I am getting a permission denied issue in 1.9 with the REST API even though I added all required Roles and Permissions.
It's working for guest users and I am getting the JSON result.
I can take customers via the url api/rest/products?limit=1 without any authentication if I enabled Guest permission.
At the same time it's working with oAuth for a valid admin user.
But if I disabled guest permissions it's not working for a valid admin user, showing the permission denied message.
When I check the access log, I can see the below:
exception 'Mage_Api2_Exception' with message 'Access denied' in /var/www/html/app/code/core/Mage/Api2/Model/Server.php:217
Stack trace: #0 var/www/html/app/code/core/Mage/Api2/Model/Server.php(106): Mage_Api2_Model_Server->_allow(Object(Mage_Api2_Model_Request), Object(Mage_Api2_Model_Auth_User_Guest))
#1 /var/www/html/api.php(73): Mage_Api2_Model_Server->run()
Is it because each API request via oAuth is treated in Guest mode?
How are you testing? Are you absolutely sure that you are indeed running an authorised request when disabling guest permission?
Maybe you can do some step-by-step debug in the class method _allow of Mage_Api2_Model_Server.
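The trace posted in the question already records which user object the server passed to _allow for the denied request. The following is an added example (not part of the original thread and not Magento code) that extracts that class from the exception log, so denied requests can be counted by the user type the server resolved them to; SAMPLE_LOG is the excerpt from the question and the function names are this example's own.

```python
import re

# Log excerpt as posted in the question above.
SAMPLE_LOG = """\
exception 'Mage_Api2_Exception' with message 'Access denied' in /var/www/html/app/code/core/Mage/Api2/Model/Server.php:217
Stack trace: #0 var/www/html/app/code/core/Mage/Api2/Model/Server.php(106): Mage_Api2_Model_Server->_allow(Object(Mage_Api2_Model_Request), Object(Mage_Api2_Model_Auth_User_Guest))
#1 /var/www/html/api.php(73): Mage_Api2_Model_Server->run()
"""

EXC_RE = re.compile(r"exception '(?P<cls>[\w\\]+)' with message '(?P<msg>[^']*)'")
ALLOW_RE = re.compile(r"->_allow\((?P<args>.*)\)\s*$")
OBJ_RE = re.compile(r"Object\((\w+)\)")
USER_PREFIX = "Mage_Api2_Model_Auth_User_"


def resolved_user_types(log_text):
    """Return one record per logged exception, with the user type taken from
    the Mage_Api2_Model_Auth_User_* argument of the _allow stack frame."""
    records, current = [], None
    for line in log_text.splitlines():
        exc = EXC_RE.search(line)
        if exc:
            current = {"exception": exc["cls"], "message": exc["msg"],
                       "user_type": None}
            records.append(current)
        allow = ALLOW_RE.search(line)
        if allow and current is not None:
            for cls in OBJ_RE.findall(allow["args"]):
                if cls.startswith(USER_PREFIX):
                    current["user_type"] = cls[len(USER_PREFIX):].lower()
    return records


def summarize(log_text):
    """Count logged exceptions per resolved user type."""
    counts = {}
    for rec in resolved_user_types(log_text):
        key = rec["user_type"] or "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A result of guest for a request that was meant to carry OAuth credentials means the server did not accept or did not receive them, which is the point the reply above asks to verify.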
I'm working on a RESTful API for Post shipment. When I check it in Postman it shows me an Access Denied error. Can anyone help me?
https://api.postshipping.com/api2/tracks?ReferenceNumber=************
Most likely you are missing a session cookie / authentication at all to access this endpoint. Please check, if there is any authentication required and if so, if the user has enough rights to access this data.
After changing the password of user "admin", I can't log in to device manager.
The welcome screen is turning and then tells me that there is an error:
[2017-10-23 10:11:41,401] [IoT-Core] ERROR {org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl} - Invalid OAuth Token : Invalid access token
[2017-10-23 10:11:41,401] [IoT-Core] ERROR {org.wso2.carbon.apimgt.rest.api.util.impl.WebAppAuthenticatorImpl} - Authentication failed. Please check your username/password
[2017-10-23 10:11:41,401] [IoT-Core] WARN {org.apache.cxf.phase.PhaseInterceptorChain} - Interceptor for {http://store.api.rest.apimgt.carbon.wso2.org/}SwaggerJsonApi has thrown exception, unwinding now
org.apache.cxf.interceptor.security.AuthenticationException: Unauthenticated request
It seems to have a fix (https://github.com/wso2/product-iots/issues/1033) but how can I fix it in 3.1.0?
Edit: I've changed the db from H2 to mysql and now I can't change the admin password in the device management console.
I can't add a user anymore either.
Error in user management:
DataTables warning: table id=user-grid - Ajax error. For more information about this error, please see http://datatables.net/tn/7
Error shown in the browser when I try to change the admin password:
900908
Resource forbidden
Access failure for API: /api/device-mgt/v1.0/users/1.0.0, version: 1.0.0 status: (900908) - Resource forbidden
Back to the H2 DB for this part, still no luck. When the admin password is changed, device manager is not accessible for the super admin.
Edit 2:
I've found a trick.
Back on H2 for user management, I've created another user with all roles.
Then I've changed the admin password to "disable" it.
It works, my new admin has all roles.
But when the admin password is changed, access to the store is forbidden.
This article says it is fixed: https://wso2.org/jira/browse/EMM-1295
I've changed the admin pass again, no message. Maybe I made a mistake.
Thanks.
Regards,
Alex.
After searching, I found this:
https://docs.wso2.com/display/IoTS310/Changing+the+Super+Administrator+Username+and+Password
Tested and OK.
You have to change the password in the Carbon web interface.
And follow the instructions at the link above.
We are getting this exception from RestoreMostRecentFromCacheOrAuthenticateUserAsync() on the MsaAuthenticationProvider object from the OneDrive authentication sdk. When we use AuthenticateUserAsync() we are presented with a login prompt requesting email address and password as though it's not recognizing the locally authenticated account on the machine. Only once we authenticate using AuthenticateUserAsync() and grant permissions are we able to use RestoreMostRecentFromCacheOrAuthenticateUserAsync() to authenticate the user. I don't know when this problem started, I just know that we've recently gotten a complaint from a user that changed their password for their Microsoft account, and suddenly encountered the generalException. For test purposes, we removed granted permissions for the app and a few minutes later we encountered the generalException. When we first implemented and tested this sdk, everything worked perfectly.
Is this a problem with the sdk or on the service end? When can we expect resolution?
I'm trying to use wso2 APPM (vers 1.10.0) with an external ldap as authentication without real success.
I'll try to be as factual as possible to let it be testable:
I've unzipped the wso2appm zip file under linux
I've set up the java_home var
I've started wso2server.sh ==> no problem displayed in the log; at this step I should point out that I'm using the default database of wso2.
Then logging in to the carbon gui, and adding a new userstore management set up for a read-only external ldap.
After a few seconds, the ldap users appear in the user list.
Then selecting myself in the list and adding the internal/store role.
Opening the store url, and trying to log in with the login / password of my user
Then I get a message informing me that the user does not have the store profile.
If I log into carbon with my ldap user, it's working.
The same use case with the API looks fine to log into the store.
Any fix or ideas are welcome.
BR,
jfv
By the looks of it I suspect your issue is, the privileges are not set correctly for your ldap user store roles. Please make sure that you have assigned the internal/subscriber role to the relevant user in your permission tree. You can find more details about this at JIRA ticket [1]
[1] https://wso2.org/jira/browse/APPM-279
Cheers,
Pubudu
Hi and thank you for your answer,
First: I checked the solution you proposed this morning, and there is no change.
Secondly, I've tried to add all privileges without more success,
but if I create a new user manually, this one can log in.
The following errors are shown in the log when I try to log in with an ldap user.
[2016-05-09 07:48:54,272] INFO - ReadOnlyLDAPUserStoreManager LDAP connection created successfully in read-only mode
[2016-05-09 07:48:54,283] INFO - UserStoreDeploymentManager Realm configuration of tenant:-1234 modified with /opt/wso2appm/repository/deployment/server/userstores/orange_com.xml
[2016-05-09 07:50:18,187] WARN - CarbonAuthenticationUtil Failed Administrator login attempt 'admin[-1234]' at [2016-05-09 07:50:18,187+0200]
[2016-05-09 07:50:18,189] WARN - AuthenticationHandler Illegal access attempt at [2016-05-09 07:50:18,0188] from IP address 10.199.210.37 while trying to authenticate access to service RemoteAuthorizationManagerService
[2016-05-09 07:50:18,189] ERROR - AUDIT_LOG Illegal access attempt at [2016-05-09 07:50:18,0188] from IP address 10.199.210.37 while trying to authenticate access to service RemoteAuthorizationManagerService
[2016-05-09 07:50:18,221] WARN - acs:jag User jaav7491 does not have permission to access the store application. Make sure the user has the store role.
The login is "jaav7491"
Thank you for your ideas,
BR,
jfv
I want to get started with the Office365 Unified API, so I decided to register a new web app to our azure directory.
In the section "permissions to other applications", I select Office365 unified API (preview)
I only get to set delegated permissions (I don't have all admin powers in our tenant), so I choose the ones I need (user profiles, sign-in, the exact number does not matter).
When I save the configuration I get the message
Could not update the configuration for app ""
Information tells me:
Unauthorized. You do not have sufficient permissions to access this resource.
The strange thing is that when I log out and return to the application in the Azure Portal, I do see those modifications in the configuration?!
Finally when I try to call the REST endpoint (with a valid access token etc.) I get this message:
{"error":"invalid_grant","error_description":"AADSTS65001: No permission to access user information is configured for 'f1299649-ea20-4cf6-9cd6-afb69d9b5760' application, or it is expired or revoked.\r\nTrace ID: 69ab1a6c-eeda-4351-8e1e-2b774c19a5a0\r\nCorrelation ID: 968a962e-d851-48bb-ad6f-3f05ea7b8efe\r\nTimestamp: 2015-06-18 20:12:15Z","error_codes":[65001],"timestamp":"2015-06-18 20:12:15Z","trace_id":"69ab1a6c-eeda-4351-8e1e-2b774c19a5a0","correlation_id":"968a962e-d851-48bb-ad6f-3f05ea7b8efe","submit_url":null,"context":null}
So maybe the Azure Portal UI is right the first time and those permissions were never stored with the app?
The application details in https://portal.office.com/myapps tell me this:
Permissions
This app works with data in your documents. It will be able to:
Read directory data
Sign you in and read your profile
Read all users' basic profiles
Access the directory as you
Read directory data
Sign-in as you and read your profile
What would be the next step to take to get this to work?
What is your app trying to do (in terms of access to users, groups etc)?
Access the directory as you is a permission that requires admin consent. The portal unfortunately has a bug that it appears as though you have the permission, but that's not true. That's because there are 2 elements here - configuring the permissions your app needs which drives the consent experience AND the consent grant. The portal (under the covers) tries to consent the app for the permissions it requires within the developer tenant. A non-admin in this case has permissions to update the app configuration, but not to consent for those permissions in their tenant.
Hope this helps,
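The error body posted in the question carries everything needed to tell a missing consent grant apart from a credential problem. The following is an added example (not part of the original thread and not from any Microsoft SDK) that parses that response into the AADSTS code, application id and trace identifiers, and flags the case the answer above describes. The function names, the category label and the KNOWN_CODES map are this example's own assumptions.

```python
import json
import re

# Token-endpoint error body as posted in the question (line breaks added between keys).
SAMPLE_BODY = r'''{"error":"invalid_grant",
"error_description":"AADSTS65001: No permission to access user information is configured for 'f1299649-ea20-4cf6-9cd6-afb69d9b5760' application, or it is expired or revoked.\r\nTrace ID: 69ab1a6c-eeda-4351-8e1e-2b774c19a5a0\r\nCorrelation ID: 968a962e-d851-48bb-ad6f-3f05ea7b8efe\r\nTimestamp: 2015-06-18 20:12:15Z",
"error_codes":[65001],"timestamp":"2015-06-18 20:12:15Z",
"trace_id":"69ab1a6c-eeda-4351-8e1e-2b774c19a5a0",
"correlation_id":"968a962e-d851-48bb-ad6f-3f05ea7b8efe","submit_url":null,"context":null}'''

GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# Label chosen for this example: 65001 is the code the question received when
# no consent grant existed for the app. Extend the map for other codes you meet.
KNOWN_CODES = {65001: "consent_grant_missing"}


def triage_token_error(body):
    """Parse an Azure AD token-endpoint error body into fields for a ticket."""
    doc = json.loads(body)
    # error_description is "AADSTSnnnnn: message" plus CRLF-separated details.
    first, *details = doc.get("error_description", "").split("\r\n")
    code_match = re.match(r"AADSTS(\d+):\s*(.*)", first)
    app = re.search(r"'(%s)'" % GUID, first, re.I)
    codes = doc.get("error_codes") or ([int(code_match[1])] if code_match else [])
    return {
        "oauth_error": doc.get("error"),
        "aadsts_codes": codes,
        "message": code_match[2] if code_match else first,
        "app_id": app[1] if app else None,
        "trace_id": doc.get("trace_id"),
        "correlation_id": doc.get("correlation_id"),
        "category": next((KNOWN_CODES[c] for c in codes if c in KNOWN_CODES),
                         "unclassified"),
        "details": dict(d.split(": ", 1) for d in details if ": " in d),
    }


def needs_consent_check(report):
    """True when the failure points at the grant, not at the credentials."""
    return (report["oauth_error"] == "invalid_grant"
            and report["category"] == "consent_grant_missing")


if __name__ == "__main__":
    print(json.dumps(triage_token_error(SAMPLE_BODY), indent=2))
```

The trace and correlation ids returned here are the values to quote when asking a tenant administrator or support to look at the failed request.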
It is impossible to set permissions to Office 365 Unified API for your application even if you are tenant administrator due to error. I have tried it. Remember that whole Unified API is in Preview mode so there will definitely be other errors.