I have some webservices which only logged on users can use. However, I need one to allow public access and to non-registered members to use as well.
I have given my DNN module permissions to be viewed by Unauthorized and All users and my webmethod as such:
<HttpGet>
Public Function FindSomeone(q As String) As HttpResponseMessage
Try
Return Request.CreateResponse(HttpStatusCode.OK, "ok".ToJson)
Catch exc As Exception
Return Request.CreateErrorResponse(HttpStatusCode.InternalServerError, exc)
End Try
End Function
I have tried adding:
<DnnModuleAuthorize(AccessLevel:=SecurityAccessLevel.View)>
and
<DnnModuleAuthorize(AccessLevel:=SecurityAccessLevel.Anonymous)>
but it still doesn't work for users who are not logged on.
Any ideas?
To make the services completely open, add the <AllowAnonymous> attribute.
Related
I have done an installation of WSO2 API Manager 2.5.0.
I am customizing the Publisher portal by creating a new subtheme and editing .jag files. Everything is OK until here.
I would like to show elements depending on user role.
My first question is: Can I get the rol of the user logged in Publisher portal in jag files?
I couldnt find the way, so I have thought a walkaround: send a request to the RESTful API for WSO2 API Manager - Publisher.
The problem is I cannot find (on the documentation) a method that return the roles of a user.
My second question is: There is some method to return the roles of a user?
I know the solution of use Publisher APIS, but they are deprecated, and anyway I have tested it, and it always return true even when the user has not assigned the role.
Ask me more information if you need.
Thanks in advance.
One possible solution is to invoke a java method exposed from the APIUtil class. The method you are looking from this util class would be the getListOfRoles method which has the following signature.
public static String[] getListOfRoles(String username) throws APIManagementException;
Or alternatively you can use the below method which does not throw any error, but rather return an empty array on an error situation.
public static String[] getListOfRolesQuietly(String username);
So to use this method in your jaggery file, you can use this using the following approach
var roleList = Packages.org.wso2.carbon.apimgt.impl.utils.APIUtil.getListOfRoles(userName);
The above should return a string array of roles in your jaggery file using which you could proceed with next steps. If you check other jaggery files found in Store or Publisher apps, the above approach is how you import a java class into the jaggery file and use it.
The APIUtil class is available in here : https://github.com/wso2/carbon-apimgt/blob/1.2.5/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/utils/APIUtil.java#L2420
I have a webservice (OSGi application) which on failure returns the error as HTML, which seems to be the Domino standard.
I know I can use the error codes provided, but would like to return a JSON formatted error instead.
Anyone who knows how to?
Ove
To handle the 401 response in the REST Service database you need to allow the Anonymous users to access the REST service and then in the REST Service respond if the user is Anonymous. This can be done without opening the database to significant access by Anonymous users by keeping the ACL for Anonymous at No Access BUT allowing it to Read Public Documents. Then your XPage that contains the REST service is flagged as Available for Public Access users.
I am trying to use the Google Contacts API and the Python / GDATA client handlers to access Contacts via OAuth 2.0 for users in the domain. I'm ultimately wanting to create a web service to add contacts for users, but the first step is getting this test working.
I can access my own Contacts just fine if I use the default URI. However, when I pass in the email address to construct the URI for another user, I can't seem to access the other user's Contacts. Here is the code that I'm using:
client.GetContacts(uri=client.GetFeedUri(contact_list=userEmail))
A 403 error is returned when I execute this.
gdata.client.RequestError: Server responded with: 403
Your client does not have permission to get URL /m8/feeds/contacts/<userEmail>/full from this server.
Mostly just trying to understand if what I'm attempting here is even possible. In the Email Settings API, for example, you can get authenticated to the domain and pass in a user's email to list their labels, add filters, etc. So, I would anticipate that the Contacts API would work the same, though handled slightly differently, i.e. modifying the URI, instead of just passing in an argument to the client handler. Please let me know if I am wrong in that presumption.
For authorization, I'm getting the details using flow_from_clientsecrets, then getting the token to authorize the ContactsClient for the domain. Again, I can access my own contacts fine, so authorization seems OK, but I can't access other users' contacts.
client = token.authorize(ContactsClient(domain=domain))
Seems like I'm missing something with respect to accessing other users. Is anybody able to assist me over this hump? Here are some things that I've checked / confirmed:
Contacts API is enabled for the project
Scopes have been authorized for the Client ID in the control panel > Manage 3rd party access
I am a Super Admin in the domain.
Thanks for your time!
I figured out the answer here from another post with exceptional detail:
Domain-Wide Access to Google GDATA APIs
You need to use "Service Account" authentication. For some reason, I was thinking that would only work with the newer discovery-based APIs. But, service account access also works for GDATA APIs. I can access all the Contacts for users in the domain now.
I want a simple mobile app to be able to read a public facebook feed. I do not want to challenge the user for a username and password. Is this possible without writing/communicating with a 3rd party service?
I found this:
Facebook API without client authentication for public content
But it looks like things have changed slightly...
I admit that I'm a bit confuse about your question, however to read a public facebook content like the public info of a page you have just to do something like: http://graph.facebook.com/19292868552/
With NO access token required.
But if you want to read a public feed of a page or something then you actually need the access token ( http://developers.facebook.com/tools/explorer/?method=GET&path=19292868552%2Ffeed ).
So, how to read stream without authentication from client-side? Well, the 1st thing I can think is to get only one access token with offline_access permission and use only this token for each client (ugly but it works) this kind of token never expires, anyway the offline access permission is being deprecated, so I'm a bit stuck in here, you can, anyway, handle the token (extending expiration or request another one) from your custom server (if you have one), or if you are using native SDK, Android for instance, I think you can use this
I have a web application that needs to allow users using different webclients (browser, native mobile app, etc) to register. After signing in they can access restricted content or their own content (like entries they create, etc).
What I did so far: I created a jax-rs rest webservice (I'm hosting my application on glassfish) that exposes the following methods:
register - user POST's his desired username/password/email/etc; if username/email is unique, an entry for this user is created in the database (I'm using Hibernate for persistence)
login - user POST's username and password. If they are ok a UUID is created and returned to the user (this will be used as a token for future requests). I have a table called logedusers, with userID, token, validSince as columns.
Here is where it gets confusing for me.
Let's say that I have another method, getUserEntries, that should return all the entries made by the user. To make this clearer, there will be a Entry table with the following fields: entryId, userId, text.
What is the best approach here?
What i do now, is I make a get request and pass in the token like this:
localhost:8080/myApp/getUserEntries?token=erf34c34
Afterwards, if the token is valid, I get the userID from the logedusers table and based on that userId, get all the entries and return them as json.
Something like this:
#GET
#Path("getUserEntries")
#Produces(MediaType.APPLICATION_JSON)
public Response getUserEntries(#QueryParam("token") String token) {
String userId=getUserIdFromToken(token);
if (userId == null){
return Response.status(Response.Status.UNAUTHORIZED).build();
} else {
//get some data associated with that userId, put it in the response object and send it back
return Response.ok().entity(response).build();
}
}
However, what happens if I have more methods that provide data if they are called by a valid user?
I'd have to do this check at the beginning of every method.
I want to make this authorization process transparent
So, two major questions here:
Is this design ok? The whole authenticate with user/pass, server creates and stores and sends token to the user, user sends token on future requests.
What do I do if i have many endpoints that need to determine the identity of the calling user? Can I mark them with some annotations, use some sort of security provider / authenticator (where I can add my own logic for validating - eg check to see if the token isn't older than 5 days, etc).
Thanks
Is this design ok? The whole authenticate with user/pass, server creates and stores and sends token to the user, user sends token on future requests.
It's somewhat OK. The conceptual level isn't too bad (provided you're OK with self-registration at all) but the interface needs a lot of tweaking. While yes, POST to register and login is correct, for the rest of your webapp you should be pulling the identity information out of the context if you need it, and using role-based access control at the method level where you can.
Note that your container has a whole set of authentication and authorization-support mechanisms built in. Use them.
What do I do if i have many endpoints that need to determine the identity of the calling user? Can I mark them with some annotations, use some sort of security provider / authenticator (where I can add my own logic for validating - eg check to see if the token isn't older than 5 days, etc).
Do they need the identity? Or do they just need to know that the user is allowed to access them? If the latter, the easiest method is to put a suitable #RolesAllowed annotation on the method, at which point (with suitable configuration; see the JEE5 security docs). If the former, you need to get the HttpServletRequest object for the current action and call its getUserPrincipal() method to get the user's identity (or null if they've not logged in yet). This SO question describes how to go about getting the request object; there are a few possible ways to do it but I recommend injection via a #Resource annotation.
What I wouldn't do is allow users to normally provide their own identity via a #QueryParam; that's just wildly open to abuse. You can allow them to ask about other users that way, but then you need to decide whether you are going to tell them anything or not based on whether the current user is permitted to know anything about the other user. That's the sort of complex security problem that comes up in a real app, and is a good point for needing the current verified user identity.