Hi Huân
When you get to the URL for the object, where you're prompted to
authenticate, what's the actual URL at this point? Is it the old-style
API-LITE URL of the form /fedora/get/{pid} or is it the new REST-API form
/fedora/objects/{pid}?
Whichever it is, could you try the alternative form and report if you get
the same problem with both URLs?
Regards
Steve
> -----Original Message-----
> From: Huân Thebault [mailto:[email protected]]
> Sent: 02 June 2010 15:54
> To: fedora-commons-developers
> Subject: Re: [Fedora-commons-developers] PEP Denying Access
>
>
> Hello
>
> I have apia.auth.required=false
> So I changed datastreamContentDispositionInlineEnabled to false, restarted
> fedora, but still the same error, with the same logs...
>
> Here is my install.properties (without usernames / passwords) :
>
> #Install Options
> #Wed May 26 11:32:20 CEST 2010
> ri.enabled=false
> messaging.enabled=false
> apia.auth.required=false
> database.jdbcDriverClass=org.postgresql.Driver
> database.postgresql.jdbcDriverClass=org.postgresql.Driver
> ssl.available=false
> database.jdbcURL=jdbc\:postgresql\://ccpgsql.in2p3.fr/*****
> database.password=******
> fesl.dbxml.home=/home/fedora_dev/dbxml-2.5.13
> database.username=******
> fesl.authz.enabled=true
> tomcat.shutdown.port=8006
> database.postgresql.driver=included
> deploy.local.services=true
> xacml.enabled=false
> tomcat.http.port=8091
> fedora.serverHost=ccsvli38.in2p3.fr
> database=postgresql
> database.driver=included
> fedora.serverContext=fedora
> tomcat.home=/home/fedora_dev/fedora-commons/tomcat
> fesl.authn.enabled=true
> fedora.home=/home/fedora_dev/fedora-commons
> install.type=custom
> database.postgresql.jdbcURL=jdbc\:postgresql\://ccpgsql.in2p3.fr/*****
> servlet.engine=included
> fedora.admin.pass=*******
>
> Thanks for your help
>
> -----
> Huân Thebault
> Centre de Calcul de l'IN2P3
> Development Team
> Tel. Std +33 4 78 93 08 80
>
>
>
> -----Original Message-----
> From: Edwin Shin [mailto:[email protected]]
> Sent: Wednesday, 2 June 2010 08:42
> To: fedora-dev
> Subject: Re: [Fedora-commons-developers] PEP Denying Access
>
> Huân,
>
> When you installed fedora, did you require authentication for API-A? (you
> can check $FEDORA_HOME/install/install.properties for the value of
> apia.auth.required). If it's false, then try applying the workaround Steve
> suggested below. If it's true, then FCREPO-703 doesn't apply in your case.
>
> The policy log messages suggest you're not authenticated, but on the other
> hand you reported that you were prompted for authentication, so I'm not sure
> what's going on there.
>
> Actually, you might as well post your install.properties file (stripping out
> the passwords for fedoraAdmin, the database or anything else you feel is
> sensitive). Then maybe one of us can try duplicating the issue with your
> settings locally. Not sure if I'll have a chance in the next couple of days
> but perhaps Steve or Nish might.
>
> Eddie
>
> On 1 Jun 2010, at 5:11 PM, Steve Bayliss wrote:
>
> > Could it be possible that this is related to
> > https://fedora-commons.org/jira/browse/FCREPO-703 ?
> >
> > Huân, to see if this is the case, you could modify fedora.fcfg and change
> > the parameter datastreamContentDispositionInlineEnabled to false to verify
> > if this is the case.
> >
> > Regards
> > Steve
> >
> >> -----Original Message-----
> >> From: Huân Thebault [mailto:[email protected]]
> >> Sent: 01 June 2010 15:10
> >> To: fedora-commons-developers
> >> Subject: Re: [Fedora-commons-developers] PEP Denying Access
> >>
> >>
> >> Hi Nish
> >>
> >> You're right, I don't have policies to allow anonymous access. But the real
> >> problem is that I am NOT using anonymous access. I'm identifying myself as
> >> "fedoraAdmin".
> >>
> >> I attach a log file, corresponding to the following scenario:
> >> - 2010-06-01 15:51:48.726: I go to "/fedora/objects" url. I am
> >>   prompted for authentication, I am authenticating myself as "fedoraAdmin"
> >> - I search "*", everything's fine, I've got results
> >> - I try to access an object called "CRDO-Aix:PYJ011"
> >> - I'm prompted for authentication, I give "fedoraAdmin" credentials,
> >>   but the HTTP basic auth. popup comes up again and again and again...
> >> And as you can see in logs, I'm then seen as "anonymous"
> >>
> >>
> >>
> >> -----
> >> Huân Thebault
> >> Centre de Calcul de l'IN2P3
> >> Development Team
> >> Tel. Std +33 4 78 93 08 80
> >>
> >> -----Original Message-----
> >> From: Nishen Naidoo [mailto:[email protected]]
> >> Sent: Tuesday, 1 June 2010 13:11
> >> To: [email protected]; 'Huan Thebault'
> >> Cc: 'fedora-commons-develop...@lists. sourceforge. net'
> >> Subject: RE: [Fedora-commons-developers] PEP Denying Access
> >>
> >> Hi Huan,
> >>
> >> You probably don't have policies to allow anonymous access to resources. From
> >> the request, it is identifying that there is no authenticated user trying to
> >> access the item. For this to work you will need to add a policy to the
> >> bootstrap policies to allow this.
> >>
> >> Something like this might work:
> >>
> >> <?xml version="1.0" encoding="UTF-8"?>
> >> <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
> >>     xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
> >>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >>     xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
> >>     PolicyId="anonymous:readall"
> >>     RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
> >>   <Description>A policy to provide public users the ability to view all objects in the demo object collection</Description>
> >>   <Target>
> >>     <Subjects>
> >>       <Subject>
> >>         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
> >>           <SubjectAttributeDesignator
> >>               AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
> >>               DataType="http://www.w3.org/2001/XMLSchema#string" />
> >>         </SubjectMatch>
> >>       </Subject>
> >>     </Subjects>
> >>     <Resources>
> >>       <Resource>
> >>         <!-- to view everything under the resource collection -->
> >>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
> >>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/.*</AttributeValue>
> >>           <ResourceAttributeDesignator
> >>               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
> >>               DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
> >>         </ResourceMatch>
> >>       </Resource>
> >>     </Resources>
> >>     <Actions>
> >>       <Action>
> >>         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
> >>           <ActionAttributeDesignator
> >>               AttributeId="urn:fedora:names:fedora:2.1:action:api"
> >>               DataType="http://www.w3.org/2001/XMLSchema#string" />
> >>         </ActionMatch>
> >>       </Action>
> >>       <Action>
> >>         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
> >>           <ActionAttributeDesignator
> >>               AttributeId="urn:fedora:names:fedora:2.1:action:id"
> >>               DataType="http://www.w3.org/2001/XMLSchema#string" />
> >>         </ActionMatch>
> >>       </Action>
> >>     </Actions>
> >>   </Target>
> >>   <Rule Effect="Permit"
> >>       RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit"/>
> >> </Policy>
> >>
> >> Nishen Naidoo
> >> IT Projects Developer
> >> Library IT
> >> MACQUARIE UNIVERSITY NSW 2109
> >>
> >> E-Mail: [email protected]
> >> Phone: +61 2 98506553
> >> Mobile: +61 4 30006783
> >> Fax: +61 2 98507912
> >> http://www.library.mq.edu.au/
> >>
> >> CRICOS Provider No 00002J
> >>
> >> ________________________________________
> >> From: yf508 [[email protected]]
> >> Sent: Tuesday, 1 June 2010 6:13 PM
> >> To: 'Huan Thebault'
> >> Cc: 'fedora-commons-develop...@lists. sourceforge. net'
> >> Subject: Re: [Fedora-commons-developers] PEP Denying Access
> >>
> >>> Looking at sources, the "3" at last line means :
> >>> DECISION_NOT_APPLICABLE , which is an error (it should be :
> >>> DECISION_PERMIT, DECISION_INDETERMINATE, DECISION_DENY)
> >>
> >> It seems to me that 'DECISION_NOT_APPLICABLE' means the required policy does
> >> not exist - it's not an error state. So the problem you have might be
> >> related to bootstrap policies (there are bootstrap policies in Fedora 2.x.
> >> I'm not using Fedora 3.x so not sure whether there are some bootstrap ones
> >> in 3.x).
> >>
> >> Frank
> >>
> >> ---------------------------------
> >> Dr. Yankui(Frank) Feng
> >> Digital Library Systems Developer
> >> The University of York
> >> Heslington, York, YO10 5DD, UK
> >> Tel: +44 (0) 1904-434507
> >> Email: yf508 at york.ac.uk
> >> ---------------------------------
> >>
> >>
> >> ------------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> Fedora-commons-developers mailing list
> >> [email protected]
> >> https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
> >>
> >
> >
> >
>
>
>
>
>
>
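The thread turns on what DECISION_NOT_APPLICABLE means for a request seen as "anonymous" versus "fedoraAdmin". As an added example (not code from Fedora, FeSL or any poster in this thread), this sketch evaluates the Target of the quoted anonymous:readall policy against a constructed request; the condensed policy copy, the dict-based request and the resource-id form are assumptions.

```python
import re
import xml.etree.ElementTree as ET
NS = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"
# The two match functions the policy uses (the regexp match is unanchored here).
FUNCS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda want, got: want == got,
    "urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match": lambda rx, got: bool(re.search(rx, got)),
}
# Constructed, condensed copy of the posted policy (one Action kept, DataTypes dropped).
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="anonymous:readall">
<Target>
 <Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  <AttributeValue>anonymous</AttributeValue>
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"/>
 </SubjectMatch></Subject></Subjects>
 <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
  <AttributeValue>/.*</AttributeValue>
  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
 </ResourceMatch></Resource></Resources>
 <Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  <AttributeValue>urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
  <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api"/>
 </ActionMatch></Action></Actions>
</Target>
<Rule Effect="Permit" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit"/>
</Policy>"""

def section_matches(target, kind, request):
    """OR over the section's entries, AND over the matches in each; an absent section matches."""
    def match(m):
        want = m.find(NS + "AttributeValue").text
        attr = m.find(f"{NS}{kind}AttributeDesignator").get("AttributeId")
        return any(FUNCS[m.get("MatchId")](want, got) for got in request.get(attr, []))
    entries = target.findall(f"{NS}{kind}s/{NS}{kind}")
    return not entries or any(all(match(m) for m in e.findall(f"{NS}{kind}Match")) for e in entries)

def evaluate(policy_xml, request):
    """Return the single rule's Effect if the Target matches, else NotApplicable."""
    policy = ET.fromstring(policy_xml)
    target = policy.find(NS + "Target")
    if all(section_matches(target, k, request) for k in ("Subject", "Resource", "Action")):
        return policy.find(NS + "Rule").get("Effect")
    return "NotApplicable"

def request_for(subject_id):
    # Constructed request: attribute id -> bag of values; the resource-id form is an assumption.
    return {"urn:oasis:names:tc:xacml:1.0:subject:subject-id": [subject_id],
            "urn:oasis:names:tc:xacml:1.0:resource:resource-id": ["/CRDO-Aix:PYJ011"],
            "urn:fedora:names:fedora:2.1:action:api": ["urn:fedora:names:fedora:2.1:action:api-a"]}
```

With only this policy loaded, `evaluate(POLICY, request_for("anonymous"))` gives Permit and `evaluate(POLICY, request_for("fedoraAdmin"))` gives NotApplicable, because the Target names a single subject-id.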