AgentAuthorizationFilter and the SimpleAgent

Christopher Johnson

Feb 22, 2018, 9:25:52 AM
to Trellis LDP
Hi,

I am studying the authentication modules now.  I have a basic question about the AgentAuthorizationFilter and the SimpleAgent service.  Assuming that a request with the header
Authorization: Bearer + JWT
is made with a valid JWT for a user "http://localhost/test-user" with the matching key, a Principal should be set by the JWT Authenticator, correct?  

If I run the JwtAuthenticatorTest.testAuthenticateToken() with this token, the assertion passes.   

However, I see 
DEBUG [2018-02-22 12:33:29,101] org.trellisldp.http.AgentAuthorizationFilter: Checking security context: null

Is there more configuration required for this?  I do see that one can pass a list of administrators to the filter.  I tried that, yet it returns the same null context.  

I guess that without an authenticated session WebAC will not work (and no authorization can be applied), so a request to http://localhost/some/resource?ext=acl will return a 404.  The test objective is to make this request for acls work on a non-root resource.

Thanks again!

-Christopher

Aaron Coburn

Feb 22, 2018, 10:18:06 AM
to trell...@googlegroups.com
Hi Christopher,

Most likely there is a bug in the authorization filter. There are not yet any end-to-end tests for authorization workflows, just a lot of unit tests. I will add an issue for this.

On a side note, you will generally find that the `?ext=acl` resources return a 404, since they don't, by default, exist. To create a new ACL for a particular resource, you can use PUT or PATCH (with sparql-update) on the ?ext=acl resource URL.

Thanks,
Aaron


Aaron Coburn

Feb 22, 2018, 11:29:24 AM
to trell...@googlegroups.com
Hello again,

There was, indeed, a bug in the code, such that the security principal was being set before the authentication filters were run (this had to do with a JAX-RS @PreMatching annotation). I have fixed this in master. I have manually tested JWT and Basic auth scenarios with the new code, and I have also added an issue to add more tests for these sorts of authentication scenarios.

Thanks again for your work testing out Trellis.

Regards,
Aaron
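
The filter-ordering problem described in the last reply, as an added example that is not part of the thread and is not Trellis code: it assumes the authenticator is a post-matching JAX-RS filter at `Priorities.AUTHENTICATION`, and every class name in it is hypothetical.

```java
// Added illustration, not Trellis source; every class name here is hypothetical.
import java.security.Principal;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

public final class FilterOrdering {
    // Stand-in authenticator (token verification omitted): a post-matching
    // filter that installs a SecurityContext carrying the Principal.
    @Provider @Priority(Priorities.AUTHENTICATION)
    public static class DemoAuthFilter implements ContainerRequestFilter {
        @Override public void filter(ContainerRequestContext ctx) {
            final Principal user = () -> "http://localhost/test-user";
            ctx.setSecurityContext(new SecurityContext() {
                @Override public Principal getUserPrincipal() { return user; }
                @Override public boolean isUserInRole(String role) { return false; }
                @Override public boolean isSecure() { return false; }
                @Override public String getAuthenticationScheme() { return "Bearer"; }
            });
        }
    }

    // Ordering that loses the principal: @PreMatching filters run before resource
    // matching, hence before every post-matching filter, whatever their @Priority.
    @Provider @PreMatching
    public static class EarlyAgentFilter implements ContainerRequestFilter {
        @Override public void filter(ContainerRequestContext ctx) {
            // DemoAuthFilter has not run yet, so no authenticated principal is visible.
            ctx.setProperty("agent.early", nameOf(ctx.getSecurityContext()));
        }
    }

    // Corrected ordering: post-matching, and AUTHORIZATION (2000) sorts after
    // AUTHENTICATION (1000), so the principal is already in place.
    @Provider @Priority(Priorities.AUTHORIZATION)
    public static class LateAgentFilter implements ContainerRequestFilter {
        @Override public void filter(ContainerRequestContext ctx) {
            ctx.setProperty("agent.late", nameOf(ctx.getSecurityContext()));
        }
    }

    static String nameOf(SecurityContext sc) {
        Principal p = sc == null ? null : sc.getUserPrincipal();
        return p == null ? "anonymous" : p.getName();
    }
}
```

With all three filters registered, and no authentication done by the container itself, a request ends up with `agent.early` set to `anonymous` and `agent.late` set to `http://localhost/test-user`.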
