Re: [Dev] SSL issue in EI while using Entitlement mediator with IS

2017-10-27 Thread Dilshani Subasinghe
Hi Tharindu,

Thanks for pointing out methods to identify root cause through SSL logs.

It was identified that EI 6.1.1 had an issue with the expired private key,
and the issue was fixed when I used the latest pack with the WUM update.

Thank you,
Dilshani

On Fri, Oct 27, 2017 at 5:23 AM, Tharindu Edirisinghe 
wrote:

> By the way, shouldn't we BCC (instead of CC) the internal mailing lists
> when mailing to public mailing lists like Dev?
>
> Hi Dilshani,
>
> Disabling hostname verification to bypass this issue would not be a good
> practice.
>
> This error message can come from several certificate-related issues.
> Therefore, to isolate the exact issue, would you be able to start EI with
> SSL debug logs enabled for the handshake?
>
> -Djavax.net.debug=ssl:handshake
>
> You'll have to append the SSL debug logs to a file as it would just print
> to terminal without appending to carbon log.
>
> sh integrator.sh -Djavax.net.debug=ssl:handshake > ssl.log
>
> Once EI is running, try out the same flow and check (or share) the SSL
> debug log. Then you should be able to identify the root cause.
>
> Thanks,
> TharinduE
>
> On Thu, Oct 26, 2017 at 10:16 PM, Dilshani Subasinghe 
> wrote:
>
>> Hi all,
>>
>> I implemented the "Fine-grained access control for SOAP services" pattern (refer
>> to the 25th pattern in this blog [1]) using WSO2 EI 6.1.1 and WSO2 IS 5.3.0. I
>> was able to implement the pattern locally and tested it successfully. While
>> moving to a cloud setup, I got some errors when EI tried to make the
>> connection with IS.
>>
>> I got an error as follows:
>>
>> [2017-10-26 18:52:05,406] [EI-Core]  INFO - HTTPSender Unable to
>> sendViaPost to url[https://192.168.57.251/services/EntitlementService]
>> javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname
>> validation for name: null
>> at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
>> at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186)
>> at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
>>
>> After referring to some docs and emails, I found out we need to add the
>> following property in the integrator.sh script.
>>
>> -Dorg.opensaml.httpclient.https.disableHostnameVerification=true \
>>
>> After adding that, again got an error as follows:
>>
>> [2017-10-26 20:19:16,448] [EI-Core]  INFO - HTTPSender Unable to
>> sendViaPost to url[https://is.dev.wso2.org/services/EntitlementService]
>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>> at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
>> at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:259)
>> at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:158)
>>
>> Any idea on fixing this issue?
>>
>> [1] https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389
>>
>> --
>> Best Regards,
>>
>> Dilshani Subasinghe
>> Software Engineer - QA | WSO2
>> lean | enterprise | middleware
>>
>> Mobile : +94773375185
>> Blog: dilshani.me
>>
>> 
>>
>
>
>
> --
>
> Tharindu Edirisinghe
> Senior Software Engineer | WSO2 Inc
> Platform Security Team
> Blog : http://tharindue.blogspot.com
> mobile : +94 775181586
>



-- 
Best Regards,

Dilshani Subasinghe
Software Engineer - QA | WSO2
lean | enterprise | middleware

Mobile : +94773375185
Blog: dilshani.me


___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
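The two exceptions quoted in this thread come from different checks. The first, "SSL peer failed hostname validation", is the hostname verifier rejecting the name the client connected to (note that the first URL used an IP literal, 192.168.57.251, rather than a DNS name). The second, "peer not authenticated", means no verified peer certificate was available for the session at all, which is what trust or validity problems such as the expired key Dilshani found produce. Tharindu's advice stands: disabling the verifier hides the symptom and leaves the connection open to impersonation. As an added illustration that is not code from the thread or from WSO2, the following Python implements the checks a hostname verifier performs (exact DNS match, left-most-label wildcard, IP SAN for IP literals) together with the validity-window check, on a constructed certificate description; the SAMPLE_CERT fields, the dates and the function names are assumptions of this example.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample data, not a real certificate: the fields a TLS client's
# hostname verifier and validity check look at, as a parser would hand them back.
SAMPLE_CERT = {
    "subject_cn": "is.dev.wso2.org",
    "san_dns": ["is.dev.wso2.org", "*.dev.wso2.org"],
    "san_ip": ["10.0.0.5"],
    "not_before": datetime(2017, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2018, 1, 1, tzinfo=timezone.utc),
}


def utc(year, month, day):
    """Small helper so callers can build the 'now' instant without importing datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _dns_match(pattern, host):
    """RFC 6125 style comparison: case-insensitive, a wildcard is accepted only
    as the entire left-most label, it never spans a dot, and it is never
    applied to a bare two-label name such as *.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, target):
    """Return (ok, reason).  An IP literal must appear as an IP SAN; a DNS name
    is matched against the DNS SANs, with the subject CN consulted only when
    the certificate has no DNS SAN at all (legacy behaviour)."""
    if not target:
        return False, "no host name to verify (target is null)"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(s) == ip for s in cert["san_ip"]):
            return True, "IP address matches an IP SAN"
        return False, "IP address %s is not listed as an IP SAN" % target
    names = cert["san_dns"] or [cert["subject_cn"]]
    for name in names:
        if _dns_match(name, target):
            return True, "host matches %s" % name
    return False, "host %s matches none of %s" % (target, names)


def cert_is_current(cert, now):
    """Validity-window check that chain validation performs before any name check."""
    return cert["not_before"] <= now <= cert["not_after"]


def verify_peer(cert, target, now):
    """Both checks in the order a TLS client applies them: validity window
    (part of chain validation) first, then the host name."""
    if not cert_is_current(cert, now):
        return False, "certificate not valid on %s (valid %s to %s)" % (
            now.date(), cert["not_before"].date(), cert["not_after"].date())
    return hostname_matches(cert, target)


if __name__ == "__main__":
    when = utc(2017, 10, 27)
    for host in ("192.168.57.251", "is.dev.wso2.org", "api.dev.wso2.org",
                 "a.b.dev.wso2.org", None):
        print(host, verify_peer(SAMPLE_CERT, host, when))
    print("expired:", verify_peer(SAMPLE_CERT, "is.dev.wso2.org", utc(2019, 1, 1)))
```

Running it shows why an IP-literal URL cannot pass against a certificate that only carries DNS names, why the DNS name and a single-label wildcard pass, and how the same certificate is rejected once past its notAfter date. The fix in each case is on the certificate side (a SAN for the name actually used, a current certificate), not on the verifier.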


Re: [Dev] UserAccountAssociationService having “/permission/admin/login” permissions in some operations

2017-10-27 Thread Mushthaq Rumy
Hi Thanuja,

Thanks for the clarification. One more thing: is there a way to prevent
specific users who have the "permission/admin/login" permission from logging
in to the Management Console?

Thanks & Regards,
Mushthaq

On Thu, Oct 26, 2017 at 7:28 PM, Thanuja Jayasinghe 
wrote:

> Hi Mushthaq,
>
> The UserAccountAssociationService.switchLoggedInUser() service method is only
> useful for users who have a logged-in session, because this feature provides
> support for switching between associated user accounts in that logged-in
> session. In order to create a session we need to call
> AuthenticationAdmin.login(), and in this service method we do check
> whether the user has the permission/admin/login permission [1]. So it is a
> must to have the permission/admin/login permission for any user who is using
> the switchLoggedInUser method.
>
> I think this gives the rationale for the other methods which have the same
> permission level.
>
> [1] - https://github.com/wso2/carbon-kernel/blob/4.4.x/core/org.wso2.carbon.core.services/src/main/java/org/wso2/carbon/core/services/authentication/AuthenticationAdmin.java#L110
>
> Thanks,
> Thanuja
>
> On Thu, Oct 26, 2017 at 6:18 PM, Mushthaq Rumy  wrote:
>
>> Hi All,
>>
>> Is there a specific reason to have "/permission/admin/login" in some of
>> the operations in UserAccountAssociationService?
>>
>> This permission will allow the users to log in to the Management Console.
>> In case someone wants to use these operations of
>> UserAccountAssociationService in a separate client application and he/she
>> does not want the users of this application to log in to the Management
>> Console, what would be the workaround and how can we solve this?
>>
>> Your thoughts on this are highly appreciated.
>>
>> Thanks & Regards,
>> Mushthaq
>> --
>> Mushthaq Rumy
>> *Software Engineer*
>> Mobile : +94 (0) 779 492140
>> Email : musht...@wso2.com
>> WSO2, Inc.; http://wso2.com/
>> lean . enterprise . middleware.
>>
>> 
>>
>
>
>
> --
> *Thanuja Lakmal*
> Associate Technical Lead
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891
>



-- 
Mushthaq Rumy
*Software Engineer*
Mobile : +94 (0) 779 492140
Email : musht...@wso2.com
WSO2, Inc.; http://wso2.com/
lean . enterprise . middleware.


___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Enrich mediator Issue with Json in wso2 esb

2017-10-27 Thread Sudharma Subasinghe
Hi Aditya,

This has been fixed with [1], and you can try it with the latest WSO2 Enterprise
Integrator (WSO2 EI) integrator profile. There you can avoid both of the above
issues by enabling synapse.json.to.xml.processing.instruction.enable in the
synapse.properties file.

Please refer to [2] for more info about using EI.

[1] https://wso2.org/jira/browse/ESBJAVA-4721
[2] https://docs.wso2.com/display/EI611/

Thanks
Sudharma

On Thu, Oct 26, 2017 at 3:00 PM, aditya shivankar <
shivankar.adit...@gmail.com> wrote:

> Hi,
>
> A few more similar things I found regarding this same flow.
> If the request contains an empty array, it disappears from the response
> completely.
> For E.g.
>
> Request :
> {
>   "id" : "3",
>   "parts" : ["Screen"],
>   "test" : [],
>   "numberTest" : 40
> }
>
>
> Actual Response :
> {
>   "id": "3",
>   "parts": "Screen",
>   "numberTest": "40",
>   "make": "Tamsung"
> }
>
> Desired Response :
> {
>   "id": "3",
>   "parts": ["Screen"],
>   "test" : [],
>   "numberTest": "40",
>   "make": "Tamsung"
> }
>
>
> Issue :
>
>   In the actual response, the empty array named "test" is missing.
>
>   So overall there are two issue scenarios:
> 1. When there is an array in the request with a single (one) element in it.
> 2. When there is an empty array in the request.
>
>
> With Regards,
> Aditya
>
> On Wed, Oct 25, 2017 at 5:37 PM, aditya shivankar <
> shivankar.adit...@gmail.com> wrote:
>
>> Hi,
>>
>> Let me reformat (summarize) the remaining issue now, as one issue is
>> resolved.
>> The issue which still needs to be addressed is:
>>
>>
>> Below is the sample service I have created to highlight the issue I am
>> facing in my project (in the actual project service, the request and response
>> are very big and dynamic, and this issue is repeating at many places).
>>
>> Request : { "id" : "3", "parts" : ["Screen"] }
>>
>> Actual Response : { "id": "3", "parts": "Screen", "make": "Tamsung" }
>>
>> Desired Response :
>>
>> { "id": "3", "parts": ["Screen"], "make": "Tamsung" }
>> --
>>
>> Issue :
>>
>> 1. "parts": "Screen",
>>
>>    should have been like below
>>
>>    "parts": ["Screen"],
>>
>>    i.e. it does not remain an array anymore. I understand the array consists
>>    of only one element. But the third-party system to which the output of this
>>    service is sent as input (request) expects the element as an array. So I need
>>    it to be an array.
>>
>>
>> I think I cannot recreate the message using payloadFactory because the
>> message (payload) I am modifying with the enrich mediator is a huge and
>> dynamic response from a third-party service. This response I need to
>> modify/enrich at many places in my service and send it to another third-party
>> service as input.
>>
>> With "dynamic" I mean that some things in the message (payload) are
>> different (change) every time the service receives the request, depending on
>> some factors in the request received by the third-party service whose output
>> is the input message to this service.
>>
>> So I think I cannot recreate the message using payloadFactory like this
>>
>> {"id" : $1, "parts" : $2, "make" : "Tamsung"}
>>
>> as it will be a dynamic response from a third-party service.
>> So we cannot recreate the message in payloadFactory, it being not static.
>>
>>
>> arrayTest.xml :
>>
>> http://ws.apache.org/ns/synapse
>> Tamsung
>>
>> --
>>
>> Please guide...
>>
>> With Regards,
>> Aditya
>>
>
>


-- 
Sudharma Subasinghe,
Software Engineer,
WSO2 Inc.
Email: sudhar...@wso2.com 
Mobile : +94 710 565 157
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
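The two symptoms Aditya lists are the lossy part of a JSON to XML to JSON round trip: an array becomes repeated sibling elements, so a one-element array is indistinguishable from a single element, and an empty array leaves no element behind at all. The synapse.json.to.xml.processing.instruction.enable setting Sudharma points to addresses this by marking arrays in the intermediate XML with a processing instruction, so the reverse conversion can restore them. The following is an added illustration, not code from WSO2 or from the thread: a minimal converter in Python that does the same with an `<?xml-multiple NAME?>` marker (the marker name is this example's own assumption about the convention, not taken from the page), run on the request from the thread with and without markers, with a string replace standing in for the enrich mediator's appended "make" element.

```python
from xml.dom import minidom
from xml.sax.saxutils import escape

# Constructed sample: the request JSON from the thread.
REQUEST = {"id": "3", "parts": ["Screen"], "test": [], "numberTest": 40}


def json_to_xml(obj, root="jsonObject", mark_arrays=False):
    """Serialise a JSON object as XML.  Arrays become repeated sibling elements;
    with mark_arrays=True each array is announced by an <?xml-multiple NAME?>
    processing instruction (assumed marker name) so the reverse conversion can
    tell a one-element or empty array from a plain element."""
    return _element(root, obj, mark_arrays)


def _element(name, value, mark_arrays):
    if isinstance(value, dict):
        parts = []
        for key, val in value.items():
            if isinstance(val, list):
                if mark_arrays:
                    parts.append("<?xml-multiple %s?>" % key)
                parts.extend(_element(key, item, mark_arrays) for item in val)
            else:
                parts.append(_element(key, val, mark_arrays))
        return "<%s>%s</%s>" % (name, "".join(parts), name)
    if value is None:
        return "<%s/>" % name
    if isinstance(value, bool):
        value = "true" if value else "false"
    # Numbers lose their type here: 40 comes back as the string "40",
    # exactly as the thread's "numberTest": "40" shows.
    return "<%s>%s</%s>" % (name, escape(str(value)), name)


def xml_to_json(xml_text):
    """Reverse conversion.  A tag that occurs more than once, or that is
    announced by an xml-multiple marker, becomes a list; anything else becomes
    a single value."""
    return _value(minidom.parseString(xml_text).documentElement)


def _value(elem):
    multiples, groups, text = set(), {}, ""
    for node in elem.childNodes:
        if node.nodeType == node.PROCESSING_INSTRUCTION_NODE and node.target == "xml-multiple":
            multiples.add(node.data.strip())
        elif node.nodeType == node.ELEMENT_NODE:
            groups.setdefault(node.tagName, []).append(node)
        elif node.nodeType == node.TEXT_NODE:
            text += node.data
    if not groups and not multiples:
        return text  # leaf element: its text, always a string
    result = {name: [] for name in multiples}  # empty arrays survive only via the marker
    for name, nodes in groups.items():
        values = [_value(n) for n in nodes]
        result[name] = values if (name in multiples or len(values) > 1) else values[0]
    return result


def enrich_round_trip(obj, mark_arrays):
    """JSON -> XML -> (append <make>) -> JSON, mimicking a mediation flow that
    enriches the converted payload before converting it back."""
    xml = json_to_xml(obj, mark_arrays=mark_arrays)
    xml = xml.replace("</jsonObject>", "<make>Tamsung</make></jsonObject>")
    return xml_to_json(xml)


if __name__ == "__main__":
    print("intermediate XML:", json_to_xml(REQUEST, mark_arrays=True))
    print("without markers: ", enrich_round_trip(REQUEST, False))
    print("with markers:    ", enrich_round_trip(REQUEST, True))
```

Without markers the result is the "Actual Response" from the thread (parts collapsed to a string, test gone); with markers it is the "Desired Response". A two-element array survives either way, which is why the problem only shows up for single-element and empty arrays.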


[Dev] Getting the roles of tenant users through UserAdmin admin service by using super-tenant admin's credentials

2017-10-27 Thread Megala Uthayakumar
Hi All,

I am working on implementing a new store REST API, to get all the scopes
relevant to particular application and to filter the scopes based on the
roles of the user. Since this is a store API, I am calling the key
manager's UserAdmin admin service to get the roles of a particular user.
Basic Authentication is used for this purpose and the keyManager's
super-tenant user name and password are extracted from api-manager.xml.

While doing the testing, I found that the UserAdmin admin service will
only return the roles of the users from the tenant for which the particular
request is authenticated. @Farasath confirmed the same offline.
I tried with the RemoteUserStoreManagerService admin service as well. The
results seem to be the same. Is there any way to achieve this through the
admin services (i.e. to get the roles of a user from a different tenant by
using the super-tenant's credentials)?

Thanks.

Regards,
Megala
-- 
Megala Uthayakumar

Software Engineer
Mobile : 0779967122
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Getting the roles of tenant users through UserAdmin admin service by using super-tenant admin's credentials

2017-10-27 Thread Isura Karunaratne
Hi Megala,

This cannot be done using the existing admin services. You can do it by
using the SCIM2 APIs with the cross-tenancy feature. Add the following
cross-tenant="true" setting in the identity.xml file. Note that only SCIM2
supports the cross-tenancy feature.





Thanks
Isura.

On Fri, Oct 27, 2017 at 5:48 PM, Megala Uthayakumar  wrote:

> Hi All,
>
> I am working on implementing a new store REST API, to get all the scopes
> relevant to particular application and to filter the scopes based on the
> roles of the user. Since this is a store API, I am calling the key
> manager's UserAdmin admin service to get the roles of a particular user.
> Basic Authentication is used for this purpose and the keyManager's
> super-tenant user name and password are extracted from api-manager.xml.
>
> While doing the testing, I found that the UserAdmin admin service will
> only return the roles of the users from the tenant for which the particular
> request is authenticated. @Farasath confirmed the same offline.
> I tried with the RemoteUserStoreManagerService admin service as well. The
> results seem to be the same. Is there any way to achieve this through the
> admin services (i.e. to get the roles of a user from a different tenant by
> using the super-tenant's credentials)?
>
> Thanks.
>
> Regards,
> Megala
> --
> Megala Uthayakumar
>
> Software Engineer
> Mobile : 0779967122
>



-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] Usage of "tocommonauth" property in OAuth2 Authorize Endpoint

2017-10-27 Thread Isura Karunaratne
Hi all,

If the "tocommonauth" property value is true, the authentication response
from the login page is forwarded to the commonauth endpoint through the OAuth2
Authorize Endpoint.


   - IIRC, this was done to reduce the number of redirections in the OAuth flow,
   but I think it is better to handle all the login responses from the
   commonauth endpoint.
   - Do we need to continue supporting this, or shall we remove it?


String isToCommonOauth =
        request.getParameter(FrameworkConstants.RequestParams.TO_COMMONAUTH);

if ("true".equals(isToCommonOauth) && flowStatus == null) {
    try {
        return sendRequestToFramework(request, response);
    } catch (ServletException | IOException e) {
        log.error("Error occurred while sending request to authentication framework.");
        return Response.status(HttpServletResponse.SC_INTERNAL_SERVER_ERROR).build();
    }
}



Thanks
Isura.

-- 

*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Usage of "tocommonauth" property in OAuth2 Authorize Endpoint

2017-10-27 Thread Ishara Karunarathna
Hi Isura,



On Fri, Oct 27, 2017 at 7:43 PM, Isura Karunaratne  wrote:

> Hi all,
>
> If the "tocommonauth" property value is true, the authentication response
> from the login page will forward to the commonauth endpoint through OAuth2
> Authorize Endpoint.
>
>
>- IIRC, this was done to reduce the number of redirection in OAuth
>flow, but I think it is better to handle all the login response from the
>commonauth endpoint.
>
This is used in the SAML flow as well to reduce the redirections.

>
>- Do we need to continue supporting this or shall we remove this?
>
>
At the moment, in IS components we are not setting this parameter, but
there are some other components, e.g. App Manager, using this (customers
may have implemented authenticators with this parameter).
Do you see any issues supporting this?
If not, I think it's better to keep it.

-Ishara

> String isToCommonOauth =
>         request.getParameter(FrameworkConstants.RequestParams.TO_COMMONAUTH);
>
> if ("true".equals(isToCommonOauth) && flowStatus == null) {
>     try {
>         return sendRequestToFramework(request, response);
>     } catch (ServletException | IOException e) {
>         log.error("Error occurred while sending request to authentication framework.");
>         return Response.status(HttpServletResponse.SC_INTERNAL_SERVER_ERROR).build();
>     }
> }
>
>
>
> Thanks
> Isura.
>
> --
>
> *Isura Dilhara Karunaratne*
> Associate Technical Lead | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
>
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev