[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Handle-info] Secret Key authentication in Java

Hello.


Yes exactly, the authorization of a Handle that itself is in HS_VLIST instead HS_ADMIN doesn't work  (Error 400 - Invalid Admin) unless HS_VLIST has public-read permissions enabled


The first that I did was create several HS_ADMIN fields for the different administrators, however and because my scenario maybe could exist many of them (from index 100 to ¿115?¿110?), I tryed to put them all in HS_VLIST. 


Anyway, I'll go back to the HS_ADMIN indeces while HS_VLIST authentication is solved!.


Thanks for your help!

De: Robert R Tupelo-Schneck <schneck@cnri.reston.va.us>
Enviado: martes, 7 de marzo de 2017 16:33:48
Para: Ruiz-Zafra, Angel
Cc: handle-info@cnri.reston.va.us
Asunto: Re: [Handle-info] Secret Key authentication in Java
 
Ah.  Are you saying that authorization doesn't work using an HS_VLIST that is itself secret?

If so, I suspect we should consider it a bug in the server.

The only workaround I can see is to include the administrator identity directly in an HS_ADMIN value, which as far as I can tell can be secret.

Robert

On Mar 7, 2017, at 10:09 AM, Ruiz-Zafra, Angel <a.ruiz-zafra@ucl.ac.uk> wrote:

Using this Thread, with a similar issue:

If I have a handle, 55555/test, with the 200:HS_VLIST that contains 300:55555/user , Why should I define HS_VLIST with public-read permissions to authenticate as 55555/user?. 
Any solution such as "ignoreRestrictedValues" to authenticate but keep admin-list hidden?. I was checking the different parameters but didn't find it..

Thanks in advance!
De: Robert R Tupelo-Schneck <schneck@cnri.reston.va.us>
Enviado: jueves, 2 de marzo de 2017 17:09:40
Para: Ruiz-Zafra, Angel
Cc: handle-info@cnri.reston.va.us
Asunto: Re: [Handle-info] Secret Key authentication in Java
 
You need to set resReq.ignoreRestrictedValues = false.  By default, resolution requests have that flag set true.  The flag means "public values only".

Robert

On Mar 2, 2017, at 8:42 AM, Ruiz-Zafra, Angel <a.ruiz-zafra@ucl.ac.uk> wrote:

Finally the error was in the config file. As I have been testing with Handle, I had "anonymous_admin_full_access" ="yes". Thats why Handle didn't ask for any permission.

Now I have another question. Supposedly I'm able to authenticate, I tryed to authenticate to create a new Handle and it works when the password is correct.

However, when I try to resolve a handle, none authentication is required. If I put a wrong password, return data field anyway. I tryed to disable public permissions (write-read), but now handle returns "VALUES not found".

The authentication to resolve a handle should be done in a different way?. 

This is my source code:

handleid is the handle to resolve (e.g. 55555/example)
Admin and token are the handle and the password, for example : 55555/ADMIN with password "pass1"

Regardless of the password and admin id, the response code is always 200 (values not found). So supposedly is not checking the authentication at all.

Thanks and best regards!

public String resolve(String handleid,String admin,String token) throws Exception {
   HandleResolver resolver = new HandleResolver();

    byte[] handle = Util.encodeString(local_prefix+"/"+handleid);
    byte[][] types = { Util.encodeString("URL") };
    int[] indexes = new int[0];
    AuthenticationInfo authInfo = new SecretKeyAuthenticationInfo((local_prefix+"/"+admin).getBytes(Common.DEFAULT_ENCODING),
            300, Encoder.encodeSecretKey(token.getBytes(Common.DEFAULT_ENCODING),true));

    ResolutionRequest resReq = new ResolutionRequest(handle, types, indexes, authInfo);
    

    try {
        AbstractResponse response = resolver.processRequest(resReq);
        String msg = AbstractMessage.getResponseCodeMessage(response.responseCode);
        Functions.print("response code from Handle request: " + msg);

        if (response.responseCode == AbstractMessage.RC_HANDLE_NOT_FOUND) {
            throw new Exception("handle " + handleid + " does not exist");
        }

        if (response.responseCode == AbstractMessage.RC_VALUES_NOT_FOUND) {
            throw new Exception("handle " + handleid + " does not have any URL");
        }

        if (response.responseCode != AbstractMessage.RC_SUCCESS) {
            throw new Exception(msg);
        }

        HandleValue[] values = ((ResolutionResponse)response).getHandleValues();
        return values[0].getDataAsString();
    } catch (net.handle.hdllib.HandleException e) {
        if (e.getCode() == net.handle.hdllib.HandleException.SERVICE_NOT_FOUND) {
            throw new Exception("prefix of handle " + handleid + " does not exist");
        } else {
            String message = "tried to resolve handle " + handleid + " but failed: " + e.getMessage();
            throw new Exception(message, e);
        }
    }
}

De: handle-info-bounces@cnri.reston.va.us <handle-info-bounces@cnri.reston.va.us> en nombre de Ruiz-Zafra, Angel <a.ruiz-zafra@ucl.ac.uk>
Enviado: jueves, 2 de marzo de 2017 11:32:53
Para: handle-info@cnri.reston.va.us
Asunto: [Handle-info] Secret Key authentication in Java
 
Hey there!.

I'm trying to implement a username-password authentication system using Handle, however, I didn't find in the documentation the way to do it in a native Java implementation.

That is what I get or what I'm trying to do:

First of all I created a handle called "user1" that represent a username, with the password "password1":
55555/user1
      HS_ADMIN:100  --> 300:55555/
      HS_SECKEY:300 --> <"password1" encoded> (I encoded using Encoder.encodeSecretKey method)

Having this, I create a new handle in order to know that only user1 could access to handle information. This handle is called "example" and the password/secretkey is "passexample"
55555/example
     HS_ADMIN:100 --> 300:55555/
     HS_ADMIN:101 --> 300:55555/user1
     HS_SECKEY:300 --> <"passwordexample" encoded>

So, now, I would like to do, in Java (not using REST api), is a small piece of source code to verify that the authorization works fine. That is, try to resolve 55555/example handle and get null, empty or unauthorized message, and after that implements the authentication method (I guess is using SecretAuthenticationKeyInfo.authenticate() method, but I'm not sure) and try to resolve again (using this credentials) 55555/example, and get data field.

Although I defined HS_SECKEY handle-index, I could resolve Handle without any credentials (in Java as well as using the REST api), so I guess the authorization is not working :P.

Because permissions are rwr- everybody could get handle information. If I change to rw-- no one could get the information (obviously), so I'm not pretty sure which are the correct way to define permissions in this case. I guess rw-- but I'm not pretty sure.

Any ideas? Has anyone already implemented something similar or know how to do it or where I made mistakes? :D.

Thanks in advance and best regards!
_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info

_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info