ntua-unit-of-control-and-informatics / jaqpot-api-archived

JAQPOT Quattro is the 4th version of a YAQP, a RESTful web service which can be used to train machine learning models and use them to obtain toxicological predictions for given chemical compounds or engineered nano materials. The project is written in Java8 and JEE7.

AAService fails when AA token is not obtained at /login #22

Closed alphaville closed 9 years ago

alphaville commented 9 years ago

Assume a user obtains a token on some server other than enanomapper.ntua.gr. Then, having not used the login service of enanomapper.ntua.gr, the following line is never reached:

// in AAService, login, line 141
tokenMap.put(aToken.getAuthToken(), aToken.getUserName());

therefore, the token map does not contain that token and the user fails to get authenticated. Check out this curl command which reproduces the error:

curl -H 'subjectid:AQIC5wM2LY4SfcwdbhPuhBAKJCwZ6qBGk-blHsnTt0-t7ss.*AAJTSQACMDE.*' \
  http://enanomapper.ntua.gr:8880/jaqpot/services/algorithm/leverage \
  -d dataset_uri=http://enanomapper.ntua.gr:8880/jaqpot/services/dataset/ca8da7f6-ee9f-4a61-9ae4-b1d1525cef88 \
  -d prediction_feature=property/TOX/UNKNOWN_TOXICITY_SECTION/Total+surface+area++SAtot+/52D93BC3B68F26C8E787CC7A05E5130A23164405/3ed642f9-1b42-387a-9966-dea5b91e5f8a

(where the token has not been obtained on enanomapper.ntua.gr - e.g., obtain a token on your localhost and paste it in the above command).

The response is

{
  "code" : "Unauthorized",
  "actor" : "client",
  "message" : "Please login first!",
  "details" : "The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead. ",
  "httpStatus" : 403,
  "_id" : "ERR5tK6mjSnfR"
}
hampos commented 9 years ago

I thought we discussed this when I implemented it and we decided that the token must come from us or else there is no way to know who the user really is.

-----Original Message----- From: "Sopasakis Pantelis" notifications@github.com Sent: ‎8/‎4/‎2015 21:00 To: "KinkyDesign/JaqpotQuattro" JaqpotQuattro@noreply.github.com Subject: [JaqpotQuattro] AAService fails when AA token is not obtained at/login (#22)

alphaville commented 9 years ago

I don't remember that - I'll modify it a bit anyway. Check out http://opentox.org/dev/data/documents/development/opentoxreports/opentoxreportd33 page 19. Let's talk tomorrow if you have time to agree on how we'll go with tokens and users. I think it's best to not cache anything, but instead use the SSO service to retrieve the users' identity attributes. At the same time we can have our users in the DB with their capabilities, quota etc. I'll push a few changes later (without removing the cache) and we can discuss it then.
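The two designs discussed in this thread, the login-only token map from the original report and the "ask the SSO instead of trusting a local cache" approach proposed above, side by side as an added example. This is not the project's Java code (the real filter is AuthorizationRequestFilter/AAService); it is a Python model of the authorization-filter logic, and the SSO validator, its revoke helper and the two token strings are constructed stand-ins for the OpenTox AA service's token-validation call. The SSO-backed variant adds a short TTL cache so that a token revoked at the SSO stops working here within a bounded time rather than living in the map until restart:

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the SSO (OpenTox AA) service's token store: token -> username.
# A real filter would ask the SSO over HTTPS whether the token is valid and who owns it;
# both token strings are made up for this example.
FAKE_SSO_TOKENS: Dict[str, str] = {
    "AQIC-issued-by-enanomapper": "alice",   # obtained via this server's own /login
    "AQIC-issued-elsewhere": "bob",          # obtained on another server (the issue's case)
}


def fake_sso_validate(token: str) -> Optional[str]:
    """Stand-in for the SSO validation call: username if the token is valid, else None."""
    return FAKE_SSO_TOKENS.get(token)


def fake_sso_revoke(token: str) -> None:
    """Stand-in for a logout or expiry at the SSO."""
    FAKE_SSO_TOKENS.pop(token, None)


class CacheOnlyAuth:
    """The behaviour reported in the issue: a token is known only if this
    server's own /login put it into token_map, so a token issued elsewhere
    is rejected even though the SSO would vouch for it."""

    def __init__(self) -> None:
        self.token_map: Dict[str, str] = {}

    def login(self, token: str, username: str) -> None:
        # Equivalent of tokenMap.put(aToken.getAuthToken(), aToken.getUserName())
        self.token_map[token] = username

    def authenticate(self, token: str) -> Optional[str]:
        return self.token_map.get(token)


class SsoBackedAuth:
    """Ask the SSO about every token not seen recently. The TTL cache keeps a
    burst of requests from hitting the SSO on every call, and bounds how long
    a token revoked at the SSO keeps working on this server."""

    def __init__(self, validate: Callable[[str], Optional[str]],
                 ttl_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._validate = validate
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[str, Tuple[str, float]] = {}  # token -> (username, expires_at)

    def authenticate(self, token: str) -> Optional[str]:
        now = self._clock()
        hit = self._cache.get(token)
        if hit is not None and hit[1] > now:
            return hit[0]
        username = self._validate(token)
        if username is None:
            self._cache.pop(token, None)  # drop a stale positive entry; never cache failures
            return None
        self._cache[token] = (username, now + self._ttl)
        return username


def handle_request(auth, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Minimal model of the authorization filter: read the subjectid header,
    resolve it to a user, and otherwise answer with the 403 body shape from the issue."""
    token = headers.get("subjectid", "").strip()
    user = auth.authenticate(token) if token else None
    if user is None:
        return 403, {"code": "Unauthorized", "actor": "client",
                     "message": "Please login first!"}
    return 200, {"user": user}


if __name__ == "__main__":
    cache_only = CacheOnlyAuth()
    cache_only.login("AQIC-issued-by-enanomapper", "alice")
    print("cache-only, foreign token:",
          handle_request(cache_only, {"subjectid": "AQIC-issued-elsewhere"}))
    sso = SsoBackedAuth(fake_sso_validate)
    print("SSO-backed, foreign token:",
          handle_request(sso, {"subjectid": "AQIC-issued-elsewhere"}))
```

The cache-only variant reproduces the report exactly: the foreign token never went through this server's login, so it gets "Please login first!". The SSO-backed variant accepts it because the SSO confirms the user, while still rejecting unknown tokens and a missing header; the TTL is the knob that trades SSO round-trips against how long a logged-out user can keep calling the service.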

alphaville commented 9 years ago

Fixed - see AuthorizationRequestFilter and AAService.