Hello, I'm at rev. 8587 (fcrepo-security-jaas is at 8576).

Thanks to your explanations I think that I understand what happens with the URL-encoding issue, and it's not really a problem. It's just because in my test scenario I manually switch from the REST API to the LITE API, which should not happen: on fedora/objects/demo%3A19 the HTTP Basic auth pops up again and again, so I changed that to fedora/get/demo%3A19, which was not a good idea. This URL gives me the links:

/fedora/objects/demo%253A19/datastreams --> ok
/fedora/objects/demo%253A19/methods --> ok
/fedora/objects/demo%253A19/versions --> ok
/fedora/objects/demo%253A19/objectXML --> no path in db registry for [demo%3A19]

But if I use the URL fedora/get/demo:19, all the links are just fine.

-----
Huân Thebault
Centre de Calcul de l'IN2P3
Development Team
Tel. Std +33 4 78 93 08 80

-----Original Message-----
From: Steve Bayliss [mailto:[email protected]]
Sent: Tuesday 8 June 2010 13:32
To: 'Huân Thebault'; 'fedora-commons-developers'
Subject: RE: [Fedora-commons-developers] PEP Denying Access

Hi Huân

It looks like there is some difference in authorization between the LITE APIs and the REST APIs when using FeSL, I'll attempt to investigate further when I get a chance.

For the objectXML link not working - there were some recent changes to the stylesheets that produce these (related to URL-encoding - and this looks like a double-encoding issue), however these are working fine for me.

1) could you confirm which SVN revision you are using?
2) could you give the exact steps to reproduce this - ie paste into an email the full /fedora/get/[pid] URL (ie including the PID itself), and from there copy the objectXML link and paste that in as well?
Note that the REST API *requires* URL-encoded PIDs (however the ":" character doesn't have to be encoded, but will be accepted if it is encoded), but the LITE APIs will not accept URL-encoded PIDs (however I believe if you encode : as %3A it will in fact still work - it could be that the LITE /fedora/get/[pid] is being supplied with an encoded PID, and is then failing to decode this and is passing on this raw value to the view generation, which is then encoding it again).

Regards
Steve

> -----Original Message-----
> From: Huân Thebault [mailto:[email protected]]
> Sent: 03 June 2010 12:17
> To: fedora-commons-developers
> Subject: Re: [Fedora-commons-developers] PEP Denying Access
>
> This is an interesting test scenario:
>
> /fedora/describe HTTP basic auth --> ok
> /fedora/objects --> ok
> /fedora/objects/[pid] HTTP basic auth --> does not work
>
> I then replace "objects" by "get":
> /fedora/get/[pid] --> ok
>
> From there, I click on the given links:
> /fedora/objects/[pid]/datastreams --> ok
> /fedora/objects/[pid]/versions --> ok
> /fedora/objects/[pid]/methods --> ok
> /fedora/objects/[pid]/objectXML --> if I just click on the link I've got "fedora/objects/CCIN2P3%253A7647/objectXML", which does not work, but if I change it to "fedora/objects/CCIN2P3%3A7647/objectXML" it's ok
>
> -----
> Huân Thebault
> Centre de Calcul de l'IN2P3
> Development Team
> Tel. Std +33 4 78 93 08 80
>
> -----Original Message-----
> From: Steve Bayliss [mailto:[email protected]]
> Sent: Thursday 3 June 2010 10:56
> To: 'Huân Thebault'; 'fedora-commons-developers'
> Subject: RE: [Fedora-commons-developers] PEP Denying Access
>
> Hi Huân
>
> When you get to the URL for the object, where you're prompted to authenticate, what's the actual URL at this point? Is it the old-style API-LITE URL of the form /fedora/get/{pid} or is it the new REST-API form /fedora/objects/{pid}?
>
> Whichever it is, could you try the alternative form and report if you get the same problem with both URLs?
>
> Regards
> Steve
>
> > -----Original Message-----
> > From: Huân Thebault [mailto:[email protected]]
> > Sent: 02 June 2010 15:54
> > To: fedora-commons-developers
> > Subject: Re: [Fedora-commons-developers] PEP Denying Access
> >
> > Hello
> >
> > I have apia.auth.required=false
> > So I changed datastreamContentDispositionInlineEnabled to false, restarted fedora, but still the same error, with the same logs...
> >
> > Here is my install.properties (without usernames / passwords):
> >
> > #Install Options
> > #Wed May 26 11:32:20 CEST 2010
> > ri.enabled=false
> > messaging.enabled=false
> > apia.auth.required=false
> > database.jdbcDriverClass=org.postgresql.Driver
> > database.postgresql.jdbcDriverClass=org.postgresql.Driver
> > ssl.available=false
> > database.jdbcURL=jdbc\:postgresql\://ccpgsql.in2p3.fr/*****
> > database.password=******
> > fesl.dbxml.home=/home/fedora_dev/dbxml-2.5.13
> > database.username=******
> > fesl.authz.enabled=true
> > tomcat.shutdown.port=8006
> > database.postgresql.driver=included
> > deploy.local.services=true
> > xacml.enabled=false
> > tomcat.http.port=8091
> > fedora.serverHost=ccsvli38.in2p3.fr
> > database=postgresql
> > database.driver=included
> > fedora.serverContext=fedora
> > tomcat.home=/home/fedora_dev/fedora-commons/tomcat
> > fesl.authn.enabled=true
> > fedora.home=/home/fedora_dev/fedora-commons
> > install.type=custom
> > database.postgresql.jdbcURL=jdbc\:postgresql\://ccpgsql.in2p3.fr/*****
> > servlet.engine=included
> > fedora.admin.pass=*******
> >
> > Thanks for your help
> >
> > -----
> > Huân Thebault
> > Centre de Calcul de l'IN2P3
> > Development Team
> > Tel. Std +33 4 78 93 08 80
> >
> > -----Original Message-----
> > From: Edwin Shin [mailto:[email protected]]
> > Sent: Wednesday 2 June 2010 08:42
> > To: fedora-dev
> > Subject: Re: [Fedora-commons-developers] PEP Denying Access
> >
> > Huân,
> >
> > When you installed fedora, did you require authentication for API-A? (you can check $FEDORA_HOME/install/install.properties for the value of apia.auth.required). If it's false, then try applying the workaround Steve suggested below. If it's true, then FCREPO-703 doesn't apply in this case.
> >
> > The policy log messages suggest you're not authenticated, but on the other hand you reported that you were prompted for authentication, so I'm not sure what's going on there.
> >
> > Actually, you might as well post your install.properties file (stripping out the passwords for fedoraAdmin, the database or anything else you feel is sensitive). Then maybe one of us can try duplicating the issue with your settings locally. Not sure if I'll have a chance in the next couple of days but perhaps Steve or Nish might.
> >
> > Eddie
> >
> > On 1 Jun 2010, at 5:11 PM, Steve Bayliss wrote:
> >
> > > Could it be possible that this is related to https://fedora-commons.org/jira/browse/FCREPO-703 ?
> > >
> > > Huân, to see if this is the case, you could modify fedora.fcfg and change the parameter datastreamContentDispositionInlineEnabled to false to verify if this is the case.
> > >
> > > Regards
> > > Steve
> > >
> > >> -----Original Message-----
> > >> From: Huân Thebault [mailto:[email protected]]
> > >> Sent: 01 June 2010 15:10
> > >> To: fedora-commons-developers
> > >> Subject: Re: [Fedora-commons-developers] PEP Denying Access
> > >>
> > >> Hi Nish
> > >>
> > >> You're right, I don't have policies to allow anonymous access. But the real problem is that I am NOT using anonymous access.
> > >> I'm identifying myself as "fedoraAdmin".
> > >>
> > >> I attach a log file, corresponding to the following scenario:
> > >> - 2010-06-01 15:51:48.726: I go to the "/fedora/objects" url. I am prompted for authentication, I am authenticating myself as "fedoraAdmin"
> > >> - I search "*", everything's fine, I've got results
> > >> - I try to access an object called "CRDO-Aix:PYJ011"
> > >> - I'm prompted for authentication, I give "fedoraAdmin" credentials, but the HTTP basic auth popup comes up again and again and again...
> > >> And as you can see in the logs, I'm then seen as "anonymous"
> > >>
> > >> -----
> > >> Huân Thebault
> > >> Centre de Calcul de l'IN2P3
> > >> Development Team
> > >> Tel. Std +33 4 78 93 08 80
> > >>
> > >> -----Original Message-----
> > >> From: Nishen Naidoo [mailto:[email protected]]
> > >> Sent: Tuesday 1 June 2010 13:11
> > >> To: [email protected]; 'Huan Thebault'
> > >> Cc: 'fedora-commons-develop...@lists. sourceforge. net'
> > >> Subject: RE: [Fedora-commons-developers] PEP Denying Access
> > >>
> > >> Hi Huan,
> > >>
> > >> You probably don't have policies to allow anonymous access to resources. From the request, it is identifying that there is no authenticated user trying to access the item. For this to work you will need to add a policy to the bootstrap policies to allow this.
> > >>
> > >> Something like this might work:
> > >>
> > >> <?xml version="1.0" encoding="UTF-8"?>
> > >> <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
> > >>   xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
> > >>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >>   xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
> > >>   PolicyId="anonymous:readall"
> > >>   RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
> > >>   <Description>A policy to provide public users the ability to view all objects in the demo object collection</Description>
> > >>   <Target>
> > >>     <Subjects>
> > >>       <Subject>
> > >>         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> > >>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
> > >>           <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
> > >>         </SubjectMatch>
> > >>       </Subject>
> > >>     </Subjects>
> > >>     <Resources>
> > >>       <Resource>
> > >>         <!-- to view everything under the resource collection -->
> > >>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
> > >>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/.*</AttributeValue>
> > >>           <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
> > >>         </ResourceMatch>
> > >>       </Resource>
> > >>     </Resources>
> > >>     <Actions>
> > >>       <Action>
> > >>         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> > >>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
> > >>           <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api" DataType="http://www.w3.org/2001/XMLSchema#string" />
> > >>         </ActionMatch>
> > >>       </Action>
> > >>       <Action>
> > >>         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> > >>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
> > >>           <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string" />
> > >>         </ActionMatch>
> > >>       </Action>
> > >>     </Actions>
> > >>   </Target>
> > >>   <Rule Effect="Permit" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit"/>
> > >> </Policy>
> > >>
> > >> Nishen Naidoo
> > >> IT Projects Developer
> > >> Library IT
> > >> MACQUARIE UNIVERSITY NSW 2109
> > >>
> > >> E-Mail: [email protected]
> > >> Phone: +61 2 98506553
> > >> Mobile: +61 4 30006783
> > >> Fax: +61 2 98507912
> > >> http://www.library.mq.edu.au/
> > >>
> > >> CRICOS Provider No 00002J
> > >>
> > >> This message is intended for the addressee named and may contain confidential information. If you are not the intended recipient, please delete it and notify the sender. Views expressed in this message are those of the individual sender, and are not necessarily the views of Macquarie University Library or Macquarie University.
> > >>
> > >> Please consider the environment before printing this email.
> > >> ________________________________________
> > >> From: yf508 [[email protected]]
> > >> Sent: Tuesday, 1 June 2010 6:13 PM
> > >> To: 'Huan Thebault'
> > >> Cc: 'fedora-commons-develop...@lists. sourceforge. net'
> > >> Subject: Re: [Fedora-commons-developers] PEP Denying Access
> > >>
> > >>> Looking at sources, the "3" at last line means: DECISION_NOT_APPLICABLE, which is an error (it should be: DECISION_PERMIT, DECISION_INDETERMINATE, DECISION_DENY)
> > >>
> > >> It seems to me that 'DECISION_NOT_APPLICABLE' means the required policy does not exist - it's not an error state. So the problem you have might be related to bootstrap policies (there are bootstrap policies in Fedora 2.x. I'm not using Fedora 3.x so not sure whether there are some bootstrap ones in 3.x).
> > >>
> > >> Frank
> > >>
> > >> ---------------------------------
> > >> Dr. Yankui (Frank) Feng
> > >> Digital Library Systems Developer
> > >> The University of York
> > >> Heslington, York, YO10 5DD, UK
> > >> Tel: +44 (0) 1904-434507
> > >> Email: yf508 at york.ac.uk
> > >> ---------------------------------
> > >>
> > >> ------------------------------------------------------------------------------
> > >>
> > >> _______________________________________________
> > >> Fedora-commons-developers mailing list
> > >> [email protected]
> > >> https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
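The double-encoding Steve describes (a PID that arrives already percent-encoded is forwarded undecoded and then encoded again by the view generation, turning demo%3A19 into demo%253A19) is easy to reproduce and to guard against. The block below is an added example written for this thread, not Fedora's own code: the link builders, the PID syntax regex and the registry-lookup model are assumptions made for the illustration, using only Python's standard library.

```python
"""Added example, not Fedora's code: how an already-encoded PID gets
double-encoded into a link, and a builder that canonicalises first."""
import re
from urllib.parse import quote, unquote

# PID shape assumed for this example: namespace:id with a conservative
# character set. ':' is legal in a PID and does not need encoding.
PID_RE = re.compile(r"^[A-Za-z0-9._~-]+:[A-Za-z0-9._~-]+$")


def naive_objectxml_link(pid_as_received):
    """Models the failure Steve describes: the handler forwards the path
    segment undecoded and the view generation encodes whatever it gets, so
    'demo%3A19' comes out as 'demo%253A19' while 'demo:19' comes out fine."""
    return "/fedora/objects/" + quote(pid_as_received, safe="") + "/objectXML"


def canonical_pid(pid_as_received):
    """Decode exactly once, then insist on a plain PID. A '%' surviving one
    decode means the input was double-encoded (or otherwise malformed), so
    refuse it rather than guess how many times to decode."""
    decoded = unquote(pid_as_received)
    if "%" in decoded or not PID_RE.match(decoded):
        raise ValueError(f"not a well-formed PID after one decode: {decoded!r}")
    return decoded


def accepts_pid(pid_as_received):
    """True if canonical_pid() would accept the value."""
    try:
        canonical_pid(pid_as_received)
        return True
    except ValueError:
        return False


def safe_objectxml_link(pid_as_received):
    """Canonicalise, then encode once. ':' is left literal, which the REST
    API accepts (it accepts %3A as well)."""
    pid = canonical_pid(pid_as_received)
    return "/fedora/objects/" + quote(pid, safe=":") + "/objectXML"


def registry_lookup_key(path_segment):
    """Key a server-side registry lookup on the once-decoded segment. Fed the
    double-encoded 'demo%253A19' this yields 'demo%3A19', which is exactly
    the PID named in the 'no path in db registry for [demo%3A19]' error."""
    return unquote(path_segment)


if __name__ == "__main__":
    for received in ("demo:19", "demo%3A19"):
        print(received, "->", naive_objectxml_link(received),
              "|", safe_objectxml_link(received))
    print(registry_lookup_key("demo%253A19"))
```

The point of refusing a PID that still contains '%' after one decode, instead of decoding in a loop until it stabilises, is that a canonicaliser which tolerates any number of encodings is exactly what lets encoded input slip past path and policy checks; one decode, then validation, then one encode keeps every component agreeing on what the identifier is.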
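Frank's point that DECISION_NOT_APPLICABLE only means no policy target matched (not an error), and the anonymous:readall policy Nishen posted, can be checked with a small target evaluator. The block below is an added example and not the FeSL PDP: it parses a trimmed copy of the policy from the thread (schema-location attributes dropped, Target and Rule unchanged), matches request attributes against the policy Target, and maps the outcome to the Sun XACML Result codes, where 3 is DECISION_NOT_APPLICABLE as in the log line Frank refers to. The resource-id form ("/" followed by the PID), treating regexp-match as a search, and reporting a missing attribute as "no match" are assumptions made for the example.

```python
"""Added example, not Fedora's code: a minimal XACML 2.0 target evaluator
run against the anonymous:readall policy posted in the thread."""
import re
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}

# Decision codes as numbered in the Sun XACML Result class; the "3" in the
# log discussed above is DECISION_NOT_APPLICABLE.
DECISION_CODES = {"Permit": 0, "Deny": 1, "Indeterminate": 2, "NotApplicable": 3}

# Trimmed copy of Nishen's policy (xsi/schemaLocation dropped; Target and
# Rule unchanged).
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
  PolicyId="anonymous:readall"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target>
    <Subjects><Subject>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </SubjectMatch>
    </Subject></Subjects>
    <Resources><Resource>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/.*</AttributeValue>
        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
      </ResourceMatch>
    </Resource></Resources>
    <Actions>
      <Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
        <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </ActionMatch></Action>
      <Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </ActionMatch></Action>
    </Actions>
  </Target>
  <Rule Effect="Permit" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit"/>
</Policy>"""


def fedora_request(subject_id, pid, api, action_id):
    """Request attributes as a flat dict. The '/' + pid resource-id form is an
    assumption for this example (it is what the policy's '/.*' pattern expects)."""
    return {
        "urn:oasis:names:tc:xacml:1.0:subject:subject-id": subject_id,
        "urn:oasis:names:tc:xacml:1.0:resource:resource-id": "/" + pid,
        "urn:fedora:names:fedora:2.1:action:api": api,
        "urn:fedora:names:fedora:2.1:action:id": action_id,
    }


def _apply(match_id, literal, actual):
    if match_id.endswith("string-equal"):
        return literal == actual
    if match_id.endswith("regexp-match"):
        # Assumption: regexp-match evaluated as a search, as common PDPs do.
        return re.search(literal, actual) is not None
    raise NotImplementedError(match_id)


def _element_matches(alt, kind, request):
    """All *Match children of one Subject/Resource/Action must hold (AND)."""
    for m in alt.findall(f"x:{kind}Match", NS):
        literal = m.find("x:AttributeValue", NS).text
        attr_id = m.find(f"x:{kind}AttributeDesignator", NS).get("AttributeId")
        actual = request.get(attr_id)
        # Simplification: a missing attribute counts as "no match".
        if actual is None or not _apply(m.get("MatchId"), literal, actual):
            return False
    return True


def _section_matches(target, kind, request):
    """Any Subject/Resource/Action in a section may match (OR); an absent
    section matches everything."""
    section = target.find(f"x:{kind}s", NS)
    if section is None:
        return True
    return any(_element_matches(alt, kind, request)
               for alt in section.findall(f"x:{kind}", NS))


def decide(policy_xml, request):
    """Evaluate the policy Target; the single Rule has no Target or Condition,
    so its Effect applies whenever the policy Target matches."""
    policy = ET.fromstring(policy_xml)
    target = policy.find("x:Target", NS)
    if not all(_section_matches(target, k, request)
               for k in ("Subject", "Resource", "Action")):
        return "NotApplicable"
    return policy.find("x:Rule", NS).get("Effect")


def pep_allows(decision):
    """A PEP lets a request through only on Permit, so NotApplicable still
    ends in denial even though, as Frank says, it is not an error state."""
    return decision == "Permit"


if __name__ == "__main__":
    API_A = "urn:fedora:names:fedora:2.1:action:api-a"
    for who in ("anonymous", "fedoraAdmin"):
        d = decide(POLICY_XML, fedora_request(who, "demo:19", API_A, "getObjectProfile"))
        print(who, "->", d, DECISION_CODES[d], "allowed" if pep_allows(d) else "denied")
```

Run stand-alone it shows the situation in the thread from the policy's side: a subject-id of anonymous gets Permit, while fedoraAdmin matches no Subject in this policy's Target and comes back NotApplicable (code 3), which the PEP turns into a denial. Whether the subject-id is anonymous or fedoraAdmin is decided before the PDP sees the request, which is why the repeated Basic-auth prompt and the policy log have to be read together. The evaluator also makes visible that the two Action elements are alternatives, so either api-a or an action id of read satisfies the Target.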
