David,

Thanks for your patience! You have discovered a misconfiguration in the default Spring configurations for FESL in 3.6, and led me to find a couple of other annoying minor bugs, too. First, your specific problem:

Your request is not matching any policies. I think you will find all the following to be true: If you look further up in your logs, you'll see a serialization of the XACML request. Actually, you'll see two: one for the findObjects action, and another for the listObjectInFieldSearchResults action. If I'm right, the latter is the one that's failing. Here's how you can fix it:

* Open the file under $FEDORA_HOME/server/config/spring/web/config-melcoe-pep-mapping.xml
* Change the name of the property in line 14 from "actionMap" to "actionValueMap". Those are both valid properties, but the latter is the one that is used to map values from the granular action-ids to the umbrella values.

That should fix your immediate problem, and you should moreover now only see XACML request serializations for "read" actions.

The unmapped findObjects request was working because of the api-a target that was also in your policy. Unfortunately the listObject... action does not set a value for the api in its environment. This is a bug; I'll try to report it in JIRA ASAP.

Finally, there's a problem running the FESL policy index rebuilder in 3.6. If you need to do so, copy $FEDORA_HOME/server/config/spring/web/config-policy-index.xml into the directory immediately above it, and add the following lines to it:

    <bean id="org.fcrepo.server.security.xacml.pdp.data.PolicyIndexRebuilder2"
          class="org.fcrepo.server.security.xacml.pdp.data.PolicyIndexRebuilder">
      <property name="policyIndex"
                ref="org.fcrepo.server.security.xacml.pdp.data.PolicyIndex" />
    </bean>

Obviously, this is also a bug that should be reported.

We'll get these issues resolved in the next bugfix release, which should go into code freeze by the end of the month. I'll send a notice to this list when they're fixed in the master branch of the git repository, in case you're willing to build from source.

Regards,
Ben

On Tue, Oct 9, 2012 at 12:40 PM, David Lacy <david.l...@villanova.edu> wrote:
> Yes, and I've tested it on multiple machines, all calls to findObjects match
> 'NotApplicable' policies. Here is the log for several other api-a calls from
> the same location, with the failing one at the end. They all share the
> warning about not finding the subject:role attribute, but it only seems to
> affect the findObjects call. (if that even has anything to do with it...)
>
> Please let me know if I can supply any other info.
>
>
> http://localhost:8088/fedora/objects/fedora-system:FedoraObject-3.0/datastreams/DC/content
>
> -> <Decision>Permit</Decision>
>
> n:fedora:names:fedora:2.1:environment:httpRequest:sessionEncoding
> DEBUG 2012-10-09 12:23:12.876 [http-8088-6] (AttributeFinderModule) exiting
> parmsOk normally org.fcrepo.server.security.ContextAttributeFinderModule
> DEBUG 2012-10-09 12:23:12.876 [http-8088-6] (AttributeFinderModule)
> willService() org.fcrepo.server.security.ContextAttributeFinderModule deny
> this known adhoc attribute urn:fedora:names:fedora:2.1:action:contextId
> DEBUG 2012-10-09 12:23:12.876 [http-8088-6] (AttributeFinderModule)
> AttributeFinder:willService()
> org.fcrepo.server.security.ContextAttributeFinderModule returns false
> DEBUG 2012-10-09 12:23:12.876 [http-8088-6] (AttributeFinderModule)
> AttributeFinder:getAttributeFromEvaluationCtxorg.fcrepo.server.security.ContextAttributeFinderModule
> exit on couldn't get resource attribute from xacml request wrong bag n=0
> DEBUG 2012-10-09 12:23:12.876 [http-8088-6] (ContextAttributeFinderModule)
> ContextAttributeFinder:getContextId exit on can't get contextId on request
> callback
> DEBUG 2012-10-09 12:23:12.876 [http-8088-6] (ContextAttributeFinderModule)
> contextId=null attributeId=urn:fedora:names:fedora:2.1:subject:role
> DEBUG 2012-10-09 12:23:12.876 [http-8088-6] (AttributeFinderModule)
> org.fcrepo.server.security.ContextAttributeFinderModule got temp=null
> DEBUG 2012-10-09 12:23:12.876 [http-8088-6] (AttributeFinderModule)
> AttributeFinder:findAttribute exit on attribute value not
> foundorg.fcrepo.server.security.ContextAttributeFinderModule
> DEBUG 2012-10-09 12:23:12.876 [http-8088-6] (PolicyManager) Matched policies
> and created abstract policy.
> DEBUG 2012-10-09 12:23:12.877 [http-8088-6] (MelcoePDPImpl) response is:
> <Response>
> <Result ResourceId="/fedora-system:FedoraObject-3.0/DC">
> <Decision>Permit</Decision>
> <Status>
> <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
> </Status>
> </Result>
> </Response>
>
>
>
> http://localhost:8088/fedora/objects/fedora-system:FedoraObject-3.0/methods/fedora-system:3/viewObjectProfile
>
> -> <Decision>Permit</Decision>
>
> DEBUG 2012-10-09 12:25:20.130 [http-8088-6] (AttributeFinderModule) exiting
> parmsOk normally org.fcrepo.server.security.ContextAttributeFinderModule
> DEBUG 2012-10-09 12:25:20.130 [http-8088-6] (AttributeFinderModule)
> willService() org.fcrepo.server.security.ContextAttributeFinderModule deny
> this known adhoc attribute urn:fedora:names:fedora:2.1:action:contextId
> DEBUG 2012-10-09 12:25:20.130 [http-8088-6] (AttributeFinderModule)
> AttributeFinder:willService()
> org.fcrepo.server.security.ContextAttributeFinderModule returns false
> DEBUG 2012-10-09 12:25:20.130 [http-8088-6] (AttributeFinderModule)
> AttributeFinder:getAttributeFromEvaluationCtxorg.fcrepo.server.security.ContextAttributeFinderModule
> exit on couldn't get resource attribute from xacml request wrong bag n=0
> DEBUG 2012-10-09 12:25:20.130 [http-8088-6] (ContextAttributeFinderModule)
> ContextAttributeFinder:getContextId exit on can't get contextId on request
> callback
> DEBUG 2012-10-09 12:25:20.130 [http-8088-6] (ContextAttributeFinderModule)
> contextId=null attributeId=urn:fedora:names:fedora:2.1:subject:role
> DEBUG 2012-10-09 12:25:20.130 [http-8088-6] (AttributeFinderModule)
> org.fcrepo.server.security.ContextAttributeFinderModule got temp=null
> DEBUG 2012-10-09 12:25:20.130 [http-8088-6] (AttributeFinderModule)
> AttributeFinder:findAttribute exit on attribute value not
> foundorg.fcrepo.server.security.ContextAttributeFinderModule
> DEBUG 2012-10-09 12:25:20.130 [http-8088-6] (PolicyManager) Matched policies
> and created abstract policy.
> DEBUG 2012-10-09 12:25:20.130 [http-8088-6] (MelcoePDPImpl) response is:
> <Response>
> <Result ResourceId="/fedora-system:FedoraObject-3.0">
> <Decision>Permit</Decision>
> <Status>
> <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
> </Status>
> </Result>
> </Response>
>
>
> http://localhost:8088/fedora/objects/fedora-system:FedoraObject-3.0/versions?format=xml
>
> -> <Decision>Permit</Decision>
>
> DEBUG 2012-10-09 12:25:57.392 [http-8088-6] (AttributeFinderModule) another
> registered attribute =
> org.fcrepo.server.security.ContextAttributeFinderModule
> urn:fedora:names:fedora:2.1:environment:httpRequest:scheme
> DEBUG 2012-10-09 12:25:57.392 [http-8088-6] (AttributeFinderModule) another
> registered attribute =
> org.fcrepo.server.security.ContextAttributeFinderModule
> urn:fedora:names:fedora:2.1:environment:httpRequest:sessionEncoding
> DEBUG 2012-10-09 12:25:57.392 [http-8088-6] (AttributeFinderModule) exiting
> parmsOk normally org.fcrepo.server.security.ContextAttributeFinderModule
> DEBUG 2012-10-09 12:25:57.392 [http-8088-6] (AttributeFinderModule)
> willService() org.fcrepo.server.security.ContextAttributeFinderModule deny
> this known adhoc attribute urn:fedora:names:fedora:2.1:action:contextId
> DEBUG 2012-10-09 12:25:57.392 [http-8088-6] (AttributeFinderModule)
> AttributeFinder:willService()
> org.fcrepo.server.security.ContextAttributeFinderModule returns false
> DEBUG 2012-10-09 12:25:57.392 [http-8088-6] (AttributeFinderModule)
> AttributeFinder:getAttributeFromEvaluationCtxorg.fcrepo.server.security.ContextAttributeFinderModule
> exit on couldn't get resource attribute from xacml request wrong bag n=0
> DEBUG 2012-10-09 12:25:57.392 [http-8088-6] (ContextAttributeFinderModule)
> ContextAttributeFinder:getContextId exit on can't get contextId on request
> callback
> DEBUG 2012-10-09 12:25:57.392 [http-8088-6] (ContextAttributeFinderModule)
> contextId=null attributeId=urn:fedora:names:fedora:2.1:subject:role
> DEBUG 2012-10-09 12:25:57.392 [http-8088-6] (AttributeFinderModule)
> org.fcrepo.server.security.ContextAttributeFinderModule got temp=null
> DEBUG 2012-10-09 12:25:57.392 [http-8088-6] (AttributeFinderModule)
> AttributeFinder:findAttribute exit on attribute value not
> foundorg.fcrepo.server.security.ContextAttributeFinderModule
> DEBUG 2012-10-09 12:25:57.392 [http-8088-6] (PolicyManager) Matched policies
> and created abstract policy.
> DEBUG 2012-10-09 12:25:57.392 [http-8088-6] (MelcoePDPImpl) response is:
> <Response>
> <Result ResourceId="/fedora-system:FedoraObject-3.0">
> <Decision>Permit</Decision>
> <Status>
> <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
> </Status>
> </Result>
> </Response>
>
>
> http://localhost:8088/fedora/objects/fedora-system:FedoraObject-3.0?format=xml
>
> -> <Decision>Permit</Decision>
>
> DEBUG 2012-10-09 12:27:05.147 [http-8088-6] (AttributeFinderModule) another
> registered attribute =
> org.fcrepo.server.security.ContextAttributeFinderModule
> urn:fedora:names:fedora:2.1:environment:httpRequest:sessionEncoding
> DEBUG 2012-10-09 12:27:05.147 [http-8088-6] (AttributeFinderModule) exiting
> parmsOk normally org.fcrepo.server.security.ContextAttributeFinderModule
> DEBUG 2012-10-09 12:27:05.147 [http-8088-6] (AttributeFinderModule)
> willService() org.fcrepo.server.security.ContextAttributeFinderModule deny
> this known adhoc attribute urn:fedora:names:fedora:2.1:action:contextId
> DEBUG 2012-10-09 12:27:05.147 [http-8088-6] (AttributeFinderModule)
> AttributeFinder:willService()
> org.fcrepo.server.security.ContextAttributeFinderModule returns false
> DEBUG 2012-10-09 12:27:05.147 [http-8088-6] (AttributeFinderModule)
> AttributeFinder:getAttributeFromEvaluationCtxorg.fcrepo.server.security.ContextAttributeFinderModule
> exit on couldn't get resource attribute from xacml request wrong bag n=0
> DEBUG 2012-10-09 12:27:05.147 [http-8088-6] (ContextAttributeFinderModule)
> ContextAttributeFinder:getContextId exit on can't get contextId on request
> callback
> DEBUG 2012-10-09 12:27:05.147 [http-8088-6] (ContextAttributeFinderModule)
> contextId=null attributeId=urn:fedora:names:fedora:2.1:subject:role
> DEBUG 2012-10-09 12:27:05.147 [http-8088-6] (AttributeFinderModule)
> org.fcrepo.server.security.ContextAttributeFinderModule got temp=null
> DEBUG 2012-10-09 12:27:05.147 [http-8088-6] (AttributeFinderModule)
> AttributeFinder:findAttribute exit on attribute value not
> foundorg.fcrepo.server.security.ContextAttributeFinderModule
> DEBUG 2012-10-09 12:27:05.147 [http-8088-6] (PolicyManager) Matched policies
> and created abstract policy.
> DEBUG 2012-10-09 12:27:05.148 [http-8088-6] (MelcoePDPImpl) response is:
> <Response>
> <Result ResourceId="/fedora-system:FedoraObject-3.0">
> <Decision>Permit</Decision>
> <Status>
> <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
> </Status>
> </Result>
> </Response>
>
>
> http://localhost:8088/fedora/objects?pid=true&title=true&terms=fedora-system%3AFedoraObject-3.0&query=&maxResults=20&resultFormat=xml
>
> -> <Decision>NotApplicable</Decision>
>
> DEBUG 2012-10-09 12:29:05.397 [http-8088-6] (AttributeFinderModule) exiting
> parmsOk normally org.fcrepo.server.security.ContextAttributeFinderModule
> DEBUG 2012-10-09 12:29:05.397 [http-8088-6] (AttributeFinderModule)
> willService() org.fcrepo.server.security.ContextAttributeFinderModule deny
> this known adhoc attribute urn:fedora:names:fedora:2.1:action:contextId
> DEBUG 2012-10-09 12:29:05.397 [http-8088-6] (AttributeFinderModule)
> AttributeFinder:willService()
> org.fcrepo.server.security.ContextAttributeFinderModule returns false
> DEBUG 2012-10-09 12:29:05.397 [http-8088-6] (AttributeFinderModule)
> AttributeFinder:getAttributeFromEvaluationCtxorg.fcrepo.server.security.ContextAttributeFinderModule
> exit on couldn't get resource attribute from xacml request wrong bag n=0
> DEBUG 2012-10-09 12:29:05.397 [http-8088-6] (ContextAttributeFinderModule)
> ContextAttributeFinder:getContextId exit on can't get contextId on request
> callback
> DEBUG 2012-10-09 12:29:05.397 [http-8088-6] (ContextAttributeFinderModule)
> contextId=null attributeId=urn:fedora:names:fedora:2.1:subject:role
> DEBUG 2012-10-09 12:29:05.397 [http-8088-6] (AttributeFinderModule)
> org.fcrepo.server.security.ContextAttributeFinderModule got temp=null
> DEBUG 2012-10-09 12:29:05.397 [http-8088-6] (AttributeFinderModule)
> AttributeFinder:findAttribute exit on attribute value not
> foundorg.fcrepo.server.security.ContextAttributeFinderModule
> DEBUG 2012-10-09 12:29:05.397 [http-8088-6] (PolicyManager) Matched policies
> and created abstract policy.
> DEBUG 2012-10-09 12:29:05.397 [http-8088-6] (MelcoePDPImpl) response is:
> <Response>
> <Result ResourceId="/fedora-system:FedoraObject-3.0">
> <Decision>NotApplicable</Decision>
> <Status>
> <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
> </Status>
> </Result>
> </Response>
>
> DEBUG 2012-10-09 12:29:05.397 [http-8088-6] (EvaluationEngineImpl) Adding PDP
> evaluation results to cache
> DEBUG 2012-10-09 12:29:05.398 [http-8088-6] (ResponseCacheImpl) Adding Cache
> Item (14/14/14): b63a28344cfc08ac43ca1d1665853d4a
> DEBUG 2012-10-09 12:29:05.398 [http-8088-6] (EvaluationEngineImpl) Time taken
> for XACML Evaluation: 9ms
> DEBUG 2012-10-09 12:29:05.398 [http-8088-6] (FindObjects) Response: <Response>
> <Result ResourceId="/fedora-system:FedoraObject-3.0">
> <Decision>NotApplicable</Decision>
> <Status>
> <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
> </Status>
> </Result>
> </Response>
>
> DEBUG 2012-10-09 12:29:05.399 [http-8088-6] (FindObjects) Checking:
> /fedora-system:FedoraObject-3.0
> DEBUG 2012-10-09 12:29:05.399 [http-8088-6] (FindObjects) Removing:
> /fedora-system:FedoraObject-3.0 [fedora-system:FedoraObject-3.0]
>
>
> David Lacy
> Falvey Library Technology Services
> Villanova University
> library.villanova.edu
>
>> -----Original Message-----
>> From: Benjamin Armintor [mailto:armin...@gmail.com]
>> Sent: Tuesday, October 09, 2012 12:10 PM
>> To: Support and info exchange list for Fedora users.
>> Subject: Re: [fcrepo-user] findObjects REST API and 3.6 problem
>>
>> Is this action running from the same client ip as all of the
>> correctly-functioning actions?
>>
>
> _______________________________________________
> Fedora-commons-users mailing list
> Fedora-commons-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
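
Added example (not part of the original messages and not Fedora's own code): a small Python triage script that reads FESL debug output in the format quoted in this thread, lists each MelcoePDPImpl decision, and reports which requests came back NotApplicable and which resources the FindObjects filter then removed. The sample log is constructed from the lines above, and all function names are assumptions made for illustration.

```python
import re

# Constructed sample in the format of the FESL debug output quoted above.
SAMPLE_LOG = """\
DEBUG 2012-10-09 12:27:05.148 [http-8088-6] (MelcoePDPImpl) response is:
<Response>
<Result ResourceId="/fedora-system:FedoraObject-3.0">
<Decision>Permit</Decision>
</Result>
</Response>
DEBUG 2012-10-09 12:29:05.397 [http-8088-6] (MelcoePDPImpl) response is:
<Response>
<Result ResourceId="/fedora-system:FedoraObject-3.0">
<Decision>NotApplicable</Decision>
</Result>
</Response>
DEBUG 2012-10-09 12:29:05.399 [http-8088-6] (FindObjects) Removing: /fedora-system:FedoraObject-3.0 [fedora-system:FedoraObject-3.0]
"""

# A record starts at "LEVEL date time [thread] (logger)"; later lines belong to it.
HEAD = re.compile(r"^(?:DEBUG|INFO|WARN|ERROR) +(\S+ \S+) \[[^\]]+\] \((\w+)\) ?", re.M)
PAIR = re.compile(r'<Result ResourceId="([^"]*)">\s*<Decision>(\w+)</Decision>')

def records(log_text):
    """Yield (timestamp, logger, body) with continuation lines folded into body."""
    heads = list(HEAD.finditer(log_text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(log_text)
        yield m.group(1), m.group(2), log_text[m.end():end].strip()

def pdp_decisions(log_text):
    """Return (timestamp, resource, decision) for each MelcoePDPImpl result."""
    return [(ts, res, dec)
            for ts, logger, body in records(log_text) if logger == "MelcoePDPImpl"
            for res, dec in PAIR.findall(body)]

def not_applicable(log_text):
    """Decisions where no policy matched the request."""
    return [d for d in pdp_decisions(log_text) if d[2] == "NotApplicable"]

def removed_by_filter(log_text):
    """Resources the FindObjects result filter dropped from the response."""
    return [body.split()[1] for _, logger, body in records(log_text)
            if logger == "FindObjects" and body.startswith("Removing:")
            and len(body.split()) > 1]

if __name__ == "__main__":
    for ts, res, dec in not_applicable(SAMPLE_LOG):
        print(f"{ts} no policy matched {res}")
    print("filtered out:", removed_by_filter(SAMPLE_LOG))
```

To run it on a log pasted from a quoted e-mail, strip the leading "> " markers first so that each record header starts its line.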