Hi Paul and Alex, I agree, this needs to be solved for Fedora...it is only going to get more common. I recall someone having a similar problem with Solaris a while back, but commenting out the ipv6 entry in /etc/hosts isn't really a solution.
Looking at the default deny-apim-if-not-localhost.xml policy on a newly installed Fedora, I see that it's got 127.0.0.1 as the default ip address. Access is going to be disallowed by default as long as the client IP address is reported as something other than 127.0.0.1, and I'm assuming in your ipv6-aware environment it's reported as ::1 I wonder if this could be fixed by simply changing that default policy. Could one of you try this and report back: 1) revert to your original /etc/hosts and verify the problem occurs again 2) modify the following file: $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/deny-apim-if-not-localhost.xml a) Right after the AttributeValue line containing 127.0.0.1, add another identical AttributeValue line with ::1 for the value instead of 127.0.0.1 3) restart fedora (or just tell the server to reload the policies, e.g. "fedora-reload-policies.sh http fedoraAdmin fedoraAdmin") If that succeeds, then I think we can just change that default policy for 3.3, which is coming in a few weeks. Thanks, Chris On Tue, Nov 17, 2009 at 8:00 AM, Paul Pound <[email protected]> wrote: > We had a user who had this same issue on ubuntu 9.04 server. Api-m soap > calls were getting unauthorized errors until he commented out the ipv6 > stuff in his hosts file. > > Has anyone else had this problem? Does it affect the new rest api or > is it soap calls only? Is there another way around this? > > This is with xacml enforcement on. He changed the log level to debug > and we could see that the user was authenticated and had the appropriate > roles. > > Thanks, > Paul > >>>> Alexander O'Neill <[email protected]> 10/8/2009 2:48 pm >>> > Hi, > > I was getting "401 Unauthorized" errors when trying to use API-M on my > > local Fedora 3.2 install after upgrading to Mac OS X 10.6. I > struggled with global XACML policies and tried to see if I had changed > > anything but couldn't see anything that might be the culprit. > > Just before I was going to zap my local Fedora install I had a thought > > that it might have to do with the usual API-M restriction to being > called from localhost. I looked in my /etc/hosts folder and saw new > entries: > > 127.0.0.1 localhost > 255.255.255.255 broadcasthost > ::1 localhost > fe80::1%lo0 localhost > > Commenting out the last 2 lines and restarting Fedora solved the > problem I was having. > > BUT: > > This is how Snow Leopard comes by default, so anyone installing Fedora > > on the Mac platform is now going to face this problem if they try to > use API-M. > > So I think it's now necessary to find a solution in Fedora itself for > > this IPv6 localhost issue, since it was mostly a stroke of luck that I > > thought to look in the right place. What do other people think? > > Cheers, > > > --- > Alexander O'Neill > Programmer / Analyst > Robertson Library > University of Prince Edward Island > > > > > ------------------------------------------------------------------------------ > Come build with us! The BlackBerry(R) Developer Conference in SF, CA > is the only developer event you need to attend this year. Jumpstart > your > developing skills, take BlackBerry mobile applications to market and > stay > ahead of the curve. Join us from November 9 - 12, 2009. Register now! > http://p.sf.net/sfu/devconference > _______________________________________________ > Fedora-commons-developers mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers > > ------------------------------------------------------------------------------ > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day > trial. Simplify your report design, integration and deployment - and focus on > what you do best, core application coding. Discover what's new with > Crystal Reports now. http://p.sf.net/sfu/bobj-july > _______________________________________________ > Fedora-commons-developers mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers > ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Fedora-commons-developers mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
