How to access a Magento's Extension's attributes via the /v1/Customer API?

We use an extension called "Login As Customer", and I'm trying to update its Allow Login as Customer field via API on all customer records.
When creating token access I see "Login As Customer" as an available API to which to grant access (pictured), but when I curl to our /rest/V1/customers/ endpoint, I don't see any extension attributes/data related to this extension. I'm pretty new to extensions and how they work through API, but I've been able to curl and update data before to our catalog, orders and invoices. Thanks for any help

Please check whether your extension has an acl.xml file; if not, please create /etc/acl.xml and add the code below for your extension. The extension needs acl.xml in the etc folder to show in roles.
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
<acl>
<resources>
<resource id="Magento_Backend::admin">
<resource id="Magento_Backend::stores">
<resource id="Magento_Backend::stores_settings">
<resource id="Magento_Config::config">
<resource id="Companyname_Vendor::config" title="Extension title" />
</resource>
</resource>
</resource>
</resource>
</resources>
</acl>
</config>

Related

Do Moqui REST API support binary files as parameters?

my EbooksEntities.xml file
<entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://moqui.org/xsd/entity-definition-2.1.xsd">
<entity entity-name="Ebook" package="moqui.ebook" short-alias="ebooks">
<field name="ebookId" type="id" is-pk="true"><description>primary sequenced ID</description></field>
<field name="md5" type="text-medium"/>
<field name="file" type="binary-very-long" />
</entity>
</entities>
my ebook.rest.xml file
<resource xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://moqui.org/xsd/rest-api-2.1.xsd" name="ebook" displayName="Ebook REST API" version="2.0.0">
<resource name="ebooks">
<method type="get"><entity name="ebooks" operation="list"/></method>
<method type="post"><entity name="ebooks" operation="create"/></method>
</resource>
</resource>
Now the Swagger REST API browser shows the file parameter as String. How can I create a REST method to post a binary file?
You’ll need to write your own service that utilizes the ResourceFacade to copy the file to the DB or file system and then update the entity with the resource location.
You cannot use an entity-auto service, such as the ones listed in your answer, for this type of operation.

Nuxeo: after activating the Anonymous User can't log in

My goal is to add the anonymous authentication to Nuxeo web ui.
I followed the steps on https://doc.nuxeo.com/nxdoc/how-to-define-public-pages-viewable-by-anonymous-users/.
Created anonymous-auth-config.xml with the following content:
<component name="org.nuxeo.ecm.platform.login.anonymous.config">
<!-- Add an Anonymous user -->
<extension target="org.nuxeo.ecm.platform.usermanager.UserService"
point="userManager">
<userManager>
<users>
<anonymousUser id="Guest">
<property name="firstName">Guest</property>
<property name="lastName">User</property>
</anonymousUser>
</users>
</userManager>
</extension>
</component>
First I copied the file into C:\Nuxeo\nxserver\config, then tried the folder C:\Nuxeo\templates\common\config.
Modified nuxeo.conf and set nuxeo.user.anonymous.enable=true.
Restarted the application server.
Now I can only enter the web ui as Anonymous user, but can't log in as Administrator or any other valid user.
There is a forceAnonymousLogin=true query string in the URL now by default.
I'm not sure whether I should change the authenticationChain, and how, as stated in another link: https://doc.nuxeo.com/nxdoc/using-anonymous-authentication/
Thanks for your help in advance!

Is there any way how to ensure basic authentication for REST services deployed in latest wso2ei 6.4.0?

I want to use WSO2EI 6.4.0 as a proxy for SOAP and REST services authentication platform (later maybe authorization).
I found a solution in the WSO2 documentation (https://docs.wso2.com/display/EI640/Applying+Security+to+an+API), but unfortunately it is not working.
Adding the "handler" element to the service definition
<handlers>
<handler class="org.wso2.carbon.integrator.core.handler.RESTBasicAuthHandler"/>
</handlers>
results in an exception at design time (Eclipse):
Invalid mediator <handler class="org.wso2.carbon.integrator.core.handler.RESTBasicAuthHandler"/> 1d6bbce1-08e3-42d5-b550-6a4e224b0028.xml /.tmp/.org.wso2.developerstudio.eclipse.esb line 15 org.wso2.developerstudio.eclipse.gmf.esb.diagram.synapseerror
Ignoring it and deploying such an API makes the API stop working.
Could anyone help please?
The way you are trying to add the Basic authentication for API in WSO2EI 6.4.0 is correct. Developer studio will give a warning as you mentioned, but it should not be an issue. Developer studio will allow setting the handler regardless of the warning and you should be able to create a Composite Application which includes the API and deploy it to ESB. Following is a sample API with the RESTBasicAuthHandler.
<?xml version="1.0" encoding="UTF-8"?>
<api context="/testapi" name="testapi" xmlns="http://ws.apache.org/ns/synapse">
<resource methods="POST" protocol="https" url-mapping="/*">
<inSequence>
<send>
<endpoint name="testapi_EP">
<http uri-template="http://localhost:8080/testapi"/>
</endpoint>
</send>
</inSequence>
<outSequence/>
<faultSequence/>
</resource>
<handlers>
<handler class="org.wso2.carbon.integrator.core.handler.RESTBasicAuthHandler"/>
</handlers>
</api>

wso2 ESB 4.9.0 api handler issue

We added a handler to a WSO2 ESB 4.9.0 API for Basic Authorization, but it is not getting saved permanently. When we check from the UI after some time, we are not able to see the handler and the handler is not working.
<resource methods="GET" uri-template="/{Id}/XXXX">
<inSequence>
<sequence key="XXXXSequence"/>
</inSequence>
</resource>
<handlers>
<handler class="XXXX">
<property name="securityToken" value="XXXX"/>
</handler>
</handlers>
</api>
This is a known issue. https://wso2.org/jira/browse/ESBJAVA-3395
And the solution is to use WSO2 Developer Studio. WSO2 does not recommend using the UI to do development, it is mainly used to monitor and view the instance.

How to write XACML Policy using Custom Attributes

I'm trying to write an XACML policy that will utilize a custom attribute. I'm thinking of something like:
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="deny-demo100"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
<Description> </Description>
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<AnyResource/>
</Resources>
<Actions>
<AnyAction/>
</Actions>
</Target>
<Rule Effect="Deny" RuleId="rule-deny-demo100">
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<Resource>
<AnyResource/>
</Resource>
</Resources>
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customAttribute</AttributeValue>
<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
</Rule>
<Rule RuleId="deny-demo100-catch-all" Effect="Permit" />
</Policy>
(We're using Fedora's XACML implementation).
I'm sure I'm missing something really simple and fundamental here, but cannot figure out what. Could someone point me in the right direction please?
What do you mean by custom attribute? What is it you want to express in 'plain old English'?
In XACML you can use any attribute you like such as role, citizenship, clearance, resource classification, time of day... Of course the availability of the attribute depends on the type of app you are protecting. How are you using the Fedora implementation? Is it for access control within Fedora Linux OS?
If you want to compare an attribute to a value e.g. citizenship == Canadian, then use a <Target/>. If you want to compare 2 attributes together e.g. clearance > classification, then use a <Condition>.
I am not sure what you are actually looking for, but I guess you need to do some attribute-based access control.
In XACML there is a component called PIP (Policy Information Point), where you can retrieve attributes from external sources and check authorization.
This may help you: Understanding PIP (Policy Information Point).
If you need to create XACML policies in an easier way, you can follow this: XACML Policy Editor in WSO2 Identity Server.
I have to admit I'm kinda new to XACML and Fedora's implementation of it, but my understanding is you should be able to query any value that appears when checking the user object. The URL on a default Fedora Commons install should be "localhost:8080/fedora/user" and yields the following object on my server after logging in a previously created LDAP user called "Joe User":
<user id="Joe User">
<attribute name="uid">
<value>userj</value>
</attribute>
<attribute name="mail">
<value>UserJ#ldap.test.user.uconn.edu</value>
</attribute>
<attribute name="sn">
<value>User</value>
</attribute>
<attribute name="ou">
<value>DPT</value>
</attribute>
<attribute name="cn">
<value>Joe User</value>
</attribute>
<attribute name="description">
<value>sample user</value>
</attribute>
<attribute name="role"/>
<attribute name="fedoraRole"/>
<attribute name="objectClass">
<value>organizationalPerson</value>
<value>person</value>
<value>inetOrgPerson</value>
<value>top</value>
</attribute>
<attribute name="displayName">
<value>Joe User (LDAP)</value>
</attribute>
</user>
Once a value has been injected into the user object via some JAAS authentication module (as in the above case using the LDAP module) or even an environment variable, you should be able to query it. In the example policy below I've set Fedora to grant fedoraAdmin-like access to API-M calls if a user has an OU set to "DPT":
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="permit-apim-to-ldap-ou"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>
<!-- test policy to approve API-M operations if a specific LDAP OU exists -->
<!-- make sure access to API-M is permitted from the current client IP address first (check "deny-apim-if-not-in-list.xml" or "deny-apim-if-not-localhost.xml" ) -->
<Description>note that other policies may provide exceptions to this broad policy. This policy assumes api-m users have to be authenticated</Description>
<Target>
<Subjects>
<Subject>
<!-- specific OU - need to get this working with a range of values -->
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DPT</AttributeValue>
<SubjectAttributeDesignator AttributeId="ou" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
</Subject>
</Subjects>
<Resources>
<AnyResource/>
</Resources>
<Actions>
<AnyAction/>
</Actions>
</Target>
<Rule RuleId="1" Effect="Permit"/>
</Policy>
Custom attributes can even be added to the Fedora XML User file (not the Tomcat user file) rather than using LDAP. Likely there is a better way to do this, but as I stated before I'm rather new to XACML and don't fully understand it. This rule works on my localhost test server based on the other rules also in place. Your mileage may vary.
Also, as stated in the sample policy file, make sure that the client you are testing from can both be permitted and then later denied API-M access before you put a rule like this in place as debugging XACML policies in Fedora seems to be extremely difficult with little data being written to the log file even in Debug mode (you will see an operation passed or failed but never the name of the rule that caused the pass/fail result to happen).
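
Because the Fedora log does not say which part of a policy matched, the subject target can be checked offline against a saved copy of the /fedora/user document. The following is an added example, not code from the post or from Fedora: it evaluates only the <Subjects> part of a XACML 1.0 <Target> with string-equal matches, ignoring resources, actions and rules. The second OU "LIB", the user "Ann Other" and all function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:1.0:policy"}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

# Constructed policy: the "ou" target plus a second <Subject> ("LIB" is a made-up OU).
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="permit-apim-to-ldap-ou" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><Subjects>
  <Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DPT</AttributeValue>
   <SubjectAttributeDesignator AttributeId="ou" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </SubjectMatch></Subject>
  <Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">LIB</AttributeValue>
   <SubjectAttributeDesignator AttributeId="ou" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </SubjectMatch></Subject>
 </Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
 <Rule RuleId="1" Effect="Permit"/>
</Policy>"""

# Constructed user documents in the shape returned by /fedora/user.
USER_DPT = '<user id="Joe User"><attribute name="ou"><value>DPT</value></attribute><attribute name="role"/></user>'
USER_OTHER = '<user id="Ann Other"><attribute name="ou"><value>HR</value></attribute></user>'

def user_bags(user_xml):
    """Map each attribute name to its list of values; <attribute/> gives an empty bag."""
    return {a.get("name"): [v.text or "" for v in a.findall("value")]
            for a in ET.fromstring(user_xml).findall("attribute")}

def match_holds(match, bags):
    """string-equal holds if the literal equals any value in the attribute's bag."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId: %s" % match.get("MatchId"))
    wanted = match.find("x:AttributeValue", NS).text
    attr_id = match.find("x:SubjectAttributeDesignator", NS).get("AttributeId")
    return wanted in bags.get(attr_id, [])  # missing attribute: empty bag, no match

def subjects_match(policy_xml, user_xml):
    """Return (matched, index of the first matching <Subject>, or None)."""
    subjects = ET.fromstring(policy_xml).find("x:Target/x:Subjects", NS)
    if subjects.find("x:AnySubject", NS) is not None:
        return True, None
    bags = user_bags(user_xml)
    for i, subject in enumerate(subjects.findall("x:Subject", NS)):
        # sibling <Subject> elements are ORed; matches inside one are ANDed
        if all(match_holds(m, bags) for m in subject.findall("x:SubjectMatch", NS)):
            return True, i
    return False, None
```

Calling subjects_match(POLICY, USER_DPT) reports the index of the <Subject> that matched, which is the detail the Fedora debug log leaves out.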