1) Syncope's REST API
Apache Syncope exposes its functionality via a rich REST API. Apache Syncope 1.1 features a new REST API, which is powered by Apache CXF. The new API has been created with the aim of applying RESTful best practices.
2) Querying Syncope's REST API
I've created some simple test cases (hosted on GitHub) based around a CXF SOAP client/service invocation, which show how to use Syncope's REST API for authentication and authorization.
a) Authentication
The Authentication test uses Syncope as an IDM for authentication. A CXF client sends a SOAP UsernameToken to a CXF Endpoint. The CXF Endpoint has been configured to validate the UsernameToken via the SyncopeUTValidator, which dispatches the username/password to Syncope for authentication via Syncope's REST API. Run the test via:
- git clone git://github.com/coheigea/cxf-syncope.git
- cd cxf-syncope
- mvn test -Dtest=AuthenticationTest
b) Authorization
The Authorization test uses Syncope as an IDM for authorization. It exploits the fact that we synchronized users' roles into Syncope in tutorial IV. A CXF client sends a SOAP UsernameToken to a CXF Endpoint. The CXF Endpoint has configured the SyncopeRolesInterceptor, which authenticates the username/password to Syncope as per the authentication test. If authentication is successful, it then gets the roles of the user and populates a CXF SecurityContext with the user's name + roles.
The CXF Endpoint has also configured the SimpleAuthorizingInterceptor, which reads the current Subject's roles from the SecurityContext, and requires that a user must have role "boss" to access the "doubleIt" operation ("alice" has this role, "bob" does not). Run the test via:
- git clone git://github.com/coheigea/cxf-syncope.git
- cd cxf-syncope
- mvn test -Dtest=AuthorizationTest
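The two test cases above validate credentials by sending the user's own username:password as HTTP Basic auth to Syncope's REST API and then read the user's role memberships to make the "doubleIt requires role boss" decision. The following is a worked example added for this page, not code from the cxf-syncope test cases or from the SyncopeUTValidator/SyncopeRolesInterceptor classes: it performs that same check in Python against an injectable transport, so it runs offline against a constructed fake Syncope. The base URL, the /users/self path and the user XML shape are assumptions taken from the curl output quoted in the comments; the account table (including bob's password) is constructed sample data.

```python
"""Authenticate a user against Syncope's REST API (HTTP Basic on GET /users/self),
read role memberships from the returned user XML, and apply a per-operation role
requirement (doubleIt needs "boss"). Added example for this page; the transport
is injectable so the module runs offline against a constructed fake Syncope."""
import base64
import xml.etree.ElementTree as ET

SYNCOPE_BASE = "http://localhost:8080/syncope/cxf"   # assumed, from the curl in the comments
REQUIRED_ROLES = {"doubleIt": {"boss"}}               # from the page: doubleIt needs role "boss"

# Constructed sample accounts: (password, user id, role names). Bob's password is made up.
FAKE_ACCOUNTS = {
    "alice": ("security", 152, ["boss", "employee"]),
    "bob": ("security", 153, ["employee"]),
}


def user_xml(username, uid, roles):
    """Build a /users/self response in the (abridged) shape shown in the comments."""
    memberships = "".join(
        "<membership><roleId>%d</roleId><roleName>%s</roleName></membership>" % (100 + i, r)
        for i, r in enumerate(roles)
    )
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        "<user><id>%d</id><memberships>%s</memberships>"
        "<status>active</status><username>%s</username></user>" % (uid, memberships, username)
    )


def fake_syncope(url, headers):
    """Constructed stand-in for Syncope: returns (status, body) for GET /users/self."""
    auth = headers.get("Authorization", "")
    if url == SYNCOPE_BASE + "/users/self" and auth.startswith("Basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        if user in FAKE_ACCOUNTS and pw == FAKE_ACCOUNTS[user][0]:
            return 200, user_xml(user, FAKE_ACCOUNTS[user][1], FAKE_ACCOUNTS[user][2])
    return 401, "<html><body><h1>HTTP Status 401 - User not authenticated</h1></body></html>"


def urllib_transport(url, headers):
    """Real transport for a running Syncope instance (not exercised offline)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def authenticate(username, password, transport=fake_syncope):
    """Validate credentials the way the AuthenticationTest does: send the user's
    *own* username:password as HTTP Basic to /users/self. A 200 means the
    credentials are valid; return the set of role names, or None on failure."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    status, body = transport(
        SYNCOPE_BASE + "/users/self",
        {"Authorization": "Basic " + token, "Accept": "application/xml"},
    )
    if status != 200:
        return None
    try:
        root = ET.fromstring(body)  # for responses from an untrusted server prefer defusedxml
    except ET.ParseError:
        return None
    # Defensive: the entity returned must be the principal we asked about, and active.
    if root.findtext("username") != username or root.findtext("status") != "active":
        return None
    return {m.findtext("roleName") for m in root.iter("membership") if m.findtext("roleName")}


def authorize(username, password, operation, transport=fake_syncope):
    """Authenticate, then require every role configured for the operation
    (deny by default for operations with no policy). Returns (allowed, reason)."""
    roles = authenticate(username, password, transport)
    if roles is None:
        return False, "authentication failed"
    needed = REQUIRED_ROLES.get(operation)
    if needed is None:
        return False, "no role policy for operation %r" % operation
    missing = needed - roles
    if missing:
        return False, "missing role(s): %s" % ", ".join(sorted(missing))
    return True, "ok"


if __name__ == "__main__":
    for user, pw in (("alice", "security"), ("bob", "security"), ("alice", "wrong")):
        print(user, authorize(user, pw, "doubleIt"))
```

To run it against a real instance, pass `transport=urllib_transport` to `authorize`; the fake is the default only so the module can be executed without a Syncope deployment. The role check is deny-by-default: an operation with no entry in the policy table is refused even for an authenticated user, which is the safer failure mode for an authorizing interceptor.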
Hi Colm,
Thanks for your excellent article and source code example. In the Apache Syncope project I have seen there is a module called syncope-client.
It seems it implements a client Java API to access Syncope, wrapping REST calls.
What's the best way you suggest to integrate with Syncope? REST API or syncope-client?
Thanks,
Denis.
Hi Denis,
I would say that if the "syncope-client" module meets your needs then use that. In the source code I linked to on github, it just uses the REST API directly, mainly to show how a third party can invoke on Syncope.
Colm.
Hi, I am working with identity and access control and just want to know how I can use Syncope in my application to implement WS-Federation with single sign-on.
Syncope does not offer WS-Federation or SSO. Instead you should look at Apache CXF Fediz:
http://cxf.apache.org/fediz
Colm.
Thanks Colm, so this Apache CXF will do this for me, meaning it will implement WS-Federation for me.
Hi Colm,
I've tried this example but github.com/coheigea/cxf-syncope.git is no longer available. I got the code from github.com/coheigea/testcases/tree/master/apache/cxf/cxf-syncope but, when I execute mvn test -Dtest=AuthenticationTest, it throws me an error about the pom.xml file: "Non-parseable POM /home/ubuntu/cxf/pom.xml: Expected root element 'project' but found 'html' " Any help here?
Thanks a lot,
Javi.
What happens if you do "git clone https://github.com/coheigea/testcases.git", and then a "mvn clean install" from the apache/cxf directory?
Colm.
Hi Colm,
I followed steps 1-3 of the tutorial, and managed to set up and load the databases into Syncope. But the AuthenticationTest does not work for me. It sends "alice:security" in the HTTP Authorization parameter, and Syncope returns HTTP 401. It only works if I send "admin:password" instead. I am not sure if this is the right way to use the Syncope REST API. Isn't it possible that the Authorization HTTP param should be used to authenticate to Syncope, and the user:password to be queried goes somewhere in the HTTP body?
Thanks,
Ivan
Hi Ivan,
Are you sure that user "alice" has been synced into Syncope? So for example, when you log onto the Syncope UI, do you see the user "alice" in the Users tab?
Colm.
Hi Colm,
I guess the users are correctly synchronized to Syncope. Please have a look at this:
curl -u admin:password http://localhost:8080/syncope/cxf/users?username=alice
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user>
<attributes>
<attribute>
<readonly>false</readonly>
<schema>surname</schema>
<value>smith</value>
</attribute>
</attributes>
<derivedAttributes/>
<id>152</id>
<propagationStatuses/>
<resources/>
<virtualAttributes/>
<creationDate>2014-07-06T00:29:41+02:00</creationDate>
<failedLogins>14</failedLogins>
<memberships>
<membership>
<attributes/>
<derivedAttributes/>
<id>100</id>
<propagationStatuses/>
<resources/>
<virtualAttributes/>
<resources/>
<roleId>100</roleId>
<roleName>boss</roleName>
</membership>
<membership>
<attributes/>
<derivedAttributes/>
<id>101</id>
<propagationStatuses/>
<resources/>
<virtualAttributes/>
<resources/>
<roleId>101</roleId>
<roleName>employee</roleName>
</membership>
</memberships>
<password>C8A14DACDCB64CEAD6D7766A9DD02BBD1D57FFCF</password>
<status>active</status>
<username>alice</username>
</user>
But then the /user/self (what your test is doing) is not working for me:
curl -u alice:security http://localhost:8080/syncope/cxf/users/self
... <body><h1>HTTP Status 401 - User alice not authenticated</h1>...
Hi Colm. Likely this is a bug in Syncope. During testing it I found a few strange issues. Please don't waste time with it. Thanks for the excellent tutorials, I followed many of them.
Thank you for the valuable tutorials on Syncope.
Hi Colm, not sure if you still happen to look at this. I was trying to see what your thoughts are on using ForgeRock IDM against Syncope.