Issue when calling HTTP API with a custom domain

Peter Rajcani
Added about 4 years ago

We noticed that when we use a custom XMPP domain, the http component uses the host name as its domain rather than the custom domain. As a result, we are getting an unauthorized access error when we try to create a pubsub node. We resolved this problem by adding the http component with the host domain to the admin list. Is this a bug or is this expected behavior?

Here is our init.properties file:

--comp-class-1 = tigase.muc.MUCComponent
--virt-hosts = *mydomain.com*
--user-db-uri = jdbc:derby:/opt/tigase-5.2.3-defaultdb/tigasedb
--user-db = derby
--admins = admin@mydomain.com,http@mydomain.com,pubsub@mydomain.com, *http@hostname.com*
--comp-name-4 = message-archive
--comp-name-3 = proxy
config-type = --gen-config-def
--comp-name-2 = pubsub
--comp-name-1 = muc
--cluster-mode = true
--sm-plugins = +message-archive-xep-0136
--debug = server
--comp-class-4 = tigase.archive.MessageArchiveComponent
--comp-class-3 = tigase.socks5.Socks5ProxyComponent
--comp-class-2 = tigase.pubsub.PubSubComponent
--comp-name-5=rest
--comp-class-5=tigase.http.rest.RestMessageReceiver
--api-keys=open_access

Create node request / response:

POST http://127.0.0.1:8080/rest/pubsub/pubsub@mydomain.com/create-node
Accept: application/xml
Content-Type: text/xml
Username: admin@mydomain.com
<data>
    <node>pubsub_test</node>
    <owner>admin@mydomain.com</owner>
    <pubsub prefix="true">
        <node_type>leaf</node_type>
    </pubsub>
</data>
 -- response --
200 OK
Transfer-Encoding:  chunked
Date:  Mon, 29 Dec 2014 21:08:08 GMT
Cache-Control:  proxy-revalidate
Connection:  Keep-Alive

<error code="403" type="auth"><forbidden xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/><text xml:lang="en" xmlns="urn:ietf:params:xml:ns:xmpp-stanzas">Only Administrator can call the command.</text></error>

Here is the log:
2014-12-29 15:17:45.568 [in_5-message-router]  MessageRouter.processPacket()  FINEST:   1. Packet will be processed by: http@hostname.com, from=pubsub@mydomain.com, to=http@hostname.com/2966e880-abfb-4e64-8132-524df8d9d152, DATA=<iq type="error" to="http@hostname.com/2966e880-abfb-4e64-8132-524df8d9d152" from="pubsub@mydomain.com" xmlns="jabber:client" id="a17d7273-6f17-44ba-a097-ac3effd9a39f"><command xmlns="http://jabber.org/protocol/commands" node="create-node"><x type="submit" xmlns="jabber:x:data"><field var="node"><value>pubsub_test</value></field><field var="owner"><value>admin@mydomain.com</value></field><field var="pubsub#node_type"><value>leaf</value></field></x></command><error code="403" type="auth"><forbidden xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/><text xml:lang="en" xmlns="urn:ietf:params:xml:ns:xmpp-stanzas">Only Administrator can call the command.</text></error></iq>, SIZE=700, XMLNS=jabber:client, PRIORITY=NORMAL, PERMISSION=NONE, TYPE=error

Replies (6)

Added by Wojciech Kapcia (TigaseTeam) about 4 years ago

Peter Rajcani wrote:

We noticed that when we use a custom XMPP domain, the http component uses the host name as its domain rather than the custom domain. As a result, we are getting an unauthorized access error when we try to create a pubsub node. We resolved this problem by adding the http component with the host domain to the admin list. Is this a bug or is this expected behavior?

From the PubSub REST API documentation:

It is also required that the JID of the Tigase HTTP API Component is added to the list of service admin JIDs to allow execution of ad-hoc commands.

Hence, it's correct and expected behavior.

Added by Peter Rajcani about 4 years ago

We are aware that the http component JID needs to be added to the admin list. However, we think that the JID of the HTTP component is using the wrong XMPP domain name. During installation, we specified a custom domain:

--virt-hosts = mydomain.com

We would expect that the http component JID would be http@mydomain.com rather than http@hostname.com.

Added by Andrzej Wójcik (IoT 1 Cloud, TigaseTeam) about 4 years ago

Tigase components have JIDs generated automatically based on the name of the server on which Tigase XMPP Server is running and the short name of the component, so for a server named xmpp1.example.com, an HTTP component configured with the name http will have the JID http@xmpp1.example.com. This is the internal JID of the Tigase component, used by this component (every Tigase component has an internal JID generated this way) when it sends stanzas to other components or users. It needs to be generated in this way so that we can identify the proper instance of the component (in this case the HTTP component) in a cluster, where the JID http@mydomain.com would identify not a particular instance in the cluster but any instance of the HTTP component in the cluster. We need to identify the particular instance to be able to send the response to the proper instance, which will have the HTTP connection that generated the XMPP request to the other component, so we will be able to send the result.

Added by Peter Rajcani about 4 years ago

I see. Thanks for the explanation. So if the Tigase server runs on 2 different clusters that have different internal JIDs - for example http@xmpp1.example.com and http@xmpp2.example.com - do both of these have to be added to the admin list in init.properties?

Added by Andrzej Wójcik (IoT 1 Cloud, TigaseTeam) about 4 years ago

Right now - yes, you need to add the JID for every cluster node on which the HTTP component will be running, but we are thinking about how to solve this in a better way.
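
An added example, not part of the thread or of Tigase's own code: a small audit of init.properties that lists which per-node internal JIDs of the HTTP component are missing from --admins, which component admin entries match no cluster node, and whether --api-keys is set to open_access while those JIDs hold admin rights. The function names, the sample config, and the node list are constructed for illustration; the component name http and the example hostnames are taken from the posts above.

```python
# Added example: audit a Tigase init.properties for the per-node HTTP component
# admin JIDs discussed in this thread. Function names are hypothetical.

def parse_properties(text):
    """Parse 'key = value' lines; keys keep their leading dashes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_http_admins(text, cluster_nodes, component_name="http"):
    """Return (missing, extra, open_access).

    missing:     internal JIDs <component_name>@<node> absent from --admins
    extra:       <component_name>@... admin entries that match no listed node
    open_access: True when --api-keys contains open_access, i.e. requests
                 are accepted without an API key
    """
    props = parse_properties(text)
    admins = {a.strip().lower() for a in props.get("--admins", "").split(",") if a.strip()}
    expected = {f"{component_name}@{node.lower()}" for node in cluster_nodes}
    missing = sorted(expected - admins)
    prefix = component_name + "@"
    extra = sorted(a for a in admins if a.startswith(prefix) and a not in expected)
    keys = {k.strip() for k in props.get("--api-keys", "").split(",")}
    return missing, extra, "open_access" in keys

# Constructed sample: a two-node cluster where only the first node's
# component JID was added, plus a leftover entry on the virtual host domain.
SAMPLE = """\
--virt-hosts = mydomain.com
--admins = admin@mydomain.com,http@mydomain.com, http@xmpp1.example.com
--cluster-mode = true
--api-keys=open_access
"""

if __name__ == "__main__":
    nodes = ["xmpp1.example.com", "xmpp2.example.com"]
    missing, extra, open_access = audit_http_admins(SAMPLE, nodes)
    print("missing admin JIDs:", missing)
    print("component admin JIDs matching no node:", extra)
    print("REST API accepts requests without an API key:", open_access)
```

Entries reported as matching no node are admin grants that serve no instance of the component and can be removed from --admins.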

Added by Peter Rajcani about 4 years ago

I see. Thanks!
