Shop

Your Notifications (0)

There are currently no notifications. You're all set!

Demos Trials
Knowledge Base
ChemDraw and ChemOffice+ Products Signals Notebook E-Notebook and ChemBioOffice Enterprise Spotfire and Signals Spotfire Products Columbus Signals Image Artist
Downloads
Downloads
Community
Support Forums Ideas Portal Product Basics
About Support
Legal Resources Support and Maintenance Plans Product Life Cycle Support News
Contact Support

TIBCO Spotfire Server SOAP Web Services fail to execute with an Unauthorized error

Rich Talbot
  • Updated
Date Posted:
Product: TIBCO Spotfire®

Problem:

TIBCO Spotfire Server SOAP Web Services fail to execute with an Unauthorized error


Solution:

When executing a web service like LibraryService, UpdateAnalysisService or any other it may fail and return an Unauthorized error in the soap response as below. 

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <soap:Fault>
         <faultcode>soap:Server</faultcode>
         <faultstring>Unauthorized</faultstring>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>

We can also observe the below log entries in server.log 
DEBUG 2019-06-12T10:58:34,900-0400 [a205cfaef7f15119c2fd01a972062d35.oauth-clients.spotfire.tibco.com@SPOTFIREOAUTH2, #-, #1852] ws.security.CxfSecurityInterceptor: Denying access to web method UpdateAnalysisServiceImpl.loadAnalysis(com.spotfire.ws.pub.UpdateAnalysis) (in the service at /api/soap/UpdateAnalysisService), because the user does not have any of the required roles: [], nor any of the required scopes: [api.soap.update-analysis-service]
WARN 2019-06-12T10:58:34,904-0400 [a205cfaef7f15119c2fd01a972062d35.oauth-clients.spotfire.tibco.com@SPOTFIREOAUTH2, #-, #1852] cxf.phase.PhaseInterceptorChain: Interceptor for {http://spotfire.tibco.com/ws/2015/08/externalScheduledUpdate.xsd}UpdateAnalysisServiceImplService#{http://spotfire.tibco.com/ws/2015/08/externalScheduledUpdate.xsd}loadAnalysis has thrown exception, unwinding now
org.apache.cxf.interceptor.security.AccessDeniedException: Unauthorized
    at org.apache.cxf.interceptor.security.AbstractAuthorizingInInterceptor.handleMessage(AbstractAuthorizingInInterceptor.java:60) ~[cxf-core.jar:3.3.0]
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core.jar:3.3.0]
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core.jar:3.3.0]
    ...

  This issue occurs when the AccessToken generated to authorize the user uses a different scope from the one required.

Starting with Spotfire 7.13, the Spotfire Server SOAP webservices now use OAuth 2.0 protocol for authentication and authorization. To authorize we need to generate an access token by making a request to the Token Endpoint at: http[s]://<host>[:<port>]/spotfire/oauth2/token and the access token is only valid for the services and operations described in the scope parameter provided when obtaining the access token.

Thus if you have generated an AccessToken using scope "api.soap.library-service" and try to execute the loadAnalysis operation of the UpdateAnalysisService webservice then this will fail because the required scope in this case is "api.soap.update-analysis-service"

To resolve the issue make sure to generate the AccessToken with the right scope required to access the services and operations as below. You can find the required scope in the documentation for each service. 
User-added image Doc: Spotfire Server Web Services API Reference

Related articles