Open bambamboole opened 9 years ago
Try now
Same issue on GET /api/v1/users.json with removed @Secure(roles="ROLE_API") in UserRestController.
response header:
403 Forbidden
Date: Sat, 13 Jun 2015 14:04:03 GMT
X-Debug-Token-Link: /app_dev.php/_profiler/237598
Allow: GET, POST
Server: nginx/1.8.0
Transfer-Encoding: chunked
Content-Type: application/json
Cache-Control: no-cache
Connection: keep-alive
X-Debug-Token: 237598
My development environment is a vagrant/homestead VM.
Update:
Now I tried a random salt and the POST /api/v1/tokens.{_format} works.
But when I add a header to another request with key `X-WSSE` and value `UsernameToken Username="admin", PasswordDigest="NdACxnR5GYgNMKyfyz3csELriwA=", Nonce="ZGY5ZDEyZTI5YjUyZmM4Mg==", Created="2015-06-13T21:25:25Z"`
I only get back:
401 WSSE authentication failed.
Date: Sat, 13 Jun 2015 21:25:57 GMT
X-Debug-Token-Link: /app_dev.php/_profiler/95e38b
Allow: GET, POST
Server: nginx/1.8.0
Transfer-Encoding: chunked
Content-Type: application/json
Cache-Control: no-cache
Connection: keep-alive
X-Debug-Token: 95e38b
I don't know what my error is...
How do you get the UsernameToken?
Can you post your security.yml?
security.yml:

```yaml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt
    role_hierarchy:
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_API, ROLE_ALLOWED_TO_SWITCH]
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        wsse_secured:
            pattern: ^/api/v1/((?!tokens))
            context: user
            stateless: true
            wsse:
                nonce_dir: null
                provider: fos_userbundle
                lifetime: 600
            anonymous: false
    access_control:
        - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
```
I got the token with the POST /api/v1/tokens.{_format} route and username: admin, password: password, salt: random string of 22 characters.
Generate your token on the client side. Use this for testing: http://www.teria.com/~koseki/tools/wssegen/
The pattern applied is an example; you could, for example, replace it with `wsse_secured: pattern: ^/api/v1/(?!tokens|salt)([a-z0-9]+)$`
Then the SALT resource and TOKENS will be available without authentication. The thing is that POST USER is not under this pattern, so you could not access it, due to `HTTP/1.1 401 WSSE authentication failed`.
You can play with this, or we may expose SALT, TOKENS and POST USER in a "public" URL so they can be accessible outside the firewall.
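As an added example (not code from this thread or from the bundle), the following Python builds the X-WSSE `UsernameToken` header the way the wssegen tool does (`PasswordDigest = Base64(SHA1(raw_nonce + Created + secret))`) and checks it server-side with the `lifetime: 600` from the posted security.yml plus a nonce replay check. Which value the bundle actually uses as the secret (the plain password or the token returned by POST /api/v1/tokens), the user store and the fixed field order are assumptions.

```python
import base64, hashlib, hmac, os, re, time
from datetime import datetime, timezone

LIFETIME = 600  # seconds, same value as `lifetime: 600` in the posted security.yml
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Field order as in the headers quoted in this thread (assumption: order is fixed).
TOKEN_RE = re.compile(r'UsernameToken Username="([^"]*)", PasswordDigest="([^"]*)", '
                      r'Nonce="([^"]*)", Created="([^"]*)"')

def wsse_digest(nonce_b64, created, secret):
    # WSSE UsernameToken profile: Base64(SHA1(raw_nonce + Created + secret))
    raw = base64.b64decode(nonce_b64) + created.encode() + secret.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_header(username, secret, now=None, nonce=None):
    # Client side: the value wssegen produces for a user and secret
    now = time.time() if now is None else now
    created = datetime.fromtimestamp(now, timezone.utc).strftime(TS_FMT)
    nonce_b64 = base64.b64encode(nonce or os.urandom(16)).decode()
    digest = wsse_digest(nonce_b64, created, secret)
    return (f'UsernameToken Username="{username}", PasswordDigest="{digest}", '
            f'Nonce="{nonce_b64}", Created="{created}"')

class WsseVerifier:
    # Server side: lifetime, nonce-replay and constant-time digest checks
    def __init__(self, secrets, lifetime=LIFETIME):
        self.secrets = secrets   # username -> secret (assumed user store)
        self.lifetime = lifetime
        self.seen = {}           # nonce -> expiry; in-memory stand-in for nonce_dir

    def verify(self, header, now=None):
        now = time.time() if now is None else now
        m = TOKEN_RE.fullmatch(header.strip())
        if not m:
            return False, "malformed header"
        user, digest, nonce, created = m.groups()
        try:
            created_ts = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc).timestamp()
        except ValueError:
            return False, "bad Created"
        if created_ts > now + 60 or now - created_ts > self.lifetime:
            return False, "Created outside lifetime"
        self.seen = {n: e for n, e in self.seen.items() if e > now}  # forget expired nonces
        if nonce in self.seen:
            return False, "nonce replayed"
        secret = self.secrets.get(user)
        if secret is None or not hmac.compare_digest(wsse_digest(nonce, created, secret).encode(), digest.encode()):
            return False, "bad user or digest"
        self.seen[nonce] = created_ts + self.lifetime
        return True, "ok"
```

A header that fails only because `Created` is too old, as in a replayed capture, is rejected before the digest is even computed, which is the behaviour the 600-second lifetime is meant to give.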
Yeah, now I can get the salt.
But getting the list of all users still doesn't work with the X-WSSE request header.
And how can I make POST User (register new user) accessible outside the firewall? In my opinion it doesn't make sense to put the register-new-user service behind a firewall, so that only registered users can access it, or?
Generated X-WSSE header (http://www.teria.com/~koseki/tools/wssegen/):
X-WSSE: UsernameToken Username="admin", PasswordDigest="U0pduqVyf51X2upww1sZf/qDH6s=", Nonce="MmQ2NzU1MDVjNmNiYjNmNw==", Created="2015-06-14T16:30:53Z"
apidoc response:

```
Request URL: GET /api/v1/users.json
Response Headers: 401 Unauthorized
Date: Sun, 14 Jun 2015 16:44:56 GMT
X-Debug-Token-Link: /app_dev.php/_profiler/356d9f
Allow: GET, POST
Server: nginx/1.8.0
Transfer-Encoding: chunked
Content-Type: application/json
Cache-Control: no-cache
Connection: keep-alive
X-Debug-Token: 356d9f
Response Body: { "code": 401, "message": "You are not authenticated" }
```
Sorry, but I have to ask again:
I tried almost everything to solve this problem...
That doesn't work...
Every time I get a 401.
Please help me :-(
You use nelmio for your test?
Yes!
I had the same problem. It works if you resend the POST with the good WSSE header via Firebug or a Chrome REST plugin.
Hi,
I only get 403 Forbidden with the sandbox requests.
Same error also with the POST /api/v1/users.{_format} for creating a new user.
I only cloned the repo, did composer install and ran travis.sh.
And another question:
From where do I get the salt for the POST /api/v1/tokens.{_format}?