Date Posted:
Product: TIBCO Spotfire®
Problem:
TIBCO Spotfire Server SOAP Web Services fail to execute with an Unauthorized error
Solution:
When calling a Spotfire Server SOAP web service such as LibraryService, UpdateAnalysisService or any other, the call may fail and return an Unauthorized fault in the SOAP response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>Unauthorized</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>
At the same time, entries like the following appear in server.log:
DEBUG 2019-06-12T10:58:34,900-0400 [a205cfaef7f15119c2fd01a972062d35.oauth-clients.spotfire.tibco.com@SPOTFIREOAUTH2, #-, #1852] ws.security.CxfSecurityInterceptor: Denying access to web method UpdateAnalysisServiceImpl.loadAnalysis(com.spotfire.ws.pub.UpdateAnalysis) (in the service at /api/soap/UpdateAnalysisService), because the user does not have any of the required roles: [], nor any of the required scopes: [api.soap.update-analysis-service]
WARN 2019-06-12T10:58:34,904-0400 [a205cfaef7f15119c2fd01a972062d35.oauth-clients.spotfire.tibco.com@SPOTFIREOAUTH2, #-, #1852] cxf.phase.PhaseInterceptorChain: Interceptor for {http://spotfire.tibco.com/ws/2015/08/externalScheduledUpdate.xsd}UpdateAnalysisServiceImplService#{http://spotfire.tibco.com/ws/2015/08/externalScheduledUpdate.xsd}loadAnalysis has thrown exception, unwinding now
org.apache.cxf.interceptor.security.AccessDeniedException: Unauthorized
    at org.apache.cxf.interceptor.security.AbstractAuthorizingInInterceptor.handleMessage(AbstractAuthorizingInInterceptor.java:60) ~[cxf-core.jar:3.3.0]
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core.jar:3.3.0]
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core.jar:3.3.0]
    ...
This issue occurs when the access token presented with the request was issued for a different scope than the one the called operation requires. The DEBUG entry names the missing scope explicitly (here api.soap.update-analysis-service), so the log line alone tells you which scope the token should have been requested with.
Starting with Spotfire 7.13, the Spotfire Server SOAP web services use the OAuth 2.0 protocol for authentication and authorization. Before calling a service you must obtain an access token from the token endpoint at http[s]://<host>[:<port>]/spotfire/oauth2/token. That token is valid only for the services and operations named in the scope parameter sent with the token request; the server does not widen a token's scope after it has been issued.
So if you generate an access token with the scope "api.soap.library-service" and then call the loadAnalysis operation of the UpdateAnalysisService web service, the call fails, because that operation requires the scope "api.soap.update-analysis-service".
To resolve the issue, request the access token with the scope required by the service and operation you intend to call (and, as a matter of least privilege, with no more scopes than that). The required scope for each service is listed in the documentation:
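The following Python script is an added example, not code from TIBCO or from the article: it pulls the service path and required scope(s) out of the CxfSecurityInterceptor "Denying access" line in server.log, compares them with the scope the token was actually requested with, and assembles a token request for the right scope. The token endpoint path and scope names come from the article; the use of the OAuth 2.0 client_credentials grant with the API client id and secret sent as HTTP Basic credentials, and space-separated multiple scopes (RFC 6749 section 3.3), are assumptions of this example, as are the host, client id and secret used in the sample call.

```python
"""Added example (not TIBCO's or the article's code): diagnose a Spotfire SOAP
'Unauthorized' fault from server.log and build a token request with the scope
the denied operation requires.

Assumptions not stated in the article: the token endpoint accepts the OAuth 2.0
client_credentials grant, the API client id/secret go in an HTTP Basic header,
and several scopes are space separated (RFC 6749 section 3.3)."""
import base64
import re
import urllib.request
from urllib.parse import urlencode

# Matches the DEBUG line quoted in the article. Roles and scopes are printed as
# "[a, b]" lists; an empty list prints as "[]".
DENY_RE = re.compile(
    r"Denying access to web method (?P<method>\S+) "
    r"\(in the service at (?P<path>[^)\s]+)\), "
    r"because the user does not have any of the required roles: \[(?P<roles>[^\]]*)\], "
    r"nor any of the required scopes: \[(?P<scopes>[^\]]*)\]"
)


def _split_list(text):
    """Contents of a '[a, b]' list -> ['a', 'b']; '' -> []."""
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_denial(log_line):
    """Return {'method', 'path', 'roles', 'scopes'} for a denial line, else None."""
    m = DENY_RE.search(log_line)
    if not m:
        return None
    return {
        "method": m.group("method"),
        "path": m.group("path"),
        "roles": _split_list(m.group("roles")),
        "scopes": _split_list(m.group("scopes")),
    }


def missing_scopes(requested_scopes, required_scopes):
    """Scopes the server demands that the token was not requested with.

    A non-empty result is exactly the article's failure mode: the token is
    valid, but it was minted for a different service than the one called."""
    return sorted(set(required_scopes) - set(requested_scopes))


def diagnose(log_line, requested_scopes):
    """Explain a server.log denial in terms of the scope the token was minted with."""
    denial = parse_denial(log_line)
    if denial is None:
        return None
    return {
        "service": denial["path"],
        "required": denial["scopes"],
        "missing": missing_scopes(requested_scopes, denial["scopes"]),
    }


def build_token_request(base_url, client_id, client_secret, scopes):
    """Assemble (url, headers, body) for POST /spotfire/oauth2/token.

    Endpoint path is from the article; grant type and Basic client
    authentication are this example's assumptions."""
    url = base_url.rstrip("/") + "/spotfire/oauth2/token"
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + credentials,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return url, headers, body


def request_token(base_url, client_id, client_secret, scopes):
    """Perform the token request over the network (not exercised offline)."""
    url, headers, body = build_token_request(base_url, client_id, client_secret, scopes)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


# Constructed sample: the article's DEBUG line without its timestamp prefix.
SAMPLE_DENIAL = (
    "ws.security.CxfSecurityInterceptor: Denying access to web method "
    "UpdateAnalysisServiceImpl.loadAnalysis(com.spotfire.ws.pub.UpdateAnalysis) "
    "(in the service at /api/soap/UpdateAnalysisService), because the user does not "
    "have any of the required roles: [], nor any of the required scopes: "
    "[api.soap.update-analysis-service]"
)

if __name__ == "__main__":
    # A token minted for LibraryService, then used against UpdateAnalysisService.
    print(diagnose(SAMPLE_DENIAL, ["api.soap.library-service"]))
    # The request that fixes it (hypothetical host and client credentials).
    url, headers, body = build_token_request(
        "https://spotfire.example.com", "my-client-id", "my-client-secret",
        ["api.soap.update-analysis-service"])
    print(url, body)
```

Running the script with the sample line reports `missing: ['api.soap.update-analysis-service']`, which is the scope to put in the next token request; once the token is obtained, send it as `Authorization: Bearer <token>` on the SOAP call.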
Doc: Spotfire Server Web Services API Reference