Hi,
so it seems my memory isn't that good, after all :-)

I could not find any valid reason supporting the status quo - most likely some errors during the code migration and refactoring from 1_2_X to master.

Anyway, I am working right now on SYNCOPE-883, fix should be available soon, implementing the general policy of returning:

* 403 for authenticated users not allowed to invoke a given REST endpoint
* 401 for anonymous users attempting to access a given REST endpoint which requires authentication

Regards.

On 29/06/2016 08:12, Francesco Chicchiriccò wrote:
Hi Colm,
I remember there was some good reason supporting this change (possibly as part of one of the initial 2.0.0 issues): I'll investigate tomorrow and report.

Regards.

On 28 June 2016 16:40:49 CEST, Colm O hEigeartaigh <cohei...@apache.org> wrote:
Hi,

Just wanted to check before filing a JIRA. With the latest 2.0.0-SNAPSHOT, I noticed that accessing the REST API without supplying a username/password returns 403 as opposed to the old 401.

wget http://localhost:9080/syncope/rest/users

--2016-06-28 15:40:01--  http://localhost:9080/syncope/rest/users
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:9080... connected.
HTTP request sent, awaiting response... 403
2016-06-28 15:40:01 ERROR 403: (no description).

Whereas with 1.2.7:

wget http://localhost:9080/syncope/rest/users
--2016-06-28 15:29:42--  http://localhost:9080/syncope/rest/users
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:9080... connected.
HTTP request sent, awaiting response... 401 Unauthorized

Username/Password Authentication Failed.

This means that if you open up a web browser and try to access say:

http://localhost:9080/syncope/rest/users

a pop-up window does not appear for the user to enter the user/password. Was there a reason for this change or will I file a bug?

Thanks,

Colm.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC,
CXF Committer, OpenJPA Committer, PonyMail PPMC
http://home.apache.org/~ilgrosso/
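
The status-code policy discussed in this thread (401 for anonymous callers, 403 for authenticated callers who are not allowed), as an added example that is not Syncope's code and not part of the original messages. The users, passwords, entitlement name and realm are constructed sample values, and treating invalid credentials the same as anonymous access is an assumption of this sketch.

```python
import base64
import hmac
from wsgiref.util import setup_testing_defaults

# Constructed sample data (assumptions, not Syncope's): two users with their
# entitlements, and the entitlement one REST path requires.
USERS = {"alice": ("s3cret", {"USER_LIST"}), "bob": ("hunter2", set())}
REQUIRED = {"/syncope/rest/users": "USER_LIST"}

def authenticate(environ):
    """Return the user name for valid Basic credentials, else None (anonymous)."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        name, _, secret = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # covers malformed base64 and non-UTF-8 bytes
        return None
    password = USERS.get(name, ("", None))[0]
    ok = name in USERS and hmac.compare_digest(password.encode(), secret.encode())
    return name if ok else None

def app(environ, start_response):
    """WSGI app applying the policy: 401 + challenge if anonymous, 403 if not allowed."""
    needed = REQUIRED.get(environ.get("PATH_INFO", ""))
    user = authenticate(environ)
    headers = []
    if needed is None:
        status = "404 Not Found"
    elif user is None:
        # The challenge header is what makes a browser show its login pop-up.
        status, headers = "401 Unauthorized", [("WWW-Authenticate", 'Basic realm="example"')]
    elif needed not in USERS[user][1]:
        status = "403 Forbidden"  # identity is known; asking again would not help
    else:
        status = "200 OK"
    start_response(status, headers)
    return [b""]

def probe(path, credentials=None):
    """Call app in-process (no network) and return (status code, headers dict)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    if credentials:
        token = base64.b64encode(":".join(credentials).encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    seen = {}
    app(environ, lambda status, headers: seen.update(code=int(status[:3]), headers=dict(headers)))
    return seen["code"], seen["headers"]
```

A regression check built on `probe` catches the behaviour reported above: an anonymous request that comes back as 403, or as 401 without a `WWW-Authenticate` header, fails the check.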
