On 25/07/2018 20:58, Wyllys Ingersoll wrote:
When I create a user with a role that has all of the entitlements and
attempt to log in to the console, it fails and this error is in the
console.log:
Hi,
the log below is not very explanatory; it is hard to guess the actual
problem: maybe you have users pending approval?
Otherwise, please track down the stack trace until some '*RestClient'
class is mentioned.
Regards.
18:52:24.186 ERROR org.apache.syncope.client.console.SyncopeConsoleRequestCycleListener - Exception found
org.apache.wicket.WicketRuntimeException: An error occurred while getting the model object for Component: [Component id = alerts, page = org.apache.syncope.client.console.pages.Dashboard, path = body:approvalsWidget:alerts, type = org.apache.wicket.markup.html.basic.Label, isVisible = true, isVersioned = true, markup = [markup = jar:file:/var/lib/tomcat8/webapps/syncope-console/WEB-INF/lib/syncope-client-console-2.1.1-SNAPSHOT.jar!/org/apache/syncope/client/console/widgets/AlertWidget.html
<span class="label label-danger" wicket:id="alerts"></span>, index = 0, current = '<span class="label label-danger" wicket:id="alerts">' (line 0, column 0)]]
at org.apache.wicket.Component.getDefaultModelObject(Component.java:1581) ~[wicket-core-8.0.0.jar:8.0.0]
at org.apache.syncope.client.console.widgets.AlertWidget$3.onComponentTag(AlertWidget.java:86) ~[syncope-client-console-2.1.1-SNAPSHOT.jar:2.1.1-SNAPSHOT]
at org.apache.wicket.Component.internalRenderComponent(Component.java:2428) ~[wicket-core-8.0.0.jar:8.0.0]
at org.apache.wicket.markup.html.WebComponent.onRender(WebComponent.java:60) ~[wicket-core-8.0.0.jar:8.0.0]
at org.apache.wicket.Component.internalRender(Component.java:2287) ~[wicket-core-8.0.0.jar:8.0.0]
...
When I create another user with no special entitlements, I can log in
to the console UI with no problems.
On Wed, Jul 25, 2018 at 4:27 AM, Francesco Chicchiriccò
<[email protected]> wrote:
On 24/07/2018 15:03, Wyllys Ingersoll wrote:
Thanks, I got it to work by giving my "Admin" role a subset of the
complete list of entitlements.
It seems that granting the entire list of entitlements to a role or a
user makes it unauthorized to access the UI, which is
counter-intuitive, IMO.
Not sure what you mean here: I have just created a Role with all
entitlements against Realm /, assigned it to a user and then logged in as
that user with no issues.
All this in syncope-vm, with domain Two, naturally.
It's also not clear what entitlements are in effect for administering
roles. I granted all of the ROLE_* entitlements to a user, but when I
try to use that user to manage roles, it logs me out and says "Access
is Denied", and the core.log shows messages like this:
Unfortunately, the process of selecting the right set of Entitlements to
grant for Delegated Administration is not straightforward.
The point is that Entitlements are fine-grained and mostly match the
corresponding REST endpoints, but the Admin Console often does much more, in
order to provide a better UX.
In your example above, once you have assigned all ROLE_* entitlements and
been forcibly logged out, look more carefully at the logs to find out the actual
REST service which that user was not granted permission to invoke, then add the
corresponding entitlement(s) to the Role and try again.
HTH
Regards.
On Tue, Jul 24, 2018 at 3:42 AM, Francesco Chicchiriccò
<[email protected]> wrote:
On 23/07/2018 22:59, Wyllys Ingersoll wrote:
Using the 2.1.1-SNAPSHOT build, I am now able to log in to the 2nd
domain as the default "admin" account, but I cannot log in using any
other accounts, even if those accounts are assigned a role with all of
the privileges.
You can see the same error on the demo vm using login
"testadm/password2" in domain "Two".
Hi,
since the demo is redeployed every few hours and persistence gets cleared,
such a user is not there any more.
However, I went to syncope-vm.apache.org, logged in as admin in the Two
domain, created a user 'ilgrosso' with password 'Password123' and no roles.
After logging out as admin, I was able to log in again as ilgrosso, in the
Two domain of course, as expected - see
https://snag.gy/mrUpi4.jpg
When using roles, I'd suggest taking a look at
http://syncope.apache.org/docs/reference-guide.html#delegated-administration-console
to see how to define the 'minimal set' of entitlements to grant (you'll need
to temporarily add GROUP_SEARCH to such set, at least until my latest commit
gets deployed).
Regards.
On Sun, Jul 22, 2018 at 3:00 PM, Wyllys Ingersoll
<[email protected]> wrote:
Done - https://issues.apache.org/jira/browse/SYNCOPE-1342
Thanks for confirming this; I thought I was just doing something
stupid or the documentation was missing a step or two.
On Sun, Jul 22, 2018 at 1:25 PM, Francesco Chicchiriccò
<[email protected]> wrote:
Hi,
I have replicated your Docker-based setup, with two domains and
2.1.1-SNAPSHOT, and found the same issue.
...that could be easily replicated by attempting to log in on the public
demo:
http://syncope-vm.apache.org:9080/syncope-console
on the Two domain, with credentials admin / password2 - working via REST.
Please raise an issue on JIRA: it seems that the Admin Console's login form
does not take into account the value selected in the 'Domain' combo.
I have verified that the problem only affects 2.1.0, as 2.0.9 works as
expected - this means that there was something missing in the migration to
Wicket 8.
Regards.
On 22/07/2018 17:35, Wyllys Ingersoll wrote:
I created a role in the 2nd domain and granted it all of the
entitlements using the REST API, then assigned that role to a user
("admin2") in the 2nd domain. Now when I attempt to log in to the 2nd
domain on the console UI, I get the following errors in the core.log
file:
It's basically complaining about the connector not having privileges to
authenticate anyone. Not sure how to fix this since I can't manage the
domain with the UI yet (chicken and egg problem?).
11:21:39.265 INFO org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy - Authenticate was attempted, although the connector only has these capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action.
I can get a token for this user with the REST API, validate the
token and see that it does indeed have all of the required
entitlements. The problem seems to be with the console UI and how it
authenticates/authorizes users, since going directly to the core for
authentication via REST works as expected.
Full stack trace:
java.util.concurrent.ExecutionException: org.identityconnectors.framework.common.exceptions.InvalidCredentialException: Authentication failed for "admin2"
at java.util.concurrent.FutureTask.report(FutureTask.java:122) ~[?:1.8.0_171]
at java.util.concurrent.FutureTask.get(FutureTask.java:206) ~[?:1.8.0_171]
at org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy.authenticate(ConnectorFacadeProxy.java:141) ~[syncope-core-provisioning-java-2.1.0.jar:2.1.0]
at org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:255) ~[syncope-core-spring-2.1.0.jar:2.1.0]
at org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:218) ~[syncope-core-spring-2.1.0.jar:2.1.0]
at org.apache.syncope.core.spring.security.AuthDataAccessor$$FastClassBySpringCGLIB$$b4b63ada.invoke(<generated>) ~[syncope-core-spring-2.1.0.jar:2.1.0]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:746) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294) ~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98) ~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.apache.syncope.core.persistence.jpa.spring.DomainTransactionInterceptor.invoke(DomainTransactionInterceptor.java:60) ~[syncope-core-persistence-jpa-2.1.0.jar:2.1.0]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:688) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.apache.syncope.core.spring.security.AuthDataAccessor$$EnhancerBySpringCGLIB$$fea6d20d.authenticate(<generated>) ~[syncope-core-spring-2.1.0.jar:2.1.0]
at org.apache.syncope.core.spring.security.UsernamePasswordAuthenticationProvider.lambda$authenticate$1(UsernamePasswordAuthenticationProvider.java:123) ~[syncope-core-spring-2.1.0.jar:2.1.0]
at org.apache.syncope.core.spring.security.AuthContextUtils.execWithAuthContext(AuthContextUtils.java:126) ~[syncope-core-spring-2.1.0.jar:2.1.0]
at org.apache.syncope.core.spring.security.UsernamePasswordAuthenticationProvider.authenticate(UsernamePasswordAuthenticationProvider.java:123) ~[syncope-core-spring-2.1.0.jar:2.1.0]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:180) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.apache.syncope.core.spring.security.JWTAuthenticationFilter.doFilterInternal(JWTAuthenticationFilter.java:90) ~[syncope-core-spring-2.1.0.jar:2.1.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200) ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) ~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) ~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) ~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) ~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80) ~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:624) ~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) ~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) ~[tomcat8-catalina-8.5.14.jar:8.5.14]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799) ~[tomcat8-coyote-8.5.14.jar:8.5.14]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) ~[tomcat8-coyote-8.5.14.jar:8.5.14]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861) ~[tomcat8-coyote-8.5.14.jar:8.5.14]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455) ~[tomcat8-coyote-8.5.14.jar:8.5.14]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat8-coyote-8.5.14.jar:8.5.14]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_171]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_171]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat8-util-8.5.14.jar:8.5.14]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]
Caused by: org.identityconnectors.framework.common.exceptions.InvalidCredentialException: Authentication failed for "admin2"
at net.tirasa.connid.bundles.ad.authentication.ADAuthenticate.authenticate(ADAuthenticate.java:74) ~[?:?]
at net.tirasa.connid.bundles.ad.ADConnector.authenticate(ADConnector.java:243) ~[?:?]
at org.identityconnectors.framework.impl.api.local.operations.AuthenticationImpl.authenticate(AuthenticationImpl.java:85) ~[connector-framework-internal-1.4.4.0.jar:?]
at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_171]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171]
at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98) ~[connector-framework-internal-1.4.4.0.jar:?]
at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?]
at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_171]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171]
at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96) ~[connector-framework-internal-1.4.4.0.jar:?]
at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?]
at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_171]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171]
at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:99) ~[connector-framework-internal-1.4.4.0.jar:?]
at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?]
at sun.reflect.GeneratedMethodAccessor655.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_171]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171]
at org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:83) ~[connector-framework-internal-1.4.4.0.jar:?]
at com.sun.proxy.$Proxy278.authenticate(Unknown Source) ~[?:?]
at org.identityconnectors.framework.impl.api.AbstractConnectorFacade.authenticate(AbstractConnectorFacade.java:235) ~[connector-framework-internal-1.4.4.0.jar:?]
at org.apache.syncope.core.provisioning.java.AsyncConnectorFacade.authenticate(AsyncConnectorFacade.java:56) ~[syncope-core-provisioning-java-2.1.0.jar:2.1.0]
at org.apache.syncope.core.provisioning.java.AsyncConnectorFacade$$FastClassBySpringCGLIB$$886ae36a.invoke(<generated>) ~[syncope-core-provisioning-java-2.1.0.jar:2.1.0]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:746) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.aop.interceptor.AsyncExecutionInterceptor.lambda$invoke$0(AsyncExecutionInterceptor.java:115) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[?:1.8.0_171]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_171]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_171]
... 1 more
11:21:39.265 INFO org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy - Authenticate was attempted, although the connector only has these capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
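As an added illustration of two pieces of advice in this thread (this is example code written for this page, not code from the thread, from Francesco, or from the Apache Syncope project): a small log-triage helper that (a) walks a console.log stack trace until the first '*RestClient' frame, which names the REST call the Admin Console made on the user's behalf and therefore the entitlement that is missing, and (b) reads the core.log "Authenticate was attempted, although the connector only has these capabilities" line and reports that AUTHENTICATE is absent. The sample log text is constructed for the example (its layout mirrors the snippets quoted above), and ExampleRestClient is a hypothetical class name, not a real Syncope class.

```python
"""Added example (not from the thread or from Apache Syncope): triage helper for
the two log patterns discussed in the thread.

1. Walk a console.log stack trace until some '*RestClient' class is mentioned;
   that frame names the REST call the Admin Console made for the user, i.e. the
   endpoint whose entitlement is missing from the delegated-admin role.
2. Parse the core.log line "Authenticate was attempted, although the connector
   only has these capabilities: [...]" and flag the missing AUTHENTICATE capability.

The sample log below is constructed for this example. ExampleRestClient is a
hypothetical class name, not a real Syncope class.
"""
import re
from dataclasses import dataclass, field

# Header line: "18:52:24.186 ERROR org.apache.syncope...Listener - Exception found"
LOG_LINE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (TRACE|DEBUG|INFO|WARN|ERROR) (\S+) - (.*)$"
)
# Frame line: "at a.b.Class$Inner.method(File.java:12) ~[jar:version]"
FRAME = re.compile(r"^\s*at\s+([\w$.]+)\.([\w$<>]+)\(([^)]*)\)")
CAPABILITIES = re.compile(
    r"Authenticate was attempted, although the connector only has these "
    r"capabilities: \[([^\]]*)\]"
)


@dataclass
class LogEvent:
    time: str
    level: str
    logger: str
    message: str
    frames: list = field(default_factory=list)  # (class, method, location)
    causes: list = field(default_factory=list)  # "Caused by:" texts, outermost first


def parse_log(text):
    """Group a log dump into events; frames and causes attach to the header above them."""
    events = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if m:
            events.append(LogEvent(*m.groups()))
            continue
        if not events:
            continue  # continuation text before any header: nothing to attach to
        current = events[-1]
        f = FRAME.match(raw)
        if f:
            current.frames.append(f.groups())
        elif raw.startswith("Caused by:"):
            current.causes.append(raw[len("Caused by:"):].strip())
    return events


def first_rest_client_frame(event):
    """(class, method) of the first frame whose simple class name ends in RestClient, or None."""
    for cls, method, _location in event.frames:
        if cls.rsplit(".", 1)[-1].endswith("RestClient"):
            return cls, method
    return None


def root_cause(event):
    """Innermost 'Caused by:' text, which is what the user actually hit."""
    return event.causes[-1] if event.causes else None


def missing_authenticate_capability(event):
    """Capability list if the connector message shows AUTHENTICATE is absent, else None."""
    m = CAPABILITIES.search(event.message)
    if not m:
        return None
    caps = [c.strip() for c in m.group(1).split(",") if c.strip()]
    return None if "AUTHENTICATE" in caps else caps


def triage(text):
    """One (time, finding) tuple per event that needs an administrator's attention."""
    findings = []
    for ev in parse_log(text):
        caps = missing_authenticate_capability(ev)
        if caps is not None:
            findings.append((ev.time, "connector lacks AUTHENTICATE (has %s): users mapped "
                             "to this resource cannot be authenticated through it" % caps))
        frame = first_rest_client_frame(ev)
        if frame is not None:
            findings.append((ev.time, "REST call %s.%s failed; root cause: %s"
                             % (frame[0], frame[1], root_cause(ev))))
    return findings


# Constructed sample: one console.log exception (hypothetical ExampleRestClient frame,
# constructed cause text) followed by the core.log line quoted in the thread.
SAMPLE_LOG = """\
18:52:24.186 ERROR org.apache.syncope.client.console.SyncopeConsoleRequestCycleListener - Exception found
org.apache.wicket.WicketRuntimeException: An error occurred while getting the model object for Component
\tat org.apache.wicket.Component.getDefaultModelObject(Component.java:1581) ~[wicket-core-8.0.0.jar:8.0.0]
\tat org.apache.syncope.client.console.widgets.AlertWidget$3.onComponentTag(AlertWidget.java:86) ~[syncope-client-console-2.1.1-SNAPSHOT.jar:2.1.1-SNAPSHOT]
\tat org.apache.syncope.client.console.rest.ExampleRestClient.list(ExampleRestClient.java:42) ~[?:?]
Caused by: java.lang.SecurityException: Access is Denied
\t... 1 more
11:21:39.265 INFO org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy - Authenticate was attempted, although the connector only has these capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action.
"""

if __name__ == "__main__":
    for when, finding in triage(SAMPLE_LOG):
        print(when, finding)
```

Run against a real console.log or core.log by passing the file contents to triage(); the RestClient finding tells you which REST endpoint to map back to an entitlement, and the capability finding tells you the connector itself cannot serve as an authentication source for users mapped to that resource, regardless of what entitlements the user holds.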