403 when creating a metadata schema draft using the API
What is your question?
When POSTing a metadata schema using the /metadata-schemas I get a 403 Access is denied error. I've provided a Bearer token in the Authorization header (for the admin user), and the body is exactly the same as the client produces. The log output is not showing anything beyond the 403 error either. How can I best proceed from here?
EDIT: based on this comment, below is a different problem with a similar outcome
Reproduced something similar on develop branch on localhost (with default dev db):
...
2024-10-29 14:56:10,012 25292 [http-nio-8080-exec-1] INFO org.springframework.web.servlet.DispatcherServlet - Completed initialization in 2 ms
2024-10-29 14:56:10,036 25316 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - Securing POST /metadata-schemas
2024-10-29 14:56:10,052 25332 [http-nio-8080-exec-1] INFO org.fairdatapoint.api.filter.LoggingFilter - http://localhost:8080/metadata-schemas
2024-10-29 14:56:10,116 25396 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - Secured POST /metadata-schemas
2024-10-29 14:56:10,224 25504 [http-nio-8080-exec-1] DEBUG org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor - Failed to authorize ReflectiveMethodInvocation: public org.springframework.http.ResponseEntity org.fairdatapoint.api.controller.schema.MetadataSchemaController.createSchemaDraft(org.fairdatapoint.api.dto.schema.MetadataSchemaChangeDTO); target is of class [org.fairdatapoint.api.controller.schema.MetadataSchemaController] with attributes [[authorize: 'hasRole('ADMIN')', filter: 'null', filterTarget: 'null']]
2024-10-29 14:56:10,226 25506 [http-nio-8080-exec-1] ERROR org.fairdatapoint.api.controller.exception.ExceptionControllerAdvice - Access is denied
So we're authenticated, but not authorized.
More detail:
...
2024-10-29 15:40:37,089 37848 [http-nio-8080-exec-1] TRACE org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor - Did not re-authenticate UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=7e64818d-6276-46fb-8bb1-732e6e09f7e9, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, CredentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[ROLE_USER]] before authorizing
2024-10-29 15:40:37,090 37849 [http-nio-8080-exec-1] TRACE org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor - Authorizing ReflectiveMethodInvocation: public org.springframework.http.ResponseEntity org.fairdatapoint.api.controller.schema.MetadataSchemaController.createSchemaDraft(org.fairdatapoint.api.dto.schema.MetadataSchemaChangeDTO); target is of class [org.fairdatapoint.api.controller.schema.MetadataSchemaController] with attributes [[authorize: 'hasRole('ADMIN')', filter: 'null', filterTarget: 'null']]
2024-10-29 15:40:37,094 37853 [http-nio-8080-exec-1] TRACE org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor - Failed to authorize ReflectiveMethodInvocation: public org.springframework.http.ResponseEntity org.fairdatapoint.api.controller.schema.MetadataSchemaController.createSchemaDraft(org.fairdatapoint.api.dto.schema.MetadataSchemaChangeDTO); target is of class [org.fairdatapoint.api.controller.schema.MetadataSchemaController] with attributes [[authorize: 'hasRole('ADMIN')', filter: 'null', filterTarget: 'null']] using AffirmativeBased
...
Note the Granted Authorities=[ROLE_USER].
POST /metadata-schemas requires the ADMIN role, but GET /users/current returns
{
"uuid": "7e64818d-6276-46fb-8bb1-732e6e09f7e9",
"firstName": "Albert",
"lastName": "Einstein",
"email": "[email protected]",
"role": "USER"
}
Note the "role": "USER".
This holds for both Albert Einstein and Nikola Tesla, even though the readme says Albert is ADMIN:
https://github.com/FAIRDataTeam/FAIRDataPoint/blob/1e33bfdbdd10673370fc5a3a7e819401eb62b685/README.md?plain=1#L106-L110
The dev db migrations show there is a new admin in town (actually einstein has not been admin since v1.0.0, see c1ff8df6):
https://github.com/FAIRDataTeam/FAIRDataPoint/blob/1e33bfdbdd10673370fc5a3a7e819401eb62b685/src/main/resources/dev/db/migration/V0001.1__dev-data-users.sql#L25-L32
Using a token for [email protected], POST /metadata-schemas works as expected (using develop branch on localhost with the default dev db).
@kburger were you also using the local dev db with default users, or were you using a custom db with real users?
@MarekSuchanek I can try to fix the inconsistency between migration and readme, but how do you wish to proceed?
- either add a db migration to reinstate Einstein as admin
- or update the readme to reflect Einstein's demotion to normal user, in favor of the new admin user
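An added triage helper, not part of this thread or of the FAIRDataPoint project, that pairs the Spring Security TRACE lines quoted above: it reads the principal's Granted Authorities from the authentication line, the hasRole() attribute from the "Failed to authorize" line, and reports whether the token could ever have passed. The embedded log lines are constructed, shortened copies of the ones above; the ROLE_ prefix is Spring Security's default role prefix, which hasRole('ADMIN') prepends before comparing.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on (and shortened from) the TRACE lines quoted in the thread.
SAMPLE_LOG = """\
2024-10-29 15:40:37,089 [http-nio-8080-exec-1] TRACE MethodSecurityInterceptor - Did not re-authenticate UsernamePasswordAuthenticationToken [Principal=User [Username=7e64818d-6276-46fb-8bb1-732e6e09f7e9, Password=[PROTECTED], Enabled=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Granted Authorities=[ROLE_USER]] before authorizing
2024-10-29 15:40:37,094 [http-nio-8080-exec-1] TRACE MethodSecurityInterceptor - Failed to authorize ReflectiveMethodInvocation: public org.springframework.http.ResponseEntity org.fairdatapoint.api.controller.schema.MetadataSchemaController.createSchemaDraft(org.fairdatapoint.api.dto.schema.MetadataSchemaChangeDTO); target is of class [org.fairdatapoint.api.controller.schema.MetadataSchemaController] with attributes [[authorize: 'hasRole('ADMIN')', filter: 'null', filterTarget: 'null']] using AffirmativeBased
"""

USER_RE = re.compile(r"Username=([^,\]]+)")
GRANTED_RE = re.compile(r"Granted Authorities=\[([^\]]*)\]")
FAILED_RE = re.compile(r"Failed to authorize ReflectiveMethodInvocation: public \S+ ([^\s(]+)\(")
REQUIRED_RE = re.compile(r"authorize: 'hasRole\('(\w+)'\)'")


@dataclass
class Finding:
    method: str      # fully qualified controller method that was denied
    username: str    # principal taken from the preceding authentication line
    required: str    # authority that hasRole() actually checks for
    granted: tuple   # authorities the token carried

    @property
    def authorized(self) -> bool:
        return self.required in self.granted

    def explain(self) -> str:
        verdict = "authorized" if self.authorized else "NOT authorized"
        return (f"{self.method}: requires {self.required}, "
                f"{self.username} holds {list(self.granted)} -> {verdict}")


def diagnose(log_text: str, role_prefix: str = "ROLE_") -> list:
    """Pair each 'Failed to authorize' line with the authentication line before it.
    hasRole('X') only passes if the principal holds role_prefix + 'X' ('ROLE_' by default)."""
    findings, username, granted = [], "?", ()
    for line in log_text.splitlines():
        g = GRANTED_RE.search(line)
        if g:  # authentication line: remember who is calling and with which authorities
            granted = tuple(a.strip() for a in g.group(1).split(",") if a.strip())
            u = USER_RE.search(line)
            username = u.group(1) if u else username
        f = FAILED_RE.search(line)
        if f:  # denial line: extract the method and the role its @PreAuthorize demands
            r = REQUIRED_RE.search(line)
            required = role_prefix + r.group(1) if r else "?"
            findings.append(Finding(f.group(1), username, required, granted))
    return findings
```

Running diagnose(SAMPLE_LOG) on the thread's lines yields a single finding: createSchemaDraft requires ROLE_ADMIN while the token for uuid 7e64818d-... only holds ROLE_USER, which is exactly the "authenticated but not authorized" 403 described above.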
@kburger were you also using the local dev db with default users, or were you using a custom db with real users?
Default users, but also a confirmed ADMIN user on a 'real' FDP.
[...] but also a confirmed ADMIN user on a 'real' FDP.
Hi @kburger, does the "real" FDP run the develop image or one of the v1.17.x images?
(assuming you are running one of the Docker images)
They're all running tagged docker images, mostly the 1.16.2 version to work around the bugs in 1.17.
I can use the API to insert/update SHACL and release them.
It does work, but it's a bit fragile and the error messages are not very helpful.
@kburger I'm still having trouble reproducing this.
Could you reproduce it using e.g. this compose file, and paste the full request, including path, query (if any), headers and body?
(of course after redacting the token content, if necessary)