Scott,

We observe this bug in our production systems and need to find the  
fix as well.  We have an implicit MIT Certificate Authentication  
that's failing to work directly against bitstreams because of it.

-Mark

On Jun 18, 2007, at 2:20 AM, Scott Yeadon wrote:

> OK, it's not null, the authentication succeeds, but since the code drops
> down into the AuthorizationException handling of the DSpaceServlet.java,
> there is no redirection (implicit authentication) so it bombs out. Is
> this a bug?
>
> Scott.
>
> Scott Yeadon wrote:
>> Hi All,
>>
>> I have a stackable authentication class which obtains credentials from
>> a request. When I access a protected bitstream, the auth class works
>> (credentials are parsed and all ok) however the context user is still
>> null although setCurrentUser() is called before returning the SUCCESS
>> status. The flow is:
>>
>> - attempt to access protected bitstream
>> - AuthorizeAction happens, fails, throws AuthorizeException
>> - Authenticate.startAuthentication occurs and my class is invoked with
>> success
>> - After return from startAuthentication the currentUser is still null
>> (even though explicitly being set in the authenticate method), so the
>> request fails with access denied to user 0 (default value when
>> getCurrentUser() is null). As my class is implicit authentication
>> there is no redirection either.
>>
>> I don't understand why this is null, the log message shows:
>> 2007-06-18 14:31:47,032 INFO org.dspace.app.webui.servlet.DSpaceServlet @ myuser:session_id=AB51545186B04E419B63AD9FF140C7BF:ip_addr=150.203.2.97:authorize_error:org.dspace.authorize.AuthorizeException: Authorization denied for action READ on BITSTREAM:32978 by user 0
>>
>> showing that the "myuser" user is the current user (at least in the
>> logHeader!) but not in the context object.
>>
>> Anyone done this before? My code is almost identical to the X509 auth,
>> the only real difference being where the credentials are taken from.
>> There are no problems with the credentials or request itself, just
>> something I'm missing with the auth flow I suspect.
>>
>> Scott.
>>
>>
>
>
> _______________________________________________
> Dspace-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/dspace-devel

~~~~~~~~~~~~~
Mark R. Diggory - DSpace Systems Manager
MIT Libraries, Systems and Technology Services
Massachusetts Institute of Technology
Office: E25-131
Phone: (617) 253-1096



_______________________________________________
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
