Failed on reading a species list just created by spatial-hub #229

Open
qifeng-bai opened this issue Dec 8, 2023 · 6 comments

@qifeng-bai
Contributor

The species list is created successfully, but spatial-hub gets a 401 error when it tries to retrieve it.
For example, the following list was created by spatial-hub; however, spatial-hub failed to load it:
https://lists-test.ala.org.au/ws/speciesListItems/dr22265?max=1

(Screenshot attached: 2023-12-08, 11:43:54 am)

@qifeng-bai
Contributor Author

qifeng-bai commented Dec 8, 2023

@adam-collins found that the new species-list will not let just anyone download a private list.

@qifeng-bai
Contributor Author

What @adam-collins found:
I need some help with service authentication that is not working. Is there a security annotation that will authenticate an Authentication: Bearer ... header if it is present and continue without validating the user if not?
https://lists-test.ala.org.au/ws/speciesListItems/dr18755 requires no authentication, working
https://lists-test.ala.org.au/ws/speciesListItems/dr22250 requires authentication (cookie auth works, I presume session) but does not work with a valid Authentication: Bearer...
For the failure case, authService.getUserId() returns null because Pac4jAuthService.profileManager.authenticated == false. Additional testing includes:
@RequireApiKey cannot be used because it returns 401 when no authentication is provided
@sso(gateway = true) cannot be used because it redirects to login when no authentication is provided
SSO cannot be used because it redirects to login when no authentication is provided
security.cas.authenticateOnlyIfLoggedInFilterPattern cannot be used because when Authentication: Bearer... is present it intercepts the request and returns an empty response with status 200. This one is odd.
@AlaSecured(anonymous = true) ignores Authentication.
AlaSecured cannot be used because it returns 403 when no authentication is provided
At this time the only option I can think of is to create a new webservice with @RequireApiKey because that will work when Authentication: Bearer... is present.

@qifeng-bai
Contributor Author

@sbearcsiro's answer:
as you've discovered, this is not supported currently... agreed that the best place to add this is probably adding an optional=true param to @RequireApiKey but I haven't looked too closely yet

qifeng-bai added the bug label Dec 10, 2023
@qifeng-bai
Contributor Author

Some thoughts regarding the user token and the webservice token:
When a user creates a list via spatial hub:
1. A user sends the list creation request with their user token; SP verifies the token and collects the user details. In the next step, SP forwards the request to the species-list with its webservice token. In this case, the species-list cannot fetch the user details via the webservice token.

2. Since SP creates a private list, when SP requests the created list, the request is denied by the species-list, because the species-list needs to verify whether the user has the right to read this list. However, Biocollect works because Biocollect creates a public list.
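The two behaviours discussed in this thread, "authenticate if a bearer token is present, otherwise continue anonymously" (the annotation adam-collins was looking for) and the private-list read check that denies a service token carrying no user identity (point 2 above), as an added Python illustration. This is not code from ala-security-project, specieslist-webapp or spatial-hub: the token table, the list records and the exact status codes are constructed assumptions, and it uses the standard `Authorization` header name. The rule worth noticing is that a token that is present but invalid is rejected with 401 rather than downgraded to guest access, so a broken or expired credential is surfaced instead of silently ignored.

```python
"""Optional bearer authentication plus private-list visibility check.

Added illustration for the thread above; not the project's own code.
"""
from enum import Enum
import hmac


class AuthOutcome(Enum):
    ANONYMOUS = "anonymous"          # no credential offered: continue as guest
    AUTHENTICATED = "authenticated"  # credential offered and valid
    REJECTED = "rejected"            # credential offered but invalid: 401


# Constructed token table (assumption). A real service would validate a JWT
# or introspect the token with the identity provider instead of a dict lookup.
# A service (machine-to-machine) token carries no user identity at all.
VALID_TOKENS = {
    "tok-user-42": {"kind": "user", "user": "user-42"},
    "tok-spatial-hub-service": {"kind": "service", "user": None},
}

# Constructed list metadata (assumption); the ids are the ones named in the thread.
LISTS = {
    "dr18755": {"owner": "user-7", "private": False},
    "dr22265": {"owner": "user-42", "private": True},
}


def authenticate_optional(headers, valid_tokens=VALID_TOKENS):
    """Optional bearer authentication.

    Returns (outcome, principal). Absent header -> ANONYMOUS; well-formed and
    valid bearer token -> AUTHENTICATED; anything else -> REJECTED. A bad
    token must not fall back to anonymous: the caller should learn that the
    credential was refused rather than be quietly served as a guest.
    """
    value = None
    for name, v in headers.items():  # HTTP header names are case-insensitive
        if name.lower() == "authorization":
            value = v
            break
    if value is None:
        return AuthOutcome.ANONYMOUS, None
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return AuthOutcome.REJECTED, None
    for known, principal in valid_tokens.items():
        # constant-time comparison, so timing does not leak how much of a token matched
        if hmac.compare_digest(known.encode(), token.encode()):
            return AuthOutcome.AUTHENTICATED, dict(principal)
    return AuthOutcome.REJECTED, None


def list_items_status(list_id, headers, lists=LISTS):
    """HTTP status a GET /ws/speciesListItems/<list_id> would return (assumed codes)."""
    outcome, principal = authenticate_optional(headers)
    if outcome is AuthOutcome.REJECTED:
        return 401
    meta = lists.get(list_id)
    if meta is None:
        return 404
    if not meta["private"]:
        return 200  # public list: anyone, authenticated or not, may read it
    if principal is not None and principal["user"] == meta["owner"]:
        return 200  # owner reading their own private list
    # Private list and the caller is either a guest (ask them to authenticate)
    # or an authenticated principal that is not the owner (forbidden). A service
    # token with no user attached lands here, which is the point 2 case above.
    return 401 if outcome is AuthOutcome.ANONYMOUS else 403


if __name__ == "__main__":
    print("public, no token     ->", list_items_status("dr18755", {}))
    print("private, no token    ->", list_items_status("dr22265", {}))
    print("private, owner token ->", list_items_status("dr22265", {"Authorization": "Bearer tok-user-42"}))
    print("private, service tok ->", list_items_status("dr22265", {"Authorization": "Bearer tok-spatial-hub-service"}))
    print("public, bad token    ->", list_items_status("dr18755", {"Authorization": "Bearer not-a-token"}))
```

The service-token case is the one the thread is about: the proxying service authenticates as itself, so the list owner cannot be established from that credential and the private list is refused, while the same request with the end user's own token succeeds.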

@adam-collins
Collaborator

spatial-hub pull request AtlasOfLivingAustralia/spatial-hub#463
specieslist pull request AtlasOfLivingAustralia/specieslist-webapp#297

@adam-collins
Collaborator

Are we still waiting on biocollect?
