I would first try calling the service in the browser while logged in as admin.
If that works, I would try calling the service in the browser while logged in as some other user that is supposed to be able to call the service. If that works, I would try calling the service with an HTTP client program like curl or Postman, to figure out how the credentials need to be sent. If that works, I would try calling the service from my SPARQLMotion script, with credentials in the script. If that works, I would try calling the service from my SPARQLMotion script, with credentials in secure storage. For CreateProjectService specifically, any user that can create new asset collections can also invoke that service. So if “Create new Taxonomy” shows up on the Taxonomies page when that user is logged in, then the user has permission to invoke the service. A user can create new asset collections if they belong to a Security Role that has the CREATE right on the Repositories project (Server Administration > Rights Management). See here: http://wiki.topquadrant.com/display/TBS60/Access+Control#AccessControl-RightsManagement Secure Storage is a lookup table that stores passwords for username+url pairs. This can be seen on the Password Management page in the EDG Server Administration. To use Secure Storage with sml:ImportTextFromURL, add a new username+url pair on that page. The URL is arbitrary in this case, it just serves as a lookup key. One could for example use the URI of the SPARQLMotion script. In the SM script, set: - url: the request URL for the service call - userName: the username to be used for the request - securePasswordURL: the lookup key URL in secure storage (as a string) - password: leave blank The effect is that instead of using the password argument, the password will be looked up in the secure storage under the userName+securePasswordURL pair. Richard > On 10 Oct 2018, at 02:18, Rob Atkinson <robatkinson...@gmail.com> wrote: > > Ouch - so there is a different method for each possible deployment - making > it pretty hard to test locally then deploy. > > I tried setting up a user and password in the secure store and using that - > but it didnt seem to work - maybe because there disnt seem to be any > meaningful way to assign the user to permissions on the CreateProjectService. > (Its no use to set permissions on individual coillections manually - both > because we are creating a collection and the scalability of such a solution > would be broken. > > The text for securePasswordURL say "if it has a value" but there is no > documentation about that value - although the name suggest a URL, the value > type appears to be string... but if I put "true" it asks for connection for > batch@true > > so i set securePasswordURL with the target URL (instead of arg:url) and it > complains arg:url is not set ... > > so i set them both - and it returns a 500 error with another NPE - even > though the url works in an authenticated browser session > > A 500 error for authentication failure is a bug - it should be 401 or 403 - > (although at this stage 418 is perhaps appropriate) > > > > > > > So now I have three problems, irreconcilable in combination: > 1) checking i have set up the EDg permissions correctly > 2) checking my script configuration sets permissions correctly > 3) working out how different future deployments might behave > > > There needs to be a step by step testable methodology for setting up and > testing access control. > > > > On Tuesday, 9 October 2018 18:01:30 UTC+11, Rob Atkinson wrote: > AFIACT if I want to invoke a EDG service without pasting into a browser I > need to provide authentication - possibly however thats via a session cookie? > > I have tried using the SPARQLmotion "import text from URL" as the only > obvious way i can see to invoke a URL inside SPARQLmotion - but its not > obvious how access control to web services is handled. > > The most comprehensive overview I can find is > https://www.topquadrant.com/2015/07/24/web-services-and-topquadrant-products/ > <https://www.topquadrant.com/2015/07/24/web-services-and-topquadrant-products/> > but this is completely silent on access control. > > If I use a browser not logged into EDG i get the same result I get from TBC - > another Null pointer exception. > > 1) Is there a better way of invoking an EDG service within TBC? > 2) what are the EDG user/permissions/roles etc needed to provide password > controlled access to services? > 3) Is there a way to avoid putting passwords into SparqlMotion scripts > (perhaps a SPIN template to retrieve them from EDG configuration somehow?) > > > -- > You received this message because you are subscribed to the Google Groups > "TopBraid Suite Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to topbraid-users+unsubscr...@googlegroups.com > <mailto:topbraid-users+unsubscr...@googlegroups.com>. > For more options, visit https://groups.google.com/d/optout > <https://groups.google.com/d/optout>. -- You received this message because you are subscribed to the Google Groups "TopBraid Suite Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to topbraid-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.