AtlasOfLivingAustralia / spatial-service

Spatial web services and layer administration console
https://spatial.ala.org.au/ws

Failed on reading a species list just created by spatial-hub #229

Open qifeng-bai opened 8 months ago

qifeng-bai commented 8 months ago

The species list is created successfully, but spatial-hub gets a 401 error when it tries to retrieve it. For example, the following list was created by spatial-hub; however, spatial-hub failed to load it: https://lists-test.ala.org.au/ws/speciesListItems/dr22265?max=1

[Screenshot attached: 2023-12-08, 11:43 am]

qifeng-bai commented 8 months ago

@adam-collins found the new species-list will not let just anyone download a private list

qifeng-bai commented 8 months ago

What @adam-collins found: I need some help with service authentication that is not working. Is there a security annotation that will authenticate an Authentication: Bearer ... header if it is present and continue without validating the user if not?

- https://lists-test.ala.org.au/ws/speciesListItems/dr18755 requires no authentication, working
- https://lists-test.ala.org.au/ws/speciesListItems/dr22250 requires authentication (cookie auth works, I presume session) but does not work with a valid Authentication: Bearer...

For the failure case, authService.getUserId() returns null because Pac4jAuthService.profileManager.authenticated == false.

Additional testing includes:

- @RequireApiKey cannot be used because it returns 401 when no authentication is provided
- @SSO(gateway = true) cannot be used because it redirects to login when no authentication is provided
- SSO cannot be used because it redirects to login when no authentication is provided
- security.cas.authenticateOnlyIfLoggedInFilterPattern cannot be used because when Authentication: Bearer... is present it intercepts the request and returns an empty response with status 200. This one is odd.
- @AlaSecured(anonymous = true) ignores Authentication. AlaSecured cannot be used because it returns 403 when no authentication is provided

At this time the only option I can think of is to create a new webservice with @RequireApiKey because that will work when Authentication: Bearer... is present.

qifeng-bai commented 8 months ago

@sbearcsiro's answer: as you've discovered, this is not supported currently... agreed that the best place to add this is probably adding an optional=true param to @RequireApiKey, but I haven't looked too closely yet

qifeng-bai commented 8 months ago

Some thoughts regarding the user token and the webservice token. When a user creates a list via spatial hub:

1. A user sends the list creation request with its user token; SP verifies the token and collects the user details. In the next step, SP forwards/sends the request to the species-list with its webservice token. In this case, the species-list cannot fetch the user details via the webservice token.

2. Since SP creates a private list, when SP requests the created list, the request is denied by the species-list because the species-list needs to verify if the user has the right to read this list. However, Biocollect works because Biocollect creates a public list.
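The behaviour asked for in the two comments above (validate a bearer token when one is presented, otherwise continue anonymously, and then let the list's own visibility rule decide) can be modelled outside the Grails stack. The following Python sketch is an added illustration, not code from spatial-service, specieslist-webapp or ala-ws-security, and it does not reproduce any of the annotations discussed. It assumes a locally signed demo token (real deployments validate tokens issued by the IdP), uses the standard `Authorization` request header, and constructs list metadata in which dr18755 is public and dr22250 is private, as described on this page. It also covers the delegation problem from the second comment: a webservice token that carries no user identity cannot pass a per-user check on a private list, so the caller sees the same 401 as an anonymous request.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed demo secret; a real service validates IdP-issued tokens instead.
SECRET = b"constructed-demo-secret"


def mint_token(claims: dict) -> str:
    """Mint a compact HMAC-signed token (stand-in for a real access token)."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None."""
    if "." not in token:
        return None
    body, sig = token.split(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    padded = body + "=" * (-len(body) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < time.time():
        return None
    return claims


@dataclass(frozen=True)
class Principal:
    user_id: Optional[str] = None    # set only when the token/session names a user
    client_id: Optional[str] = None  # set for service (client-credentials) tokens


ANONYMOUS = Principal()


class Unauthorized(Exception):
    """A credential was presented but is invalid (HTTP 401)."""


def authenticate(headers: dict, session: dict) -> Principal:
    """Optional authentication: validate a Bearer token if one is present,
    else fall back to the session cookie, else continue as anonymous.
    A malformed or expired token is rejected, never downgraded to anonymous."""
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("bearer "):
        claims = verify_token(auth[7:].strip())
        if claims is None:
            raise Unauthorized("invalid bearer token")
        return Principal(user_id=claims.get("sub"), client_id=claims.get("client_id"))
    if session.get("user_id"):
        return Principal(user_id=session["user_id"])
    return ANONYMOUS


# Constructed list metadata mirroring the page: dr18755 public, dr22250 private.
LISTS = {
    "dr18755": {"public": True, "owner": "user-a"},
    "dr22250": {"public": False, "owner": "user-b"},
}


def read_list(list_id: str, headers: dict, session: dict) -> int:
    """Return the HTTP status the list endpoint would answer with."""
    try:
        who = authenticate(headers, session)
    except Unauthorized:
        return 401
    entry = LISTS.get(list_id)
    if entry is None:
        return 404
    if entry["public"]:
        return 200
    # Private list: a user identity is required. A service token without a
    # 'sub' claim establishes no user, so it fails exactly like anonymous.
    if who.user_id is None:
        return 401
    return 200 if who.user_id == entry["owner"] else 403


if __name__ == "__main__":
    exp = int(time.time()) + 600
    hub = {"Authorization": "Bearer " + mint_token({"client_id": "spatial-hub", "exp": exp})}
    owner = {"Authorization": "Bearer " + mint_token({"sub": "user-b", "exp": exp})}
    print("public list, service token:", read_list("dr18755", hub, {}))
    print("private list, service token:", read_list("dr22250", hub, {}))
    print("private list, owner token:", read_list("dr22250", owner, {}))
```

The point of the design is that `authenticate` distinguishes three cases the annotations on this page conflate: no credential (anonymous, request continues), a valid credential (principal attached), and an invalid credential (401 regardless of the resource). Which of those is acceptable is then a per-resource decision in `read_list`, not a property of the endpoint's security annotation.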

adam-collins commented 8 months ago

spatial-hub pull request: https://github.com/AtlasOfLivingAustralia/spatial-hub/pull/463

specieslist pull request: https://github.com/AtlasOfLivingAustralia/specieslist-webapp/pull/297

adam-collins commented 4 months ago

Are we still waiting on biocollect?