
Re: [Handle-info] Secret Key authentication in Java



You need to set resReq.ignoreRestrictedValues = false.  By default, resolution requests have that flag set true.  The flag means "public values only".

Robert

On Mar 2, 2017, at 8:42 AM, Ruiz-Zafra, Angel <a.ruiz-zafra@ucl.ac.uk> wrote:

Finally the error was in the config file. As I have been testing with Handle, I had "anonymous_admin_full_access" ="yes". That's why Handle didn't ask for any permission.

Now I have another question. Supposedly I'm able to authenticate; I tried to authenticate to create a new Handle and it works when the password is correct.

However, when I try to resolve a handle, no authentication is required. If I put a wrong password, it returns the data field anyway. I tried to disable public permissions (write-read), but now handle returns "VALUES not found".

Should the authentication to resolve a handle be done in a different way?

This is my source code:

handleid is the handle to resolve (e.g. 55555/example)
Admin and token are the handle and the password, for example : 55555/ADMIN with password "pass1"

Regardless of the password and admin id, the response code is always 200 (values not found). So supposedly it is not checking the authentication at all.

Thanks and best regards!

public String resolve(String handleid,String admin,String token) throws Exception {
    HandleResolver resolver = new HandleResolver();

    byte[] handle = Util.encodeString(local_prefix+"/"+handleid);
    byte[][] types = { Util.encodeString("URL") };
    int[] indexes = new int[0];
    AuthenticationInfo authInfo = new SecretKeyAuthenticationInfo((local_prefix+"/"+admin).getBytes(Common.DEFAULT_ENCODING),
            300, Encoder.encodeSecretKey(token.getBytes(Common.DEFAULT_ENCODING),true));

    ResolutionRequest resReq = new ResolutionRequest(handle, types, indexes, authInfo);

    try {
        AbstractResponse response = resolver.processRequest(resReq);
        String msg = AbstractMessage.getResponseCodeMessage(response.responseCode);
        Functions.print("response code from Handle request: " + msg);

        if (response.responseCode == AbstractMessage.RC_HANDLE_NOT_FOUND) {
            throw new Exception("handle " + handleid + " does not exist");
        }

        if (response.responseCode == AbstractMessage.RC_VALUES_NOT_FOUND) {
            throw new Exception("handle " + handleid + " does not have any URL");
        }

        if (response.responseCode != AbstractMessage.RC_SUCCESS) {
            throw new Exception(msg);
        }

        HandleValue[] values = ((ResolutionResponse)response).getHandleValues();
        return values[0].getDataAsString();
    } catch (net.handle.hdllib.HandleException e) {
        if (e.getCode() == net.handle.hdllib.HandleException.SERVICE_NOT_FOUND) {
            throw new Exception("prefix of handle " + handleid + " does not exist");
        } else {
            String message = "tried to resolve handle " + handleid + " but failed: " + e.getMessage();
            throw new Exception(message, e);
        }
    }
}


From: handle-info-bounces@cnri.reston.va.us <handle-info-bounces@cnri.reston.va.us> on behalf of Ruiz-Zafra, Angel <a.ruiz-zafra@ucl.ac.uk>
Sent: Thursday, March 2, 2017 11:32:53
To: handle-info@cnri.reston.va.us
Subject: [Handle-info] Secret Key authentication in Java
 
Hey there!

I'm trying to implement a username-password authentication system using Handle, however, I didn't find in the documentation the way to do it in a native Java implementation.

That is what I get or what I'm trying to do:

First of all I created a handle called "user1" that represents a username, with the password "password1":
55555/user1
      HS_ADMIN:100  --> 300:55555/
      HS_SECKEY:300 --> <"password1" encoded> (I encoded using Encoder.encodeSecretKey method)

Having this, I create a new handle in order to know that only user1 could access the handle information. This handle is called "example" and the password/secretkey is "passexample"
55555/example
     HS_ADMIN:100 --> 300:55555/
     HS_ADMIN:101 --> 300:55555/user1
     HS_SECKEY:300 --> <"passwordexample" encoded>

So now, what I would like to do, in Java (not using the REST API), is a small piece of source code to verify that the authorization works fine. That is, try to resolve the 55555/example handle and get null, empty or an unauthorized message, and after that implement the authentication method (I guess it is using the SecretAuthenticationKeyInfo.authenticate() method, but I'm not sure) and try to resolve 55555/example again (using these credentials), and get the data field.

Although I defined HS_SECKEY handle-index, I could resolve Handle without any credentials (in Java as well as using the REST api), so I guess the authorization is not working :P.

Because permissions are rwr- everybody could get the handle information. If I change to rw-- no one could get the information (obviously), so I'm not quite sure which is the correct way to define permissions in this case. I guess rw-- but I'm not quite sure.

Any ideas? Has anyone already implemented something similar or know how to do it or where I made mistakes? :D.

Thanks in advance and best regards!
_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info
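
An added example, not part of the original thread or of the Handle project's code: it sends the same resolution request twice, once with the default ignoreRestrictedValues = true and once with the flag set to false as the reply at the top of the thread advises, so the two responses can be compared. The class name RestrictedResolveDemo and the helpers buildRequest and show are hypothetical; the handles and password are the ones quoted in the thread, and it assumes a reachable Handle server for prefix 55555 and the hdllib jar on the classpath.

```java
import net.handle.hdllib.*;

// Hypothetical demo class; handle names and the password are the ones quoted in the thread.
public class RestrictedResolveDemo {

    // Build a resolution request for the URL values of a handle.
    // includeRestricted=false leaves the library default ("public values only").
    static ResolutionRequest buildRequest(String handle, AuthenticationInfo auth,
                                          boolean includeRestricted) {
        byte[][] types = { Util.encodeString("URL") };
        ResolutionRequest req =
                new ResolutionRequest(Util.encodeString(handle), types, new int[0], auth);
        req.ignoreRestrictedValues = !includeRestricted;
        return req;
    }

    // Send the request and print the response code and any values returned.
    static void show(HandleResolver resolver, ResolutionRequest req) throws Exception {
        AbstractResponse resp = resolver.processRequest(req);
        System.out.println("ignoreRestrictedValues=" + req.ignoreRestrictedValues + " -> "
                + AbstractMessage.getResponseCodeMessage(resp.responseCode));
        if (resp.responseCode == AbstractMessage.RC_SUCCESS) {
            for (HandleValue v : ((ResolutionResponse) resp).getHandleValues()) {
                System.out.println("  " + v);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        HandleResolver resolver = new HandleResolver();
        // Credentials built the same way as in the quoted code (HS_SECKEY at index 300).
        AuthenticationInfo auth = new SecretKeyAuthenticationInfo(
                Util.encodeString("55555/user1"), 300,
                Encoder.encodeSecretKey(Util.encodeString("password1"), true));

        // Default flag: only public values are requested, which matches the
        // thread's observation that a wrong password made no difference.
        show(resolver, buildRequest("55555/example", auth, false));

        // Flag cleared: restricted values are requested as well, so the
        // supplied credentials now matter for what comes back.
        show(resolver, buildRequest("55555/example", auth, true));
    }
}
```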