The policy in deny-apim-if-not-localhost.xml denies API-M access based on the client IP, not the server IP. By default, you have to run API-M actions from the machine Fedora is running on. If you use a DNS name to make those calls, you're probably not going over the localhost interface, so your client IP will not be 127.0.0.1.

I also see one way in which the names of the installation properties might be misleading: "xacml.enabled=True" means that an authz framework is enabled, but it's the older xacml implementation rather than fesl. If I remember correctly, it's an error to have both of those properties set to 'True', so perhaps a future version might use something like:

authz.impl=[None|FESL|XACML]

... to clarify what's going on and preclude enabling competing frameworks.

- Ben

On Fri, May 13, 2011 at 11:49 AM, Chalk, Stuart <sch...@unf.edu> wrote:
> API-A functions are working but API-M were not. However, it turns out that I have fixed the problem.
> I forgot to use the IP address (I used the name) for my server in deny-apim-if-not-localhost.xml.
> So, this problem arises when fedora.serverHost is set to anything other than localhost.
> If it is not localhost you must enter the IP address of the server in deny-apim-if-not-localhost.xml under the line with 127.0.0.1.
>
> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"><server_ip_address></AttributeValue>
>
> Thoughts
> 1) For future versions of Fedora could the addition of the IP address be automatically added to deny-apim-if-not-localhost.xml? This would make this much easier :)
> 2) The error is a little misleading as AuthZ is not turned on and yet the error indicates that is the problem
> org.fcrepo.server.errors.authorization.AuthzDeniedException: Is Fedora incorrectly reporting the error?
>
> Stuart
>
> PS For future reference the install properties that work if the above change to deny-apim-if-not-localhost.xml is made are
> (note that both xacml.enabled=true and fesl.authn.enabled=true)
>
> keystore.file=included
> ri.enabled=true
> messaging.enabled=false
> apia.auth.required=false
> database.jdbcDriverClass=com.mysql.jdbc.Driver
> tomcat.ssl.port=8443
> ssl.available=true
> database.jdbcURL=jdbc\:mysql\://localhost/fedora3?useUnicode\=true&characterEncoding\=UTF-8&autoReconnect\=true
> database.password=*********
> database.mysql.driver=included
> database.username=eureka
> fesl.authz.enabled=false
> tomcat.shutdown.port=8005
> deploy.local.services=true
> xacml.enabled=true
> database.mysql.jdbcDriverClass=com.mysql.jdbc.Driver
> tomcat.http.port=8080
> fedora.serverHost=chalk.coas.unf.edu
> database=mysql
> database.driver=included
> fedora.serverContext=fedora
> llstore.type=akubra-fs
> tomcat.home=/opt/local/fedora/tomcat
> fesl.authn.enabled=true
> database.mysql.jdbcURL=jdbc\:mysql\://localhost/fedora3?useUnicode\=true&characterEncoding\=UTF-8&autoReconnect\=true
> fedora.home=/opt/local/fedora
> install.type=custom
> servlet.engine=included
> apim.ssl.required=false
> fedora.admin.pass=*********
> apia.ssl.required=false
>
> On May 13, 2011, at 9:31 AM, Scott Prater wrote:
>
> > Stuart --
> >
> > Just to clarify, is the problem only with API-M functions, or API-A functions, too?
> >
> > If API-A is working without authentication, then you should get back a response to this query:
> >
> > http://chalk.coas.unf.edu:8080/fedora/describe
> >
> > What is the REST request you are trying to submit that provokes the error?
> >
> > If you install with XACML turned off in install.properties, does the problem disappear?
> >
> > -- Scott
> >
> > On 05/13/2011 05:48 AM, Stuart Chalk wrote:
> >
> > Alex
> >
> > Do you remember which one(s) or do you have a reference to where the error is reported?
> >
> > The strange thing is that I have the same setup on my laptop with it accessed through http://localhost and it works fine.
> >
> > Anyone - Are there file permission issues that can cause this?
> >
> > Stuart
> >
> > On May 13, 2011, at 4:47 AM, Alex Lopez wrote:
> >
> > If I remember correctly a similar error could be corrected by first commenting out some auth filters in fedora's web.xml and resetting, so it could load policies first time, then it would work OK and filters could be activated again because policies were already in place.
> >
> > On 13-05-2011 00:57, Stuart Chalk wrote:
> >
> > Scott
> >
> > Looking at the install page for FeSL it indicates that I only need to do an extra config for AuthZ.
> >
> > Anyway I set fesl.authn.enabled=false in the install.properties file and reinstall Fedora using the install.properties file and it still has the same error.
> >
> > INFO 2011-05-12 19:37:13.905 [http-8080-4] (Cache) Authenticating user [fedoraAdmin]
> > INFO 2011-05-12 19:37:13.925 [http-8080-4] (DefaultManagement) Completed getDatastream(pid: fedora-system:ContentModel-3.0, datastreamID: DC, asOfDateTime: null)
> > WARN 2011-05-12 19:37:13.934 [http-8080-4] (DatastreamResource) Authorization failed; unable to fulfill REST API request
> > org.fcrepo.server.errors.authorization.AuthzDeniedException:
> >     at org.fcrepo.server.security.PolicyEnforcementPoint.enforce(PolicyEnforcementPoint.java:422) [fcrepo-server-3.4.2.jar:na]
> >     at org.fcrepo.server.security.DefaultAuthorization.enforceGetDatastream(DefaultAuthorization.java:639) [fcrepo-server-3.4.2.jar:na]
> >     at org.fcrepo.server.management.DefaultManagement.getDatastream(DefaultManagement.java:1124) [fcrepo-server-3.4.2.jar:na]
> >
> > What I don't understand is that fesl.authz.enabled was set to false both times and yet it is still giving me an AuthZ error...
> >
> > Stuart
> >
> > On May 12, 2011, at 6:02 PM, Scott Prater wrote:
> >
> > Hello, Stuart --
> >
> > I see you have FeSL authn enabled, which could be causing a problem.
> >
> > Have you configured your FeSL environment?
> >
> > https://wiki.duraspace.org/display/FCR30/FeSL+Installation
> >
> > Alternatively, you could reinstall with fesl turned off, and see if your results improve.
> >
> > -- Scott
> >
> > On 05/12/2011 02:35 PM, Chalk, Stuart wrote:
> >
> > Problems getting a fresh install of Fedora 3.4.2 to authenticate properly. Having the same issue of authentication others have had using the admin or HTML interface. I have read the reports of this problem but can't seem to find the solution. I have changed the deny-apim-if-not-localhost.xml file to include the address of the server. I have included the install.properties file at the end of this email.
> >
> > Suggestions?
> >
> > Stuart Chalk, Ph.D.
> > Associate Professor of Chemistry
> > Department of Chemistry, Building 50, Room 3514,
> > University of North Florida
> > 1 UNF Drive, Jacksonville, FL 32224 USA
> > P: 904-620-1938
> > F: 904-620-3535
> > E: sch...@unf.edu
> > W: http://www.unf.edu/coas/chemistry/
> >
> > INFO 2011-05-12 14:03:24.911 [http-8080-1] (DefaultManagement) Completed ingest(objectXML, format: info:fedora/fedora-system:FOXML-1.1, encoding: UTF-8, pid : eureka:test, logMessage: null)
> > WARN 2011-05-12 14:03:24.914 [http-8080-1] (FedoraObjectResource) Authorization failed; unable to fulfill REST API request
> > org.fcrepo.server.errors.authorization.AuthzDeniedException:
> >     at org.fcrepo.server.security.PolicyEnforcementPoint.enforce(PolicyEnforcementPoint.java:422) [fcrepo-server-3.4.2.jar:na]
> >     at org.fcrepo.server.security.DefaultAuthorization.enforceIngest(DefaultAuthorization.java:788) [fcrepo-server-3.4.2.jar:na]
> >     at org.fcrepo.server.management.DefaultManagement.ingest(DefaultManagement.java:168) [fcrepo-server-3.4.2.jar:na]
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [na:1.6.0_24]
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [na:1.6.0_24]
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [na:1.6.0_24]
> >     at java.lang.reflect.Method.invoke(Method.java:597) [na:1.6.0_24]
> >     at org.fcrepo.server.messaging.NotificationInvocationHandler.invoke(NotificationInvocationHandler.java:68) [fcrepo-server-3.4.2.jar:na]
> >     at $Proxy0.ingest(Unknown Source) [na:na]
> >     at org.fcrepo.server.management.ManagementModule.ingest(ManagementModule.java:354) [fcrepo-server-3.4.2.jar:na]
> >     at org.fcrepo.server.rest.FedoraObjectResource.createObject(FedoraObjectResource.java:293) [fcrepo-server-3.4.2.jar:na]
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [na:1.6.0_24]
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [na:1.6.0_24]
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [na:1.6.0_24]
> >     at java.lang.reflect.Method.invoke(Method.java:597) [na:1.6.0_24]
> >     at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:175) [jersey-bundle-1.0.3.1.jar:1.0.3.1]
> >     at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:67) [jersey-bundle-1.0.3.1.jar:1.0.3.1]
> >     at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:163) [jersey-bundle-1.0.3.1.jar:1.0.3.1]
> >     at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:71) [jersey-bundle-1.0.3.1.jar:1.0.3.1]
> >     at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:111) [jersey-bundle-1.0.3.1.jar:1.0.3.1]
> >     at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:63) [jersey-bundle-1.0.3.1.jar:1.0.3.1]
> >     at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:689) [jersey-bundle-1.0.3.1.jar:1.0.3.1]
> >     at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:647) [jersey-bundle-1.0.3.1.jar:1.0.3.1]
> >     at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:638) [jersey-bundle-1.0.3.1.jar:1.0.3.1]
> >     at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:309) [jersey-bundle-1.0.3.1.jar:1.0.3.1]
> >     at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:425) [jersey-bundle-1.0.3.1.jar:1.0.3.1]
> >     at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:590) [jersey-bundle-1.0.3.1.jar:1.0.3.1]
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
> >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:na]
> >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
> >     at org.fcrepo.server.security.servletfilters.FilterRestApiFlash.doFilter(FilterRestApiFlash.java:66) [fcrepo-server-3.4.2.jar:na]
> >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:na]
> >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
> >     at org.fcrepo.server.security.jaas.AuthFilterJAAS.doFilter(AuthFilterJAAS.java:295) [fcrepo-security-jaas-3.4.2.jar:na]
> >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:na]
> >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
> >     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:na]
> >     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:na]
> >     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525) [catalina.jar:na]
> >     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) [catalina.jar:na]
> >     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:na]
> >     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:na]
> >     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) [catalina.jar:na]
> >     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849) [tomcat-coyote.jar:na]
> >     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) [tomcat-coyote.jar:na]
> >     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454) [tomcat-coyote.jar:na]
> >     at java.lang.Thread.run(Thread.java:680) [na:1.6.0_24]
> >
> > Install.Properties
> >
> > #Install Options
> > #Thu May 12 13:18:30 EDT 2011
> > keystore.file=included
> > ri.enabled=true
> > messaging.enabled=false
> > apia.auth.required=false
> > database.jdbcDriverClass=com.mysql.jdbc.Driver
> > tomcat.ssl.port=8443
> > ssl.available=true
> > database.jdbcURL=jdbc\:mysql\://localhost/fedora3?useUnicode\=true&characterEncoding\=UTF-8&autoReconnect\=true
> > database.password=********
> > database.mysql.driver=included
> > database.username=eureka
> > fesl.authz.enabled=false
> > tomcat.shutdown.port=8005
> > deploy.local.services=true
> > xacml.enabled=true
> > database.mysql.jdbcDriverClass=com.mysql.jdbc.Driver
> > tomcat.http.port=8080
> > fedora.serverHost=chalk.coas.unf.edu
> > database=mysql
> > database.driver=included
> > fedora.serverContext=fedora
> > llstore.type=akubra-fs
> > tomcat.home=/opt/local/fedora/tomcat
> > fesl.authn.enabled=true
> > database.mysql.jdbcURL=jdbc\:mysql\://localhost/fedora3?useUnicode\=true&characterEncoding\=UTF-8&autoReconnect\=true
> > fedora.home=/opt/local/fedora
> > install.type=custom
> > servlet.engine=included
> > apim.ssl.required=false
> > fedora.admin.pass=********
> > apia.ssl.required=false
> >
> > ------------------------------------------------------------------------------
> > Achieve unprecedented app performance and reliability
> > What every C/C++ and Fortran developer should know.
> > Learn how Intel has extended the reach of its next-generation tools
> > to help boost performance applications - including clusters.
> > http://p.sf.net/sfu/intel-dev2devmay
> > _______________________________________________
> > Fedora-commons-users mailing list
> > Fedora-commons-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
> >
> > --
> > Scott Prater
> > Library, Instructional, and Research Applications (LIRA)
> > Division of Information Technology (DoIT)
> > University of Wisconsin - Madison
> > pra...@wisc.edu
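
An added example, not part of the thread and not Fedora's own code: a pre-flight check for the two pitfalls discussed above, namely a host name placed in the policy's address list where a client IP is expected, and xacml.enabled=true leaving policy enforcement on. The policy fragment is a constructed, simplified stand-in (only the AttributeValue form comes from the thread), 192.0.2.10 is a placeholder for <server_ip_address>, and exact string matching of the client IP is an assumption based on the string DataType shown.

```python
import ipaddress
import xml.etree.ElementTree as ET

XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed, simplified stand-in for the policy's address list; only the
# AttributeValue element form is taken from the thread. 192.0.2.10 is a
# documentation address standing in for <server_ip_address>.
SAMPLE_POLICY = f"""<Apply>
  <AttributeValue DataType="{XSD_STRING}">127.0.0.1</AttributeValue>
  <AttributeValue DataType="{XSD_STRING}">chalk.coas.unf.edu</AttributeValue>
  <AttributeValue DataType="{XSD_STRING}">192.0.2.10</AttributeValue>
</Apply>"""

# Constructed excerpt of install.properties, keys and values as quoted above.
SAMPLE_PROPS = """xacml.enabled=true
fesl.authz.enabled=false
fesl.authn.enabled=true
fedora.serverHost=chalk.coas.unf.edu
"""

def allowed_entries(policy_xml):
    """Split string AttributeValues into IP literals and everything else."""
    ips, other = [], []
    for el in ET.fromstring(policy_xml).iter():
        if el.tag.split("}")[-1] != "AttributeValue" or el.get("DataType") != XSD_STRING:
            continue
        value = (el.text or "").strip()
        try:
            ipaddress.ip_address(value)
            ips.append(value)
        except ValueError:
            other.append(value)  # a host name never equals a client IP string
    return ips, other

def apim_allowed(client_ip, policy_xml):
    """Assumed semantics: exact string match of the client IP against the list."""
    return client_ip in allowed_entries(policy_xml)[0]

def parse_props(text):
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def authz_findings(props):
    on = lambda key: props.get(key, "false").lower() == "true"
    findings = []
    if on("xacml.enabled") and on("fesl.authz.enabled"):
        findings.append("xacml.enabled and fesl.authz.enabled are both true")
    elif on("xacml.enabled"):
        findings.append("XACML policy enforcement is on while fesl.authz.enabled is not true")
    if props.get("fedora.serverHost", "localhost") not in ("localhost", "127.0.0.1"):
        findings.append("fedora.serverHost is not localhost; API-M callers need their client IP in the policy")
    return findings
```

Entries returned in the second list of allowed_entries() are the ones to replace with IP addresses before retrying an API-M call.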