Unable to authenticate user on development server although it is working on the local machine

Cuba version 6.10.11

Unable to authorize a user from the REST API deployed to the development server, although I am able to do it on the local machine.

Created user resetclient, assigned to a newly created role with the permission Use REST API, so he will only be allowed to call the REST endpoints.

The same user was assigned the permission Login to client just for validating that the user is able to log in to the system with the created username and password; it will be removed once I am able to authorize the user from the REST API.

Strange behavior: after removing this permission the user is still able to log in to the web portal.


User authentication through the REST API using Postman, with only the Use REST API permission assigned:


Trying to do the same on the development server, I receive Bad credentials:


Please support urgently regarding this, as I have been trying to do this for the last 2 days and it is not working. Even the application logs are not showing any request/response regarding the call to the authentication service; only when the user is authenticated on the local machine do they show that the user has been authenticated and log the token. This behavior I saw only on local.

If any more details are required, please let me know.

The issue was with passing the correct value of the encoded client id and encoded password.

```properties
cuba.rest.client.id = 
cuba.rest.client.secret =
```

clientId:clientsecret Base64 encoded

The client id and secret are not equal to the user credentials.

Steps to use REST API for Authentication

/oauth/token

  1. Define the user who will be allowed to use your application from the Administration and grant a Role with specific permissions
  2. Set the client.id and client.secret in web-app.properties
  3. Call your endpoint with the below

Request Header

Authentication value = Base64-encoded [clientId:clientsecret]
Accept = application/json
content_type = application/x-www-form-urlencoded

Body

grant_type = password
username = created user name for the application
password = password of the created user

_Note:_

The only concern here is that the user who was granted access to the REST API is still able to log in to the home page of the application on the portal; this needs clarification.

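The token request from the steps above, as an added Python example that is not part of the original post: it builds the Authorization: Basic header from the client id/secret (the standard header name for the value the steps call "Authentication"), puts the user's own credentials in the form body, and treats an OAuth2 error object as a failure. The base URL, user name and the client/secret values in main are placeholders.

```python
import base64
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_PATH = "/rest/v2/oauth/token"  # CUBA 6.x REST API token endpoint, relative to the web app

class TokenError(Exception):
    """Raised when /oauth/token returns an OAuth2 error object instead of a token."""

def build_token_request(base_url, client_id, client_secret, username, password):
    """Return (url, headers, body) for the password grant of steps 2 and 3.

    The client id/secret from web-app.properties go into the Authorization
    header as Basic base64(clientId:clientSecret); the user's own credentials
    go into the form body. Swapping the two yields "Bad credentials".
    """
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "password",
                      "username": username, "password": password}).encode("ascii")
    return base_url.rstrip("/") + TOKEN_PATH, headers, body

def parse_token_response(raw):
    """Parse the JSON body: return the token dict, or raise TokenError on an error object."""
    data = json.loads(raw)
    if "error" in data:
        raise TokenError(f"{data['error']}: {data.get('error_description', '')}")
    if "access_token" not in data:
        raise TokenError("response has neither access_token nor error")
    return data

def request_token(base_url, client_id, client_secret, username, password):
    """Perform the request. Basic auth is only base64, so use https off localhost."""
    url, headers, body = build_token_request(base_url, client_id, client_secret, username, password)
    try:
        with urlopen(Request(url, data=body, headers=headers, method="POST")) as resp:
            return parse_token_response(resp.read())
    except HTTPError as e:  # error objects come back with 400/401, still as JSON
        return parse_token_response(e.read())

if __name__ == "__main__":
    # Placeholder values: the user from the thread and the client id/secret from web-app.properties
    print(request_token("http://localhost:8080/app", "client", "secret", "xyz", "xyzpassword"))
```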

Hello @abd.ibrahim.allam

Could you clarify the question?

Regards,
Daniil

I will give a full example with steps.

From CUBA Administration:

  1. Create a user with username: xyz and password: xyzpassword
  2. Create a Role REST-API with only the permission Use REST API granted
  3. Expected behavior: the user will only be able to use the REST API endpoints without being able to log in to the web client, and if he tries to log in to the web client localhost:8080/app an error message should appear with the message "You are not authorized to use the web portal"
  4. Current behavior: the user is able to log in to the web client, but with a blank home page, and is also able to call the REST API


One more concern regarding REST APIs

If the user is calling the permissions API, the endpoint is returning misleading permissions; see the below example for a user granted only the permission use rest client:


```json
[
{
    "type": "SCREEN",
    "target": "filterSelect",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "groupConditionFrame",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "customConditionEditor",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "editWindowActions",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "filterEditor",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "layoutAnalyzer",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "saveSetInFolder",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "mainWindow",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "backgroundWorkProgressWindow",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "addCondition",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "saveFilter",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "multiuploadDialog",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "backgroundWorkWindow",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "fileUploadDialog",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "propertyConditionFrame",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "dynamicAttributesConditionEditor",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "runtimePropertiesFrame",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "extendedEditWindowActions",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "dynamicAttributesConditionFrame",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "customConditionFrame",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "ENTITY_OP",
    "target": "sec$Filter:read",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SPECIFIC",
    "target": "cuba.gui.loginToClient",
    "value": "ALLOW",
    "intValue": 1
}
]
```

Is there any possibility to expose Swagger documentation for my defined REST queries and REST services?

I suggest you use a denying role with the permission for the REST API enabled and the permission to login to client disabled:


I already did this, but the user is still able to log in to the client with an empty home page.

You can try it on your own and you will see that the user is still able to log in to the web portal with an empty home page.

Hello @abd.ibrahim.allam

Could you clarify the client you’re talking about - web client or portal client?

Regards,
Daniil

Hello Daniil,

I'm speaking about the portal client:

localhost:8080/app

It is a web client. Could you create a demo project to investigate the problem and share it with hsqldb directory located in project_root/deploy?

Hello Daniil,

Ok, I will do it and share it with you.

Thanks for your support

Yes, you’re right.

You can upload into some storage and send a link to private messages if DB has sensitive data.

Regards,
Daniil

Hi Daniil,

Thanks for your support. Currently, as mentioned from your side previously, denying login to client and enabling only REST API access is cool and working fine for me,

but how can I customize the message for the end user to show him

"users are not authorized to log in and use the application" instead of the below:


Also one more thing regarding user permissions, as I mentioned previously;
below is the response for calling

http://localhost:8080/app/rest/v2/permissions

Why are all these permissions returned although only one permission is assigned to the user?

```json
[
{
    "type": "SCREEN",
    "target": "filterSelect",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "groupConditionFrame",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "customConditionEditor",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "editWindowActions",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "filterEditor",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "layoutAnalyzer",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "saveSetInFolder",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "mainWindow",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "backgroundWorkProgressWindow",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "addCondition",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "saveFilter",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "multiuploadDialog",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "backgroundWorkWindow",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "fileUploadDialog",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "propertyConditionFrame",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "dynamicAttributesConditionEditor",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "runtimePropertiesFrame",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "extendedEditWindowActions",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "dynamicAttributesConditionFrame",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SCREEN",
    "target": "customConditionFrame",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "ENTITY_OP",
    "target": "sec$Filter:read",
    "value": "ALLOW",
    "intValue": 1
},
{
    "type": "SPECIFIC",
    "target": "cuba.gui.loginToClient",
    "value": "ALLOW",
    "intValue": 1
}
]
```
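An added check, not from the thread, that audits the /rest/v2/permissions output against the REST-only policy the denying role suggested above is meant to produce: Use REST API allowed and Login to client denied. The sample is a trimmed, constructed copy of the response quoted above; cuba.restApi.enabled is assumed here to be the id of the Use REST API permission, since that id does not appear in the thread.

```python
import json

# Specific-permission ids as they appear in the CUBA 6.x /rest/v2/permissions output.
LOGIN_TO_CLIENT = "cuba.gui.loginToClient"
USE_REST_API = "cuba.restApi.enabled"   # assumed id of the "Use REST API" permission

# Policy for a REST-only user: may use the REST API, must not open the web client.
REST_ONLY_POLICY = {USE_REST_API: "ALLOW", LOGIN_TO_CLIENT: "DENY"}

# Constructed sample, trimmed from the response quoted in the thread above.
SAMPLE_PERMISSIONS = json.loads("""[
  {"type": "SCREEN",    "target": "mainWindow",             "value": "ALLOW", "intValue": 1},
  {"type": "ENTITY_OP", "target": "sec$Filter:read",        "value": "ALLOW", "intValue": 1},
  {"type": "SPECIFIC",  "target": "cuba.gui.loginToClient", "value": "ALLOW", "intValue": 1}
]""")

def specific_permissions(permissions):
    """Map target -> value for SPECIFIC entries only; SCREEN/ENTITY_OP are the defaults."""
    return {p["target"]: p["value"] for p in permissions if p["type"] == "SPECIFIC"}

def audit_permissions(permissions, policy=REST_ONLY_POLICY):
    """Return a list of (target, expected, actual) violations of the policy.

    An ALLOW expectation is violated when no ALLOW entry is present; a DENY
    expectation is violated only when an explicit ALLOW entry is present, so an
    endpoint that omits denied permissions does not produce false positives.
    """
    actual = specific_permissions(permissions)
    violations = []
    for target, expected in policy.items():
        value = actual.get(target, "MISSING")
        if expected == "ALLOW" and value != "ALLOW":
            violations.append((target, expected, value))
        elif expected == "DENY" and value == "ALLOW":
            violations.append((target, expected, value))
    return violations

if __name__ == "__main__":
    for target, expected, actual in audit_permissions(SAMPLE_PERMISSIONS):
        print(f"{target}: expected {expected}, got {actual}")
```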

To customize error message you should add custom localization for the LoginException.InvalidLoginOrPassword key.

Why are all these permissions returned although only one permission is assigned to the user?

It’s due to default permissions applied for all users.

Regards,
Daniil

Thanks Daniil for your support, I will check that.