syncope-dev mailing list archives

From Massimiliano Perrone <massimiliano.perr...@tirasa.net>
Subject Re: wrong exception in SecurityQuestion service?
Date Wed, 28 Oct 2015 16:18:14 GMT


On 28/10/2015 15:01, Francesco Chicchiriccò wrote:
> On 28/10/2015 11:38, Massimiliano Perrone wrote:
>> Hi Syncopers,
>> running securityQuestionService.readByUser(username) method from 
>> org.apache.syncope.common.rest.api.service.SecurityQuestionService I 
>> get a wrong exception, I'm supposing..
>>
>> From the log header the URL called is, for instance, 
>> http://localhost:9080/syncope/rest/securityQuestions/byUser/rossini 
>> and, if I tried to run it from the web browser it works because the 
>> response is:
>> <syncope:error xmlns:syncope="http://syncope.apache.org/2.0">
>> <elements>
>> <element>
>> NotFoundException: Security question for user rossini
>> </element>
>> </elements>
>> <status>404</status>
>> <type>NotFound</type>
>> </syncope:error>
>>
>> but the client returns 403 as the header shows:
>> Headers: {Content-Length=[0], Date=[Wed, 28 Oct 2015 10:29:18 GMT], 
>> Server=[Apache-Coyote/1.1], X-Application-Error-Code=[Forbidden], 
>> X-Application-Error-Info=[Access is denied], X-Syncope-Domain=[Master]}
>>
>> The exception is:
>> GRAVE: Problem with reading the data, class org.apache.syncope.common.lib.to.ErrorTO, ContentType: */*.
>> Exception in thread "main" java.security.AccessControlException: Access is denied
>>     at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:69)
>>     at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42)
>>     at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:303)
>>     at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:760)
>>     at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:722)
>>     at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:228)
>>     at com.sun.proxy.$Proxy29.readByUser(Unknown Source)
>>
>> Is it the right behavior or is it a bug?
>
> This is coherent with [1]: only anonymous users are meant to invoke 
> that method (via /securityQuestions/byUser/rossini).
>
> If an admin wants to get to such information, he / she needs to read 
> the given user entry.
>
> Hope this clarifies.

as usual :)

> Regards.
>
> [1] 
> https://github.com/apache/syncope/blob/master/core/logic/src/main/java/org/apache/syncope/core/logic/SecurityQuestionLogic.java#L109
>

-- 
Massimiliano Perrone
Tel +39 393 9121310

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

"Learning many things does not teach intelligence"
(Heraclitus)

