Hi,
Sorry, but what do you mean by "encode the allowable file URIs"?
I attach my XACML policies, but I think it is fine because I can get the
datastream (with the fedoraAdmin user). I always log in with the Fedora
user with admin privileges, so I don't need those datastreams to be
downloadable without authentication.
Regards.
Cyril
The XACML file deny-unallowed-file-resolution.xml:
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    PolicyId="deny-file-resolve-if-not-allowed-dir"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>deny any file datastream resolution if not in allowed file
    patterns</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-retrieveFile</AttributeValue>
          <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <!-- uncomment (and change the deny rule id) if access via the file
       protocol is desired.
       The regular expression determines the locations and files allowed for
       retrieval; it must match the canonical file URI for a resource.
       Restricting access to administrators will allow datastreams in control
       group 'M' to be ingested from the file system.
       Restricting access by URI only will allow datastreams in control group
       'E' to be located on the file system.
  -->
  <!-- Permit rule: regexp-string-match(regexp, fileUri); the regexp is the first argument. -->
  <Rule RuleId="1" Effect="Permit">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^file:/var/local/fedora3.5/data/files/.*$</AttributeValue>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <ResourceAttributeDesignator
            AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:fileUri"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
  <!-- Fall-through Deny. Its RuleId must differ from the Permit rule's; as posted, both were "1",
       which the comment above asks to change when the Permit rule is uncommented. -->
  <Rule RuleId="2" Effect="Deny">
  </Rule>
</Policy>
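As an added example (not code from this thread or from Fedora itself), a small Python evaluator that mirrors what the policy above asks of the enforcement point: first-applicable rule combining, a Permit rule whose regexp must match the datastream:fileUri attribute, and a fall-through Deny. It assumes Python's re is close enough to the XACML regexp-string-match function for this pattern, skips the Target and the string-one-and-only Apply (the fileUri is passed in directly), rejects duplicate RuleIds, and canonicalises the URI before matching, since the file's own comment says the regexp must match the canonical file URI.

```python
import posixpath
import re
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:1.0:policy"}

# Constructed copy of the thread's policy rules (Target omitted); the Deny rule gets its own RuleId.
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
 PolicyId="deny-file-resolve-if-not-allowed-dir"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Rule RuleId="1" Effect="Permit">
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^file:/var/local/fedora3.5/data/files/.*$</AttributeValue>
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
    <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:fileUri" DataType="http://www.w3.org/2001/XMLSchema#string"/>
   </Apply>
  </Condition>
 </Rule>
 <Rule RuleId="2" Effect="Deny"/>
</Policy>"""


def load_rules(policy_xml):
    """Return [(RuleId, Effect, regexp-or-None)] in document order; duplicate RuleIds are rejected."""
    rules, seen = [], set()
    for rule in ET.fromstring(policy_xml).findall("x:Rule", NS):
        rid = rule.get("RuleId")
        if rid in seen:
            raise ValueError("duplicate RuleId %r" % rid)
        seen.add(rid)
        cond = rule.find("x:Condition", NS)
        regexp = None
        if cond is not None and cond.get("FunctionId", "").endswith(":regexp-string-match"):
            regexp = cond.find("x:AttributeValue", NS).text.strip()
        rules.append((rid, rule.get("Effect"), regexp))
    return rules

def canonical_file_uri(uri):
    """Collapse '.'/'..' segments and the file:///-vs-file:/ spelling: Fedora matches the canonical URI."""
    if not uri.startswith("file:"):
        return uri
    path = "/" + uri[len("file:"):].lstrip("/")
    return "file:" + posixpath.normpath(path)

def decide(rules, file_uri):
    """first-applicable: the first rule whose condition holds (or that has no condition) wins."""
    uri = canonical_file_uri(file_uri)
    for _rid, effect, regexp in rules:
        if regexp is None or re.search(regexp, uri):
            return effect
    return "NotApplicable"
```

A URI that spells the same directory with ".." segments or a file:/// prefix is normalised first, so only files whose canonical location is under the allowed directory reach the Permit rule.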
On Mon, Mar 12, 2012 at 3:17 PM, Benjamin Armintor <[email protected]> wrote:
> Hi Cyril,
> You have to encode the allowable file URIs for your repository into
> your XACML policies, so that's the first place I'd check. If you want
> those datastreams to be download-able without authentication, that
> must also be supported in your policies.
>
> - Ben
>
> On Mon, Mar 12, 2012 at 9:54 AM, Cyril Pestel <[email protected]>
> wrote:
> > Hi,
> >
> > For a while, I have been using External Datastreams with the file:// scheme
> > with success. Now, I'd like to associate a checksum with them. I've got some
> > trouble (got ExceptionReadingStream instead of the checksum and the error
> > message below) with Fedora 3.3, so then I tried with Fedora 3.5. With the
> > latter, I got an AuthzDeniedException exception while I can view the
> > contents of the datastream (from the Java Fedora client), which means that
> > I'm authenticated.
> >
> > However, I've read that some people have already done that without any
> > problem. So, what did I do wrong? Any idea?
> >
> > Regards.
> >
> >
> > Cyril Pestel
> >
> >
> >
> > INFO 2012-03-12 14:28:28.938 [http-8443-1] (DefaultExternalContentManager) Checking resolution security on file:/var/local/fedora3.5/data/files/159b24eb-4851-48f8-9334-48819bef58a1-Lionel1_can_Verifie_Anonymise.trs
> > ERROR 2012-03-12 14:28:28.941 [http-8443-1] (DefaultExternalContentManager) org.fcrepo.server.errors.authorization.AuthzDeniedException:
> >   at org.fcrepo.server.security.PolicyEnforcementPoint.enforce(PolicyEnforcementPoint.java:406) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.security.DefaultAuthorization.enforceRetrieveFile(DefaultAuthorization.java:1660) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.storage.DefaultExternalContentManager.getFromFilesystem(DefaultExternalContentManager.java:246) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.storage.DefaultExternalContentManager.getExternalContent(DefaultExternalContentManager.java:146) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.storage.types.DatastreamReferencedContent.getContentStream(DatastreamReferencedContent.java:92) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.storage.types.Datastream.getContentStream(Datastream.java:120) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.storage.types.Datastream.getContentStreamForChecksum(Datastream.java:128) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.storage.types.Datastream.computeChecksum(Datastream.java:196) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.storage.types.Datastream.getChecksum(Datastream.java:148) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.storage.translation.FOXMLDOSerializer.appendDatastreams(FOXMLDOSerializer.java:345) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.storage.translation.FOXMLDOSerializer.serialize(FOXMLDOSerializer.java:118) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.storage.translation.DOTranslatorImpl.serialize(DOTranslatorImpl.java:99) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.storage.translation.DOTranslatorModule.serialize(DOTranslatorModule.java:139) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.storage.DefaultDOManager.doCommit(DefaultDOManager.java:1266) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.storage.SimpleDOWriter.commit(SimpleDOWriter.java:509) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.management.DefaultManagement.addDatastream(DefaultManagement.java:573) [fcrepo-server-3.5.jar:na]
> >   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [na:1.6.0_20]
> >   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [na:1.6.0_20]
> >   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [na:1.6.0_20]
> >   at java.lang.reflect.Method.invoke(Method.java:597) [na:1.6.0_20]
> >   at org.fcrepo.server.messaging.NotificationInvocationHandler.invoke(NotificationInvocationHandler.java:68) [fcrepo-server-3.5.jar:na]
> >   at $Proxy5.addDatastream(Unknown Source) [na:na]
> >   at org.fcrepo.server.management.ManagementModule.addDatastream(ManagementModule.java:227) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.management.FedoraAPIMBindingSOAPHTTPImpl.addDatastream(FedoraAPIMBindingSOAPHTTPImpl.java:211) [fcrepo-server-3.5.jar:na]
> >   at org.fcrepo.server.management.FedoraAPIMBindingSOAPHTTPSkeleton.addDatastream(FedoraAPIMBindingSOAPHTTPSkeleton.java:385) [fcrepo-common-3.5.jar:na]
> >   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [na:1.6.0_20]
> >   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [na:1.6.0_20]
> >   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [na:1.6.0_20]
> >   at java.lang.reflect.Method.invoke(Method.java:597) [na:1.6.0_20]
> >   at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:397) [axis-1.3-PATCHED.jar:na]
> >   at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:186) [axis-1.3-PATCHED.jar:na]
> >   at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323) [axis-1.3-PATCHED.jar:na]
> >   at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) [axis-1.3-PATCHED.jar:na]
> >   at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) [axis-1.3-PATCHED.jar:na]
> >   at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) [axis-1.3-PATCHED.jar:na]
> >   at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453) [axis-1.3-PATCHED.jar:na]
> >   at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281) [axis-1.3-PATCHED.jar:na]
> >   at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699) [axis-1.3-PATCHED.jar:na]
> >   at javax.servlet.http.HttpServlet.service(HttpServlet.java:637) [servlet-api.jar:na]
> >   at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327) [axis-1.3-PATCHED.jar:na]
> >   at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
> >   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.29]
> >   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
> >   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:368) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
> >   at org.fcrepo.server.security.jaas.AuthFilterJAAS.doFilter(AuthFilterJAAS.java:330) [fcrepo-security-jaas-3.5.jar:na]
> >   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
> >   at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:109) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
> >   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
> >   at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
> >   at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) [spring-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
> >   at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) [spring-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
> >   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.29]
> >   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.29]
> >   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:6.0.29]
> >   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.29]
> >   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.29]
> >   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.29]
> >   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.29]
> >   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.29]
> >   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) [tomcat-coyote.jar:6.0.29]
> >   at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) [tomcat-coyote.jar:6.0.29]
> >   at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.29]
> >   at java.lang.Thread.run(Thread.java:619) [na:1.6.0_20]
> > WARN 2012-03-12 14:28:28.944 [http-8443-1] (Datastream) IOException reading datastream to generate checksum
> >
> >
> ------------------------------------------------------------------------------
> > Try before you buy = See our experts in action!
> > The most comprehensive online learning library for Microsoft developers
> > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > Metro Style Apps, more. Free future releases when you subscribe now!
> > http://p.sf.net/sfu/learndevnow-dev2
> > _______________________________________________
> > Fedora-commons-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
> >