Multiple service operations and CRUD on server

GOMEZEL_DINO · March 29, 2022, 12:30pm

Hi!

I'll try to describe my problem, It's a bit complicated to explain, but I'll try.

I have an XData server that has several Service Operations + CRUD access:

ILoginService - used to login an get the JWT that will be used for other services. Based on the login, the user gets two different scopes "easy" (for the app) and "webshop" (for the IWebShopService)

IWebShopService - for webshop access - only a few functions. User must have the "webshop" scope
IEasyService - for operations acces - only for scope "easy".

I also want to have direct CRUD access (only List and Get) for my own applications (scope must be "easy"). I've set the XDataServer.DefaultEntitySetPermissions to [List,Get]. So CRUD must be visible only to logged users with the "easy" scope.

The login and JWT works OK, I marked the IWebShopService like this

  [ServiceContract]
  [Authorize]
  [AuthorizeScopes('webshop')]
  IWebShopService = interface(IProtectedService)

so it's reachable only for users with the correct scope.

The problem is that I can't manage to get the CRUD functions only to the "easy" scope.

My entities are marked like this

  [Entity]
  [EntityAuthorizeScopes('easy', EntitySetPermissionsAll]
  [Table('users')]
  [Id('FLogin', TIdGenerator.None)]
  TUser = class
  ...

But even if correctly logged (withe the "easy" scope) I get 403 (forbidden).

Any hint what I'm doing wrong..?

wlandgraf · March 30, 2022, 12:42pm

Some guesses:

Are you pretty sure the "easy" scope is in the token?
What happens if you remove the EntityAuthorizeScopes from the entity? Does it work?

GOMEZEL_DINO · March 31, 2022, 8:42am

I've set a breakpoint and it's hit, I think getting the scope "easy" is OK.
Yes, it works. Even more - it works also unlogged user - it seems like the EntityAuthorizeScopes is ignored.

I can send you the code and a dump of the MySQL database if it helps. Could be a problem, because I create a "main" dataset module and then a Dataset module for each DB... I don't know. All the security around CRUD and Service operations it's working weirdly... Probably my fault, but I can't find it where

wlandgraf · March 31, 2022, 10:28pm

I don't understand. First you said the service doesn't work (returns 403 forbidden). Now you say it works, it's even hit by a breakpoint. What is the real, detailed situation?

Aren't you getting "Unknown custom attribute" warning? Have you added XData.Security.Attributes unit to your uses clause?

GOMEZEL_DINO · April 26, 2022, 9:20am

I finally managed all the mess :) It was a combination of errors, so I just write them here, so anyone could get some help from my experience.I experimented so much with the attributes that I messed up claims, scopes an everything.

About CRUD: I forgot to add XData.Security.Attributes, I tought aurelius.Mapping.Attributes was enough.

About service operations: I mistakenly saved scopes in the wrong claim

Wrong claims:
JWT.Claims.SetClaimOfType('type', Scopes);

Right claims;
JWT.Claims.SetClaimOfType('scope', Scopes);

After that all worked perfectly.

system · April 26, 2022, 10:21am

This topic was automatically closed 60 minutes after the last reply. New replies are no longer allowed.