On 16/03/2017 22:27, Vlad Zelenko wrote:
Hey all. I am evaluating Syncope as IMS, and want to test the REST API. For starters, I am using Swagger UI to test self-registration.

Hi Vlad,
glad of your interest in Apache Syncope.

1. (POST /users/self) When I execute it from the browser, I invariably receive CODE 403 with message "Access to the specified resource has been forbidden."

Question: what is the value of the 'selfRegistration.allowed' configuration parameter [1] in your Syncope deployment? (You can find it out from Admin Console under Configuration > Parameters).
E.g. was self-registration enabled at all?

When enabled, the "POST /users/self" endpoint must be invoked anonymously, i.e. without any 'Authorization' HTTP header. Are you sure that you did not populate the username / password fields in the Swagger UI when attempting the "POST /users/self" invocation?

2. When I use the suggested 'curl' line (http://localhost:8080/syncope/rest/users/self?storePassword=true, etc.), 'Access Denied' is seen in 'core-rest.log' of the application, but nothing comes back to the STDOUT of cURL.

Use "curl -v" and you will get all the response headers, including X-Application-Error-Code and X-Application-Error-Info.
More on available REST headers at [2].

3. When I use regular create user in Swagger UI (POST /users) with the same UserTO payload (see below), the user is created in syncope, code 201 is returned with a Generated Key.

PAYLOAD:
{"username":"test","password":"12SomeComplex!!!Pwd","realm":"/","securityQuestion":"","securityAnswer":"","plainAttrs":[{"schema":"email","values":[]}],"derAttrs":[],"virAttrs":[],"resources":[],"auxClasses":[],"memberships":[],"@class":"org.apache.syncope.common.lib.to.UserTO"}


My question is, what is the correct way of performing self-registration using the REST API (I need this for our web application)? Losing my mind over this...

It seems - for very valid reasons, I presume - that you are not interested in the Enduser application [3] nor in using the Java client library [4] for communicating via REST with Core (architectural reference available at [5]). I would invite you anyway to carefully consider all the related security aspects: you can read from [6] how we did tackle them in the Enduser application.

Regards.

[1] https://syncope.apache.org/docs/reference-guide.html#configuration-parameters
[2] https://syncope.apache.org/docs/reference-guide.html#rest-headers
[3] https://syncope.apache.org/docs/reference-guide.html#customization-enduser
[4] https://syncope.apache.org/docs/reference-guide.html#client-library
[5] https://syncope.apache.org/docs/reference-guide.html#architecture
[6] http://blog.tirasa.net/syncope-enduser-security-features.html

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
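The two points made in the reply, that "POST /users/self" has to be called with no 'Authorization' header and that a 403 is diagnosed from the X-Application-Error-Code / X-Application-Error-Info response headers rather than from the (empty) body, put together in a small client. This is an added example, not code from the thread or from the Syncope project: the UserTO payload is the one posted above, the StubSyncope server is a constructed stand-in that only exists so the script runs offline, and its header values ("SELF_REGISTRATION_DISABLED", "ANONYMOUS_ONLY") and generated key are placeholders, not Syncope's real error codes.

```python
"""Anonymous self-registration against a Syncope-style /users/self endpoint,
surfacing the X-Application-Error-* headers on failure (added example)."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# UserTO payload as posted in the thread.
USER_TO = {
    "username": "test",
    "password": "12SomeComplex!!!Pwd",
    "realm": "/",
    "securityQuestion": "",
    "securityAnswer": "",
    "plainAttrs": [{"schema": "email", "values": []}],
    "derAttrs": [],
    "virAttrs": [],
    "resources": [],
    "auxClasses": [],
    "memberships": [],
    "@class": "org.apache.syncope.common.lib.to.UserTO",
}


def self_register(base_url, user_to, store_password=True, timeout=5):
    """POST <base_url>/users/self with NO Authorization header.

    Returns status, the X-Application-Error-Code / -Info headers (None when
    absent) and the body, so a 403 is diagnosable even with an empty body.
    """
    url = "%s/users/self?storePassword=%s" % (
        base_url, "true" if store_password else "false")
    req = urllib.request.Request(
        url,
        data=json.dumps(user_to).encode("utf-8"),
        method="POST",
        # deliberately no 'Authorization': self-registration is anonymous
        headers={"Content-Type": "application/json",
                 "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, headers, body = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry headers
        status, headers, body = err.code, err.headers, err.read()
    return {
        "status": status,
        "error_code": headers.get("X-Application-Error-Code"),
        "error_info": headers.get("X-Application-Error-Info"),
        "body": body.decode("utf-8", "replace"),
    }


class StubSyncope(BaseHTTPRequestHandler):
    """Constructed stand-in for Core, only so this example runs offline.
    Header values below are placeholders, not Syncope's real error codes."""
    self_registration_allowed = True

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if not self.path.startswith("/users/self"):
            self.send_error(404)
        elif not self.self_registration_allowed:
            self._forbidden("SELF_REGISTRATION_DISABLED")
        elif "Authorization" in self.headers:  # endpoint must be anonymous
            self._forbidden("ANONYMOUS_ONLY")
        else:
            body = json.dumps({"key": "placeholder-generated-key"}).encode()
            self.send_response(201)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def _forbidden(self, code):
        self.send_response(403)
        self.send_header("X-Application-Error-Code", code)
        self.send_header("X-Application-Error-Info",
                         "Access to the specified resource has been forbidden.")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the stub quiet
        pass


def run_demo():
    """Start the stub on an ephemeral port; return (success, denied) results."""
    server = HTTPServer(("127.0.0.1", 0), StubSyncope)
    base = "http://127.0.0.1:%d" % server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        StubSyncope.self_registration_allowed = True
        ok = self_register(base, USER_TO)
        StubSyncope.self_registration_allowed = False
        denied = self_register(base, USER_TO)
    finally:
        server.shutdown()
        server.server_close()
        StubSyncope.self_registration_allowed = True
    return ok, denied


if __name__ == "__main__":
    ok, denied = run_demo()
    print(ok["status"], ok["body"])
    print(denied["status"], denied["error_code"], denied["error_info"])
```

Against a real deployment, point `self_register` at `http://localhost:8080/syncope/rest` and read `error_code` / `error_info` whenever the status is 403; that is the same information "curl -v" shows in the response headers, and it tells you whether the parameter is off or a credential slipped into the request.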
