我正在尝试向用户添加角色,如下所示
/**
 * Example invocation from the question: the first GUID is the user's object id,
 * the second is the id of the target directory role, and "role" selects the
 * branch of addUserToGroup that actually sends the POST to
 * /roles/{groupId}/$links/members. The GUIDs are the asker's sample values.
 */
addUserToGroup("e5911e4e-3d44-448c-bb42-dd6d51855cd4", "d405c6df-0af8-4e3b-95e4-4d06e542189e", "role");
/**
 * Links a directory object (the user) to a directory role by POSTing the
 * object's URL to the role's {@code $links/members} collection.
 *
 * @param userId     object id of the user to link
 * @param groupId    object id of the target role
 * @param objectName "role" sends the POST; "roledelete" is accepted but sends
 *                   nothing; any other value also sends nothing
 * @return whatever handlRequestPostJSON returned (the HTTP status code as a
 *         string on success, the error body otherwise), or null when no
 *         request was sent
 * @throws OfficeException if building the JSON body or sending the request
 *         fails; the original exception is kept as the cause
 */
private static String addUserToGroup(
        String userId,
        String groupId,
        String objectName) throws OfficeException {
    JSONObject body = new JSONObject();
    // The member link body is { "url": "https://<host>/<tenant>/directoryObjects/<userId>" }.
    String memberUrl = String.format("https://%s/%s/directoryObjects/%s",
            AppParameter.getProtectedResourceHostName(),
            AppParameter.getTenantContextId(),
            userId);
    try {
        body.put("url", memberUrl);
        String payload = body.toString();
        String result = null;
        switch (objectName) {
            case "roledelete":
                // No request is sent for this operation.
                break;
            case "role":
                result = handlRequestPostJSON(
                        String.format("/%ss/%s/$links/members", objectName, groupId),
                        null,
                        payload,
                        "addUserToGroup");
                break;
            default:
                break;
        }
        return result;
    } catch (Exception e) {
        throw new OfficeException(AppParameter.ErrorCreatingJSON, e.getMessage(), e, null);
    }
}
/** handlRequestPostJSON 方法 */
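/**
 * Sends a request with a JSON body to the Azure AD Graph endpoint of the
 * current tenant.
 *
 * <p>The HTTP method is POST, except for {@code opName} "roledelete", which
 * sends DELETE. For "updateUser" the {@code X-HTTP-Method: PATCH} header is
 * added so the service treats the POST as a PATCH. The bearer token from
 * {@link AppParameter#getAccessToken()} is sent in the Authorization header
 * and is deliberately never written to any log line here.
 *
 * @param path        resource path below the tenant, e.g. "/roles/{id}/$links/members"
 * @param queryOption additional query string, or null; the API version is
 *                    always appended
 * @param data        request body (callers pass a JSON document)
 * @param opName      operation name used to pick method and headers
 *                    (compared case-insensitively)
 * @return the HTTP status code as a string when the request succeeded;
 *         otherwise the body of the server's error stream, or "" when the
 *         server sent no error body
 * @throws IllegalStateException if the request failed before a connection
 *         was opened (for example the URI could not be built); the original
 *         exception is the cause
 */
public static String handlRequestPostJSON(String path, String queryOption, String data, String opName) {
    HttpURLConnection conn = null;
    String apiVersion = AppParameter.getDataContractVersion();
    try {
        // The API version is appended to whatever query string the caller gave.
        String query = (queryOption == null) ? apiVersion : queryOption + "&" + apiVersion;
        // The multi-argument URI constructor percent-encodes illegal characters
        // in the path and query, so caller-supplied ids are not interpreted as
        // additional path segments or query parameters.
        URI uri = new URI(
                AppParameter.PROTOCOL_NAME,
                AppParameter.getRestServiceHost(),
                "/" + AppParameter.getTenantContextId() + path,
                query,
                null);
        conn = (HttpURLConnection) uri.toURL().openConnection();
        conn.setRequestMethod(opName.equalsIgnoreCase("roledelete") ? "DELETE" : "POST");
        conn.setRequestProperty(AppParameter.AUTHORIZATION_HEADER, AppParameter.getAccessToken());
        conn.setRequestProperty("Accept", "application/json");
        // createUser, updateUser and addUserToGroup all carry a JSON body.
        if (opName.equalsIgnoreCase("createUser")
                || opName.equalsIgnoreCase("updateUser")
                || opName.equalsIgnoreCase("addUserToGroup")) {
            conn.setRequestProperty("Content-Type", "application/json");
        }
        // PATCH is tunnelled through POST via this header.
        if (opName.equalsIgnoreCase("updateUser")) {
            conn.setRequestProperty("X-HTTP-Method", "PATCH");
        }
        conn.setDoOutput(true);
        // Explicit UTF-8: the charset-less reader/writer constructors use the
        // platform default, which corrupts non-ASCII payloads on some systems.
        // try-with-resources closes the streams even when the write fails.
        try (OutputStreamWriter wr = new OutputStreamWriter(
                conn.getOutputStream(), java.nio.charset.StandardCharsets.UTF_8)) {
            wr.write(data);
        }
        // The success body is drained (so the underlying connection can be
        // reused by keep-alive) but not returned; only the status code is.
        try (BufferedReader rd = new BufferedReader(new InputStreamReader(
                conn.getInputStream(), java.nio.charset.StandardCharsets.UTF_8))) {
            while (rd.readLine() != null) {
                // discard
            }
        }
        int responseCode = conn.getResponseCode();
        System.out.println("Response Code: " + responseCode);
        return Integer.toString(responseCode);
    } catch (Exception e2) {
        if (conn == null) {
            // Nothing was sent: the URI or the connection could not be set up,
            // so there is no server error body to return.
            throw new IllegalStateException("Request setup failed for operation " + opName, e2);
        }
        try {
            System.out.println("Response Code: " + conn.getResponseCode());
        } catch (IOException e1) {
            System.err.println("Could not read response code: " + e1);
        }
        return readErrorBody(conn);
    }
}

/**
 * Reads the connection's error stream as UTF-8 and echoes it to stdout.
 *
 * @param conn an opened connection whose request has failed
 * @return the error body, or "" when the server supplied none or it could
 *         not be read
 */
private static String readErrorBody(HttpURLConnection conn) {
    // getErrorStream() returns null when the server sent no error body;
    // wrapping null in a reader would throw and hide the real failure.
    if (conn.getErrorStream() == null) {
        return "";
    }
    StringBuilder body = new StringBuilder();
    try (BufferedReader reader = new BufferedReader(new InputStreamReader(
            conn.getErrorStream(), java.nio.charset.StandardCharsets.UTF_8))) {
        String line;
        while ((line = reader.readLine()) != null) {
            body.append(line);
        }
    } catch (IOException e) {
        // Best effort: return whatever was read so far, but do not stay silent.
        System.err.println("Could not read error body: " + e);
    }
    String response = body.toString();
    System.out.println(response);
    return response;
}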
显示错误如下
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"没有足够的权限来完成操作。"},"requestId":"05318157-1c3b-4410-9be5-ce6c6246514c","date":"2016-11-23T04:27:53"}}
请帮帮我。提前谢谢。
答案 0 :(得分:0)
您的应用程序需要在AAD中配置必要的权限。
最好的办法是让它以与登录用户相同的权限访问AAD,然后以Azure AD管理员身份登录该应用程序。
查看经典Azure门户(https://manage.windowsazure.com)中应用程序配置的“其他应用程序权限”选项卡。
答案 1 :(得分:0)
要成功使用委托令牌调用 Azure AD Graph REST API,需要同时满足两个条件。首先,令牌必须包含足够的权限来操作该资源;其次,登录用户本人也必须拥有足够的权限来操作该资源。
例如,要向群组添加成员,令牌需要包含权限 Directory.ReadWrite.All、Directory.AccessAsUser.All。登录用户还需要拥有操作该群组的权限,例如具有全局管理员角色。
有关权限和范围的更多详细信息,请参阅here。