liferay 7
I have a remote service for one of my service builder entity and I would like to create a method accessible without any authentication (no p_auth parameter or authentication header).
I added the #AccessControlled(guestAccessEnabled = true) to my method but it does not seem to work as it should. When I click "Execute" button I got an exception :
"Access denied to package.classname#methodName"
Is it a known bug?
Thank you!
Could you please try to navigate to your Liferay Portal’s Control Panel and click on Service Access Policy under the Configuration heading. Here, you can see the default service access policies and you can add new ones.
This step helped me in solving a very similar case where I faced the "Access denied" error.
For more information please visit:
[https://help.liferay.com/hc/en-us/articles/360017896072-Service-Access-Policies]
I hope you will find all this useful,
Best Regards,
Peter
Related
I'm trying to make social login using Google, Facebook, and LinkedIn on my website
the last two works very well but Google always gives me error like this :
Forbidden
You don't have permission to access /test/login/google/callback on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
I don't know why it's only appearing with Google, can anyone help me?
The reason for getting this error is because Google+ API is not enabled
go on google console account and enable Google+ API. If you haven't known how to enable Google+ services then follow this steps:
First Open your Google Console Account from Here: console.developers.google.com
Then Go to -> library -> select Google+ API -> Enable
If you have any configuration related problem then see my GitHub code for Socialite
I'm doing PoC of some GSuite custom solution which needs to listen to changes on users resource. I've created a GSuite account, linked it (and verified) with mytestdomain.com. It's also verified in API console. Basically followed instructions from https://developers.google.com/admin-sdk/directory/v1/guides/push
and fulfilled all requirements from there.
Unfortunately when I try to register my web hook I'm getting following error:
Watch request denied by backend [403]
Errors [
Message[Watch request denied by backend] Location[ - ] Reason[watchDenied] Domain[push]
]
I stuck with it and don't know where too look for more details about that error.
I'm using a certificate generated by Let's encrypt, but tested it with https://www.ssllabs.com/ssltest/ and got rank A. How to check if Google API treats Let's Encrypt as trusted CA?
Problem wasn't anyhow related to Let's Encrypt certificates. They're working just fine with Google's push notifications. I've contacted with Google support and with their help I've established that sending a request with showDeleted parameter set to true was a root cause of above problem.
Support guy claimed that documentation was copied from list method and that parameter cannot be used with watch method and they're going to update docs of watch method in API reference. (However it's still there).
Getting Following Error when trying to log-in into API Manager- Publisher module, i can log-in to Administrator(Carbon) using admin privileges but cannot log-in to Publisher.
HTTPSender Unable to sendViaPost to url[https: //localhost:9443/services/AuthenticationAdmin] java.net.SocketException: Permission denied: connect
Did you change your admin username/password? If so, you have to provide correct username/password in the api-manger.xml at configuration
Posting an answer after long time the question was asked!
I faced the same error. I realized that I was connected to my clint's VPN before I started wso2 api manager. As soon as I disconnected from the client's VPN, I was able to login to store and publisher. I guess there is some security issue related to networks when it comes to Wso2.
Please check if this was the case with you too.
Hope it helps someone!
I have a web service which the home page is displayed and runs if I turn on Integrated Windows authentication. Now if I turn that off and Anonymous Access is on I can not even get to the wsdl page. I get the error
Access is denied.
Description: An error occurred while accessing the resources required to serve
this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration.
Verify that you have permission to view this directory or page based on the
credentials you supplied and the authentication methods enabled on the Web server.
Contact the Web server's administrator for additional assistance.
Version Information: Microsoft .NET Framework Version:2.0.50727.3625; ASP.NET
Version:2.0.50727.3634
The IIS I am working with is 5.1
I gave IUSER access to the directory, full control for now.
I am out of ideas. Thank you for your help
The root cause of this issue had to do with the website requiring Windows Authentication but the switch for HTTP-keep alive in the IIS Manager was unchecked.
We're having a hard time figuring how these credentials objects work. In fact, they may not work how we expected them to work. Here's an explanation of the current issue.
We got 2 servers that needs to talk with each other through webservices. The first one (let's call it Server01) has a Windows Service running as the NetworkService account. The other one Server02 has ReportingServices running with IIS 6.0. The Windows Service on Server01 is trying to use the Server02 ReportingServices WebService to generate reports and send them by email.
So, here's what we tried so far.
Setting the credentials at runtime (This works perfectly fine):
rs.Credentials = new NetworkCredentials("user", "pass", "domain");
Now, if we could use a generic user all would be fine, however... we are not allowed to. So, we are trying to use the DefaultCredetials or DefaultNetworkCredentials and pass it to the RS Webservice:
rs.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials
Or:
rs.Credentials = System.Net.CredentialCache.DefaultCredentials
Either way won't work. We're always getting 401 Unauthrorized from IIS. Now, what we know is that if we want to give access to a resource logged as NetworkService, we need to grant it to DOMAIN\MachineName$ (http://msdn.microsoft.com/en-us/library/ms998320.aspx):
Granting Access to a Remote SQL Server
If you are accessing a database on another server in the same domain (or in a trusted domain), the Network Service account's network credentials are used to authenticate to the database. The Network Service account's credentials are of the form DomainName\AspNetServer$, where DomainName is the domain of the ASP.NET server and AspNetServer is your Web server name.
For example, if your ASP.NET application runs on a server named SVR1 in the domain CONTOSO, the SQL Server sees a database access request from CONTOSO\SVR1$.
We assumed that granting access the same way with IIS would work. However, it does not. Or at least, something is not set properly for it to authenticate correctly.
So, here are some questions:
We've read about "Impersonating Users" somewhere, do we need to set this somewhere in the Windows Service ?
Is it possible to grant access to the NetworkService built-in account to a remote IIS server ?
Thanks for reading!
All details you need are included in this very old article
In short, when you find it confusing to troubleshoot issues like this, you should first review the technical details behind ASP.NET impersonation carefully.
Here are some things you could check out:
- set an SPN (Service Principal Name) for the reporting service; you can find good examples in google;
- Allow delegation (ClientCredentials.Windows.AllowImpersonationLevel)
Is the problem that you're failing to authenticate to IIS, or failing to authenticate to SSRS? The DOMAIN\MachineName$ account may need to be granted permission in SSRS to run the report you're trying to automate.
SSRS usually does a pretty good job of getting IIS configured correctly, so you shouldn't need to mess with those settings. I double-checked my installation (which is SSRS 2005, things may have worked differently in SSRS 2000 and you didn't say which version you're running), and it's set to use Windows authentication and has impersonation enabled. That means IIS should basically just be authenticating your credentials (validating a correct username/password), not authorizing (determining whether that user has permission to run the report in question). IIS then passes the credentials on to SSRS, which has its own settings for determining what accounts have permission to view reports.
Also, you can automate sending reports on a scheduled basis directly in SSRS, so you may not need the Windows service at all if your scheduling is fairly basic (i.e., daily, weekly, etc.).