Hi Steve,

Ah, interesting, thanks for that; didn't know about this - found the file:

fed...@fedora:~/fedora-dev/fedora-32/server$ find . | grep deny
./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-reloadPolicies-if-not-localhost.xml
./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-datastream-if-active-or-inactive.xml
./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-serverShutdown-if-not-localhost.xml
./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-policy-management-if-not-administrator.xml
./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-apim-if-not-localhost.xml
./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-inactive-or-deleted-objects-or-datastreams-if-not-administrator.xml
./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-object-if-active-or-inactive.xml

Is this the correct one?  It seems fairly hidden away; perhaps there's 
somewhere else I should be editing these policies?

Anyway, I have removed the policy file completely (for the purposes of 
testing) and run the fedora-reload-policies tool:

fed...@fedora:~/fedora-dev/fedora-32/server$ find . | grep deny
./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-reloadPolicies-if-not-localhost.xml
./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-datastream-if-active-or-inactive.xml
./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-serverShutdown-if-not-localhost.xml
./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-policy-management-if-not-administrator.xml
./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-inactive-or-deleted-objects-or-datastreams-if-not-administrator.xml
./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-object-if-active-or-inactive.xml

fed...@fedora:~/fedora-dev/fedora-32/server/bin$ ./fedora-reload-policies.sh http fedoraAdmin *****
SUCCESS: Policies have been reloaded

but am still seeing exactly the same results.

I then tried modifying the deny-apim-if-not-localhost.xml, changing the 
Apply rules as follows:

<Rule RuleId="1" Effect="Deny">
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
      <!-- Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <EnvironmentAttributeDesignator
            AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
        </Apply>
      </Apply -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</AttributeValue>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <EnvironmentAttributeDesignator
              AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
    </Apply>
  </Condition>
</Rule>

I believe, from the documentation in the file, that this should mean 
that any IP address which matches the regular expression .* (so, all of 
them) will be permitted to access the API.  This approach also failed.

I also tried restarting Tomcat after the policy reloads, without effect.

Any thoughts?

Cheers,

Richard


Steve Bayliss wrote:
> Hi Richard
>
> You don't by any chance have the deny-apim-if-not-localhost.xml policy on
> the new machine?  This policy will (unedited) prevent API-M access unless
> you're accessing Fedora from the same machine on which it is installed.
>
> Regards
> Steve
>
>   
>> -----Original Message-----
>> From: Richard Jones [mailto:[email protected]] 
>> Sent: 21 June 2010 15:24
>> To: [email protected]
>> Subject: [Fedora-commons-developers] Authorisation Error using API
>>
>>
>> Hi Folks,
>>
>> I'm having a bizarre problem with my Fedora 3.2.  I've been using the 
>> desktop admin client to create objects in the repository, and today I 
>> have moved my fedora repository onto another machine.  Now when I 
>> attempt to create new objects through both the SOAP (using the desktop 
>> client) or the REST APIs I get these AuthzDeniedExceptions.  I have 
>> used the desktop client to successfully authenticate onto the Fedora 
>> instance, and I can perform READ operations such as search and retrieve, 
>> but when I ask it to create a new object I get this error in the logs.
>>
>> Any suggestions?
>>
>> Cheers,
>>
>> Richard
>>
>>
>> ERROR 2010-06-21 14:18:06.793 [http-8080-Processor24] (FedoraAPIMBindingSOAPHTTPImpl) Error getting next PID
>> fedora.server.errors.authorization.AuthzDeniedException:
>>     at fedora.server.security.PolicyEnforcementPoint.enforce(PolicyEnforcementPoint.java:457)
>>     at fedora.server.security.DefaultAuthorization.enforceGetNextPid(DefaultAuthorization.java:637)
>>     at fedora.server.management.DefaultManagement.getNextPID(DefaultManagement.java:1181)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:616)
>>     at fedora.server.messaging.NotificationInvocationHandler.invoke(NotificationInvocationHandler.java:92)
>>     at $Proxy0.getNextPID(Unknown Source)
>>     at fedora.server.management.ManagementModule.getNextPID(ManagementModule.java:323)
>>     at fedora.server.management.FedoraAPIMBindingSOAPHTTPImpl.getNextPID(FedoraAPIMBindingSOAPHTTPImpl.java:507)
>>     at fedora.server.management.FedoraAPIMBindingSOAPHTTPSkeleton.getNextPID(FedoraAPIMBindingSOAPHTTPSkeleton.java:432)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:616)
>>     at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:397)
>>     at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:186)
>>     at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
>>     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>>     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>>     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>>     at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
>>     at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
>>     at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
>>     at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
>>     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
>>     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
>>     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
>>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
>>     at java.lang.Thread.run(Thread.java:636)
>>
>> Cheers,
>>
>> Richard
>>
>> -- 
>> Richard Jones
>> Head of Repository Systems, Symplectic Limited
>> e: [email protected]
>> t: 0845 026 4755
>> t: +44 (0)207 7334036
>> w: http://www.symplectic.co.uk/
>>
>>
>> --------------------------------------------------------------
>> ----------------
>> ThinkGeek and WIRED's GeekDad team up for the Ultimate 
>> GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
>> lucky parental unit.  See the prize list and enter to win: 
>> http://p.sf.net/sfu/thinkgeek-promo
>> _______________________________________________
>> Fedora-commons-developers mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
>>
>>     
>
>
>   


-- 
Richard Jones
Head of Repository Systems, Symplectic Limited
e: [email protected]
t: 0845 026 4755
t: +44 (0)207 7334036
w: http://www.symplectic.co.uk/
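To see what the two variants of the deny-apim-if-not-localhost rule actually decide, here is an added example (not Fedora's code and not from anyone in this thread) in Python: a minimal evaluator for just the XACML 1.0 functions the rule uses, run over constructed copies of the unedited localhost test and the regexp variant shown above. The address 192.0.2.10 is a constructed remote client, and regexp-string-match is approximated with Python's re.search.

```python
import re
import xml.etree.ElementTree as ET

F = "urn:oasis:names:tc:xacml:1.0:function:"
STR = "http://www.w3.org/2001/XMLSchema#string"
CLIENT_IP = "urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
# Constructed condition bodies: the unedited localhost test and the regexp variant.
LOCALHOST_TEST = f"""<Apply FunctionId="{F}string-at-least-one-member-of">
  <EnvironmentAttributeDesignator AttributeId="{CLIENT_IP}" DataType="{STR}"/>
  <Apply FunctionId="{F}string-bag"><AttributeValue DataType="{STR}">127.0.0.1</AttributeValue></Apply>
</Apply>"""
REGEXP_TEST = f"""<Apply FunctionId="{F}regexp-string-match">
  <AttributeValue DataType="{STR}">.*</AttributeValue>
  <Apply FunctionId="{F}string-one-and-only">
    <EnvironmentAttributeDesignator AttributeId="{CLIENT_IP}" DataType="{STR}"/>
  </Apply>
</Apply>"""

def deny_rule(test_xml):  # Rule/Condition/not/or skeleton of deny-apim-if-not-localhost.xml
    return (f'<Rule RuleId="1" Effect="Deny"><Condition FunctionId="{F}not">'
            f'<Apply FunctionId="{F}or">{test_xml}</Apply></Condition></Rule>')

def evaluate(node, env):
    """Evaluate one XACML element against env ({attribute-id: bag}); bags are lists."""
    if node.tag == "AttributeValue":
        return node.text
    if node.tag == "EnvironmentAttributeDesignator":
        return env.get(node.get("AttributeId"), [])  # a designator always yields a bag
    fn = node.get("FunctionId")[len(F):]             # Condition and Apply both carry FunctionId
    args = [evaluate(child, env) for child in node]
    if fn == "not":
        return not args[0]
    if fn == "or":
        return any(args)
    if fn == "string-bag":
        return args
    if fn == "string-one-and-only":
        (value,) = args[0]  # raises (Indeterminate) unless the bag holds exactly one value
        return value
    if fn == "string-at-least-one-member-of":
        return any(v in args[1] for v in args[0])
    if fn == "regexp-string-match":  # re.search approximates the XACML 1.0 regexp semantics
        return re.search(args[0], args[1]) is not None
    raise NotImplementedError(fn)

def decide(rule_xml, client_ip):
    """Return this rule's decision for a request from client_ip: 'Deny' or 'NotApplicable'."""
    rule = ET.fromstring(rule_xml)
    holds = evaluate(rule.find("Condition"), {CLIENT_IP: [client_ip]})
    return rule.get("Effect") if holds else "NotApplicable"
```

The unedited rule yields Deny for 192.0.2.10 and NotApplicable for 127.0.0.1, while the regexp variant yields NotApplicable for both; a remote request that is still denied after that edit is therefore being refused by some other policy, or by a copy of this file other than the one that was edited.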

