrian Gonzalez wrote:

Hi Francesco,

I'll try something - not sure if next week or the one after.
In the meantime I've quickly developed this class (attached).

It really needs more polishing:
 - I'd like to do a bridge to RestServiceExceptionMapper so we have a 
central place for error handling (but it's JAX-RS and I'm at servlet 
layer here).

 - I'd need to add types and codes in ClientExceptionType
 - I'd need to add the same customisation for syncopeAccessDeniedHandler

Thanks,
Adrian

On Friday 15 September 2017 at 15:28:56 UTC+2, Francesco Chicchiriccò 
wrote:



On 15/09/2017 15:17, Adrian Gonzalez wrote:

Hello,

I'm using Syncope 2.0.5.
I'm calling /self REST API with invalid credentials 
(with content-type: application/json).

/self returns HTML code and not a JSON message body.

i.e.
```
curl -X GET \
http://localhost:9080/syncope/rest/users/self \
  -H 'authorization: Basic YmVsbGluaTpiZWxsaW5pNjY1' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'postman-token: 477ebc5a-6350-4ba5-a8a2-4d6ecea31712'
```

Returns an HTML error page, i.e.:
```
HTTP Status 401 – Unauthorized
...
Message User bellini not authenticated
Description The request has not been applied because it lacks valid authentication credentials for the target resource.
Apache Tomcat/8.5.20
```


Shouldn't it be valid json (since I requested json ?)

The pb is that when I use the syncope client REST API, I get:
```
2017-09-15 11:17:13.625 -ERROR [http-apr-9080-exec-6] org.apache.cxf.jaxrs.utils.JAXRSUtils    : No message body reader has been found for class java.util.List, ContentType: text/html;charset=utf-8
2017-09-15 11:17:13.626 -DEBUG [http-apr-9080-exec-6] o.a.s.c.lib.RestClientExceptionMapper    : Could not read org.apache.syncope.common.lib.to.ErrorTO list, attempting to read headers...
javax.ws.rs.client.ResponseProcessingException: No message body reader has been found for class java.util.List, ContentType: text/html;charset=utf-8
    at org.apache.cxf.jaxrs.impl.ResponseImpl.reportMessageHandlerProblem(ResponseImpl.java:439)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.doReadEntity(ResponseImpl.java:390)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.readEntity(ResponseImpl.java:326)
    at org.apache.cxf.jaxrs.impl.ResponseImpl.readEntity(ResponseImpl.java:314)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.checkSyncopeClientCompositeException(RestClientExceptionMapper.java:98)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:53)
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:313)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:876)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:789)
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:235)
    at com.sun.proxy.$Proxy641.read(Unknown Source)
    at org.apache.syncope.client.lib.SyncopeClient.self(SyncopeClient.java:132)
```


Should we modify 
the org.apache.syncope.core.spring.security.SyncopeBasicAuthenticationEntryPoint 
? (not super because we'd need to handle manually XML and JSON 
formatting)


Hi Adrian,
your proposal makes sense but I remember (not well enough, 
unfortunately) that there were some related issues when attempting to 
change the AuthenticationEntryPoint due to some Spring Security internals.


Anyway, your contribution is more than welcome, as usual!

Regards.


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
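
Added example (not part of the thread, and not Syncope's own code or the class Adrian attached): a generic Spring Security entry point that answers a failed Basic authentication with a JSON or XML body instead of the container's HTML error page. The class name, the choice to negotiate on the Accept header and the body layout are assumptions; the body is not Syncope's ErrorTO format.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

// Hypothetical class name; realmName must be set on the bean, as for the parent class.
public class NegotiatingBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {

    // Fixed text: the exception message is deliberately not copied into the body.
    private static final String MESSAGE = "Authentication failed";

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException {
        // Keep the Basic challenge so clients still learn how to authenticate.
        response.addHeader("WWW-Authenticate", "Basic realm=\"" + getRealmName() + "\"");
        // setStatus (not sendError) keeps the container from rendering its HTML error page.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setCharacterEncoding("UTF-8");

        String accept = request.getHeader("Accept");
        if (accept != null && accept.contains("application/xml")) {
            response.setContentType("application/xml");
            response.getWriter().write(
                    "<error><status>401</status><message>" + MESSAGE + "</message></error>");
        } else {
            // Default to JSON, including when no Accept header is sent.
            response.setContentType("application/json");
            response.getWriter().write("{\"status\":401,\"message\":\"" + MESSAGE + "\"}");
        }
    }
}
```

If any request-derived value is ever added to the body, it has to be JSON- or XML-escaped first; the fixed message above avoids that need.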