[OpenAM] 401 Unauthorized response on checking Entitlements using REST interface - Email found in subject

Morris, Paul pmorris at nmh.org
Tue Oct 4 14:25:34 BST 2011


Also, just to level set, you're:

1) SHA1 hashing the token
2) Base64 encoding the hash. 
3) URL encoding the Base64 encoded string. 

Right?

Paul Morris

On Oct 4, 2011, at 7:25 AM, "Marco Beelen" <MBeelen at iprofs.nl> wrote:

> Hello Paul (and others),
> 
> Using the '/identity/authorize' URL I do get a proper response which indicates whether or not the policy allows access. This provides a useful starting point.
> 
> Besides this I would like to be able to get access to the '/ws/1/entitlement/....' URLs, since they provide options to return attributes about the user and resource in the response. The 'identity/authorize' just returns true or false...
> 
> So the original question for me still is: How can I solve the problem with the 401 on the '/ws/1/entitlement/decide' interface...
> 
> 
> With kind regards,
>    Marco
> 
> From: openam-bounces at forgerock.org [openam-bounces at forgerock.org] On Behalf Of Morris, Paul [pmorris at nmh.org]
> Sent: Tuesday, October 04, 2011 12:45 PM
> To: Users
> Subject: Re: [OpenAM] 401 Unauthorized response on checking Entitlements using REST interface - Email found in subject
> 
> Try /identity/authorize with the following params:
> 
> uri
> subjectid
> action
> 
> Also, make sure you're not double-encoding the token or something weird like that. I've done it before ;-) .
> 
> Paul Morris
> 
> On Oct 4, 2011, at 5:35 AM, "Marco Beelen" <MBeelen at iprofs.nl> wrote:
> 
> Hello,
> 
> I'm trying to use the Entitlement Service of OpenAM as a Policy Decision Point.
> In order to test various scenarios for Policy Rules I would like to use the REST interface to verify if the correct decision will be made for my users.
> I wrote a little Java program, which will send HTTP requests to the REST interface using Apache HTTP Client.
> I'm able to use the Identity REST interface to authenticate and validate the received token.
> 
> After the authentication I send a request to the entitlements decision URL (/openam/ws/1/entitlement/decision).
> I add the 'raw' token as an 'iPlanetDirectoryPro' cookie and encode the same token to a subject and add that as a request parameter. (Like described on the page: Introducing the OpenSSO Express 9 Entitlements Service REST <http://wikis.sun.com/display/OpenSSO/Introducing+the+OpenSSO+Express+9+Entitlements+Service+REST+Interfaces>)
> I add an additional parameter for the action (GET) and a resource (Some URL in my test scenarios.)
> 
> The server responds with an HTTP/1.1 401 Unauthorized.
> I don't see any warnings or errors in the logs of the server.
> 
> Could anybody explain / give some insight into what I need to change to receive a proper decision?
> 
> I have read the comment of 'dumoulin' at <http://wikis.sun.com/display/OpenSSO/Introducing+the+OpenSSO+Express+9+Entitlements+Service+REST+Interfaces#comments>
> about the custom X-Query-Parameter, but since the value of the cookie and encoded subject reference the same user I don't think I need that header.
> 
> With kind regards,
>    Marco Beelen
> _______________________________________________
> OpenAM mailing list
> OpenAM at forgerock.org<mailto:OpenAM at forgerock.org>
> https://lists.forgerock.org/mailman/listinfo/openam
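The three-step subject encoding Paul lists at the top of this message (SHA1 the token, Base64 the hash, URL-encode the Base64 once), together with a check for the double encoding he warns about, as an added Python example that is not part of the thread. The token value is constructed, and the parameter names `subject`, `action` and `resource` are assumed from Marco's description of the decision request rather than taken from OpenAM documentation.

```python
import base64
import hashlib
from urllib.parse import quote, unquote, urlencode

# Constructed sample token; a real iPlanetDirectoryPro value comes from the authenticate call.
SAMPLE_TOKEN = "AQIC5wM2LY4Sfcx-constructed-example-token"


def hash_subject(token: str) -> str:
    """Steps 1 and 2: SHA1 the raw token, then Base64 the 20-byte digest.
    The result is 28 characters and may contain '+', '/' and a trailing '='."""
    digest = hashlib.sha1(token.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def encode_subject(token: str) -> str:
    """Step 3: URL-encode the Base64 text exactly once, so '+', '/' and '='
    reach the server intact instead of being read as query-string syntax."""
    return quote(hash_subject(token), safe="")


def build_query(token: str, action: str, resource: str) -> str:
    """Assemble the query string for the decision call. urlencode() percent-encodes
    every value itself, so it must be handed the *un-encoded* Base64 subject;
    passing encode_subject() here is exactly the double encoding Paul warns about.
    Parameter names are assumed from the thread, not taken from OpenAM docs."""
    return urlencode({"subject": hash_subject(token), "action": action, "resource": resource})


def subject_matches_token(subject_param: str, token: str) -> bool:
    """What the server effectively checks: undo one layer of URL encoding and compare
    with the hash of the token carried in the iPlanetDirectoryPro cookie."""
    return unquote(subject_param) == hash_subject(token)


def looks_double_encoded(value: str) -> bool:
    """True when a second unquote() pass still changes the value, i.e. percent-escapes
    were themselves escaped ('%2B' sent as '%252B'). A correctly encoded subject is
    stable after one pass, which makes this a quick client-side sanity check."""
    once = unquote(value)
    return once != value and unquote(once) != once
```

Comparing `unquote()` of the subject you actually put on the wire against `hash_subject()` of the cookie value is the quickest way to tell an encoding mismatch from a genuine policy or session problem.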