Trying to use the Graph API

Time: 2016-11-23 04:41:03

Tags: java azure-ad-graph-api

I am trying to add a role to a user, as shown below:

    // Import needed by this snippet (org.json); the other AppParameter/OfficeException
    // types are the poster's own helper classes.
    import org.json.JSONObject;

    /**
     * Passing values to the addUserToGroup method:
     * the user's objectId, the role's objectId, and the kind of object to add to.
     */
    addUserToGroup("e5911e4e-3d44-448c-bb42-dd6d51855cd4", "d405c6df-0af8-4e3b-95e4-4d06e542189e", "role");

    private static String addUserToGroup(
            String userId,
            String groupId,
            String objectName) throws OfficeException {

        String newKey = null;

        try {
            /**
             * Set up the JSON body: a single "url" property pointing at the
             * directory object (the user) that should become a member.
             */
            JSONObject jsonObj = new JSONObject();

            String objectLink = String.format("https://%s/%s/directoryObjects/%s",
                    AppParameter.getProtectedResourceHostName(),
                    AppParameter.getTenantContextId(),
                    userId);

            jsonObj.put("url", objectLink);

            /**
             * Serialize the JSON object into the request payload.
             */
            String data = jsonObj.toString();

            if (objectName.equals("roledelete")) {
                // Empty in the posted code: the remove-member path is not implemented yet.
            } else if (objectName.equals("role")) {
                // Builds "/roles/{groupId}/$links/members". Note: in the Azure AD Graph API
                // the entity set for directory roles is "directoryRoles" (and "groups" for
                // groups), so "/roles/..." does not name a real collection.
                newKey = handlRequestPostJSON(
                        String.format("/%ss/%s/$links/members", objectName, groupId),
                        null,
                        data,
                        "addUserToGroup");
            }

            return newKey;

        } catch (Exception e) {
            throw new OfficeException(AppParameter.ErrorCreatingJSON, e.getMessage(), e, null);
        }
    }

    /** handlRequestPostJSON method **/

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.io.OutputStreamWriter;
    import java.net.HttpURLConnection;
    import java.net.URI;
    import java.net.URL;
    import java.nio.charset.StandardCharsets;

    public static String handlRequestPostJSON(String path, String queryOption, String data, String opName) {

        HttpURLConnection conn = null;
        String queryOptionAdd;
        String apiVersion = AppParameter.getDataContractVersion();

        try {
            /**
             * Form the request URI from its individual components. The api-version
             * query option is required on every Azure AD Graph call.
             */
            if (queryOption == null) {
                queryOptionAdd = apiVersion;
            } else {
                queryOptionAdd = queryOption + "&" + apiVersion;
            }

            URI uri = new URI(
                    AppParameter.PROTOCOL_NAME,
                    AppParameter.getRestServiceHost(),
                    "/" + AppParameter.getTenantContextId() + path,
                    queryOptionAdd,
                    null);

            /**
             * Open the URL connection.
             */
            URL url = uri.toURL();
            conn = (HttpURLConnection) url.openConnection();

            /**
             * Default to POST; the role-delete operation uses DELETE instead.
             */
            conn.setRequestMethod("POST");
            if (opName.equalsIgnoreCase("roledelete")) {
                conn.setRequestMethod("DELETE");
            }

            /**
             * Set the request headers. The Authorization header carries the bearer
             * access token acquired for the Graph resource.
             */
            conn.setRequestProperty(AppParameter.AUTHORIZATION_HEADER, AppParameter.getAccessToken());
            conn.setRequestProperty("Accept", "application/json");

            /**
             * Create user, update user and add-user-to-group/role requests all carry
             * a JSON body, so the content type is application/json for each of them.
             */
            if (opName.equalsIgnoreCase("createUser")
                    || opName.equalsIgnoreCase("updateUser")
                    || opName.equalsIgnoreCase("addUserToGroup")) {
                conn.setRequestProperty("Content-Type", "application/json");
            }

            /**
             * Updating a user requires PATCH, which HttpURLConnection does not support
             * directly, so the request is sent as POST with the X-HTTP-Method header
             * set to PATCH (method override).
             */
            if (opName.equalsIgnoreCase("updateUser")) {
                conn.setRequestProperty("X-HTTP-Method", "PATCH");
            }

            /**
             * Send the payload, if there is one (a DELETE carries no body).
             */
            if (data != null) {
                conn.setDoOutput(true);
                try (OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream(), StandardCharsets.UTF_8)) {
                    wr.write(data);
                    wr.flush();
                }
            }

            /**
             * Read the response body; getInputStream() throws for 4xx/5xx responses,
             * which moves us to the catch block below. The body is drained so the
             * underlying connection can be reused.
             */
            readStream(conn.getInputStream());

            int responseCode = conn.getResponseCode();
            System.out.println("Response Code: " + responseCode);

            return Integer.toString(responseCode);

        } catch (Exception e2) {
            /**
             * On failure, log the status code and return the error body
             * (the odata.error JSON returned by the service).
             */
            if (conn == null) {
                e2.printStackTrace();
                return e2.getMessage();
            }
            try {
                System.out.println("Response Code: " + conn.getResponseCode());
            } catch (IOException e1) {
                e1.printStackTrace();
            }

            try {
                InputStream err = conn.getErrorStream();
                // getErrorStream() is null when no HTTP response was received at all.
                String response = (err == null) ? e2.getMessage() : readStream(err);
                System.out.println(response);
                return response;
            } catch (IOException e) {
                e.printStackTrace();
                return e2.getMessage();
            }
        }
    }

    /**
     * Reads a stream fully into a String (UTF-8) and closes it.
     */
    private static String readStream(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader rd = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
            String line;
            while ((line = rd.readLine()) != null) {
                sb.append(line);
            }
        }
        return sb.toString();
    }

The error shown is as follows:

    {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"05318157-1c3b-4410-9be5-ce6c6246514c","date":"2016-11-23T04:27:53"}}

Please help me. Thanks in advance.

2 answers:

Answer 0: (score: 0)

Your application needs to have the necessary permissions configured in AAD.

The easiest way is to let it access AAD with the same permissions as the signed-in user, and then sign in to the application as an Azure AD administrator.

Look at the "Permissions to other applications" tab of the application's configuration in the classic Azure portal (https://manage.windowsazure.com).

Answer 1: (score: 0)

To call the Azure AD Graph REST API successfully with a delegated token, two conditions should be met. First, the token contains sufficient permissions to operate on the resource. Second, the signed-in user has sufficient privileges to operate on the resource.

For example, to add a member to a group, the token needs to contain the permission Directory.ReadWrite.All or Directory.AccessAsUser.All. The signed-in user also needs to have privileges to operate on groups, such as Global Administrator.

For more details about permissions and scopes, please refer here.
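Answer 1 splits an Authorization_RequestDenied failure into two questions: does the token carry a sufficient permission, and is the signed-in user privileged enough. The first can be checked on the client before blaming the directory role: decode the access token's payload and look at its "scp" claim (delegated permissions, space-separated; application permissions appear in "roles"). The following is an added example, not code from the question or either answer, written in Python rather than the question's Java because the check is language-independent. The mapping from operation to acceptable permissions is taken from Answer 1 but its shape is an assumption; the unsigned sample token and the error body are constructed test data that mirror the error in the question.

```python
"""Pre-flight checks for an Azure AD Graph call that failed with
Authorization_RequestDenied (added example; sample data is constructed)."""
import base64
import json

# Operation -> delegated permissions that suffice (values from Answer 1;
# the mapping itself is an assumption for this example).
REQUIRED_SCOPES = {
    "addUserToGroup": {"Directory.ReadWrite.All", "Directory.AccessAsUser.All"},
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    Client-side inspection only: the resource (graph.windows.net) is the
    party that validates the signature, so nothing here grants trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def token_scopes(token: str) -> set:
    """Delegated permissions live in "scp" (space-separated);
    application permissions from client-credential tokens live in "roles"."""
    payload = decode_jwt_payload(token)
    scopes = set(payload.get("scp", "").split())
    scopes.update(payload.get("roles", []))
    return scopes


def token_allows(token: str, op_name: str) -> bool:
    """True if the token carries at least one permission sufficient for op_name."""
    return bool(token_scopes(token) & REQUIRED_SCOPES[op_name])


def classify_graph_error(body: str) -> dict:
    """Parse an AAD Graph odata.error body into the fields worth logging."""
    err = json.loads(body)["odata.error"]
    return {
        "code": err["code"],
        "message": err["message"]["value"],
        "requestId": err.get("requestId"),
        "date": err.get("date"),
    }


def diagnose(token: str, op_name: str, error_body: str) -> str:
    """Combine both checks into the practitioner's next step."""
    err = classify_graph_error(error_body)
    if err["code"] != "Authorization_RequestDenied":
        return "other error " + err["code"] + ": " + err["message"]
    if not token_allows(token, op_name):
        return ("token lacks a sufficient permission; have: "
                + ", ".join(sorted(token_scopes(token)))
                + "; need one of: " + ", ".join(sorted(REQUIRED_SCOPES[op_name])))
    return ("token permission is sufficient; check that the signed-in user holds a "
            "directory role allowed to manage the target (e.g. Global Administrator)")


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED sample token (alg none, empty signature).
    Constructed test data only; a real token is signed by Azure AD."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed error body matching the shape of the error in the question.
SAMPLE_ERROR = json.dumps({"odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {"lang": "en", "value": "Insufficient privileges to complete the operation."},
    "requestId": "05318157-1c3b-4410-9be5-ce6c6246514c",
    "date": "2016-11-23T04:27:53"}})

# A token holding only the read-only permission an app often gets by default.
WEAK_TOKEN = make_sample_token({"aud": "https://graph.windows.net", "scp": "User.Read"})
# A token holding one of the permissions Answer 1 says is needed.
STRONG_TOKEN = make_sample_token({"aud": "https://graph.windows.net",
                                  "scp": "User.Read Directory.AccessAsUser.All"})

if __name__ == "__main__":
    print(diagnose(WEAK_TOKEN, "addUserToGroup", SAMPLE_ERROR))
    print(diagnose(STRONG_TOKEN, "addUserToGroup", SAMPLE_ERROR))
```

Run it with a real token (the Authorization header value without the "Bearer " prefix) to see which of the two conditions is failing: if "scp" already contains a sufficient permission, the remaining cause is the signed-in user's own directory role, which no client-side check can fix.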