Thats great - this has a level of detail that really needs to be explicit in the documentation.
>From a IDE perspective though, I cant see how to translate instructions about tomcat/users to the equivalent for setting up users in the IDE hosted TBL server ? Also, it is not clear how tomcat users magically appear in the EDG configurations - there is stuff about permission by roles, but then segues into statements like "the selected permission for the selected user or for an entire security role" - does EDG know about individual users in the ACL or is there somewhere else these need to be created? On Thursday, 11 October 2018 01:10:48 UTC+11, Richard Cyganiak wrote: > > I would first try calling the service in the browser while logged in as > admin. > > If that works, I would try calling the service in the browser while logged > in as some other user that is supposed to be able to call the service. > > If that works, I would try calling the service with an HTTP client program > like curl or Postman, to figure out how the credentials need to be sent. > > If that works, I would try calling the service from my SPARQLMotion > script, with credentials in the script. > > If that works, I would try calling the service from my SPARQLMotion > script, with credentials in secure storage. > > > For CreateProjectService specifically, any user that can create new asset > collections can also invoke that service. So if “Create new Taxonomy” shows > up on the Taxonomies page when that user is logged in, then the user has > permission to invoke the service. A user can create new asset collections > if they belong to a Security Role that has the CREATE right on the > Repositories project (Server Administration > Rights Management). See here: > > http://wiki.topquadrant.com/display/TBS60/Access+Control#AccessControl-RightsManagement > > > Secure Storage is a lookup table that stores passwords for username+url > pairs. This can be seen on the Password Management page in the EDG Server > Administration. > > To use Secure Storage with sml:ImportTextFromURL, add a new username+url > pair on that page. The URL is arbitrary in this case, it just serves as a > lookup key. One could for example use the URI of the SPARQLMotion script. > > In the SM script, set: > > - url: the request URL for the service call > - userName: the username to be used for the request > - securePasswordURL: the lookup key URL in secure storage (as a string) > - password: leave blank > > The effect is that instead of using the password argument, the password > will be looked up in the secure storage under the > userName+securePasswordURL pair. > > Richard > > > > On 10 Oct 2018, at 02:18, Rob Atkinson <robatki...@gmail.com <javascript:>> > wrote: > > Ouch - so there is a different method for each possible deployment - > making it pretty hard to test locally then deploy. > > I tried setting up a user and password in the secure store and using that > - but it didnt seem to work - maybe because there disnt seem to be any > meaningful way to assign the user to permissions on the > CreateProjectService. (Its no use to set permissions on individual > coillections manually - both because we are creating a collection and the > scalability of such a solution would be broken. > > The text for securePasswordURL say "if it has a value" but there is no > documentation about that value - although the name suggest a URL, the value > type appears to be string... but if I put "true" it asks for connection for > batch@true > > so i set securePasswordURL with the target URL (instead of arg:url) and > it complains arg:url is not set ... > > so i set them both - and it returns a 500 error with another NPE - even > though the url works in an authenticated browser session > > A 500 error for authentication failure is a bug - it should be 401 or 403 > - (although at this stage 418 is perhaps appropriate) > > > > > > > So now I have three problems, irreconcilable in combination: > 1) checking i have set up the EDg permissions correctly > 2) checking my script configuration sets permissions correctly > 3) working out how different future deployments might behave > > > There needs to be a step by step testable methodology for setting up and > testing access control. > > > > On Tuesday, 9 October 2018 18:01:30 UTC+11, Rob Atkinson wrote: >> >> AFIACT if I want to invoke a EDG service without pasting into a browser I >> need to provide authentication - possibly however thats via a session >> cookie? >> >> I have tried using the SPARQLmotion "import text from URL" as the only >> obvious way i can see to invoke a URL inside SPARQLmotion - but its not >> obvious how access control to web services is handled. >> >> The most comprehensive overview I can find is >> https://www.topquadrant.com/2015/07/24/web-services-and-topquadrant-products/ >> >> but this is completely silent on access control. >> >> If I use a browser not logged into EDG i get the same result I get from >> TBC - another Null pointer exception. >> >> 1) Is there a better way of invoking an EDG service within TBC? >> 2) what are the EDG user/permissions/roles etc needed to provide password >> controlled access to services? >> 3) Is there a way to avoid putting passwords into SparqlMotion scripts >> (perhaps a SPIN template to retrieve them from EDG configuration somehow?) >> >> > -- > You received this message because you are subscribed to the Google Groups > "TopBraid Suite Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to topbraid-user...@googlegroups.com <javascript:>. > For more options, visit https://groups.google.com/d/optout. > > > -- You received this message because you are subscribed to the Google Groups "TopBraid Suite Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to topbraid-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
