This is missing some of the traces and the timestamps (is this from ErrorLog.txt?), but from what I can see this is working 'as expected'.

The first 3 lines are from an unknown unauthenticated user:

[Event:id=AppRequest Authentication Details] Authenticated Request User: 0
[Event:id=HTTPRequest ErrorFormat] Dispatching error to built-in handler
[Event:id=HTTPRequest ErrorFormat] Resolved error format: xml

These are the only events that indicate an error was 'Dispatched'; the rest, such as

[Event:id=AppServer ErrorHandler] Request error handler in effect: /error-switch.xqy

indicate what the effective error handler URI *is*, not that it's being run. All the other requests are authenticated users.

This should have produced an XML formatted error message (as per the app server default-error-format). You can change this to JSON or HTML format by default, but you don't have control over the text. This will never invoke any user defined code in V8 if you have authentication other than app-level enabled. That is a change from V7 (and was a security issue as well -- unauthenticated users should not be able to invoke user defined code on the server of any kind if the app server is configured to require authentication).

There are ways to accomplish what you want, some using the same methods as V6. For example, if you use app-level authentication and have your entry point responsible for user authentication (xdmp:login) then you can selectively return any results you like. You can default the DB and Modules DB to a protected DB with no other content or access rights, then using an eval() invoke your main application after authentication. Or you can use the declarative (XML) rewriter to conditionally direct requests to different modules DBs depending on any values in the request headers and URI and session context.

In order to access any user defined code, including the error handler and rewriter, the user needs to be authenticated or in an app server that has application-level authentication (and needs to have execute privs to any xquery code).

Another alternative is using a small middle-tier hosted on ML (JavaScript or XQuery) or outside which intercepts requests and issues direct ML calls or authenticated calls on behalf of the user for the initial connection ... This could intercept the error returns from the initial login and translate it to whatever form you like.

Either way - once a successful xdmp:login() is established then the system will make use of the session IDs for further requests from that session. This can produce a much cleaner looking GUI or custom responses for a web service.

See: https://docs.marklogic.com/guide/security/recipes#id_22120

-----------------------------------------------------------------------------
David Lee
Lead Engineer
MarkLogic Corporation
[email protected]
Phone: +1 812-482-5224
Cell: +1 812-630-7622
www.marklogic.com

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Rahul Gupta
Sent: Thursday, July 30, 2015 12:15 PM
To: [email protected]
Subject: Re: [MarkLogic Dev General] General Digest, Vol 133, Issue 80

Hi David,

Thanks for the response. Please find the attached app-server configuration.

What I am exactly doing is I want to throw some custom error which was running in ML 6 from the user-defined error-handler in ML 8 as well when an unauthorized user comes in who is not being listed in Security database.

I recorded the traces for the events you let me know, and it is tracing that it is going to error-switch.xqy, default for Admin App-Server, but it does not execute it. I don't know how to solve this now but I definitely want to execute my custom error-handler for an unauthorized user since I don't want to change the applications written on this error.

[Event:id=AppRequest Authentication Details] Authenticated Request User: 0
[Event:id=HTTPRequest ErrorFormat] Dispatching error to builtin handler
[Event:id=HTTPRequest ErrorFormat] Resolved error format: xml
[Event:id=AppRequest Authentication Details] Authenticated Request User: 7071164303237443533
[Event:id=AppRequest Authentication Details] Current transaction ID/Mode/isolation: 0 0 2
[Event:id=AppRequest Authentication Details] Login User / Transaction user 0 7071164303237443533
[Event:id=AppServer ErrorHandler] AppServer configured error handler in errorHandler: /error-switch.xqy
[Event:id=URL Rewrite] Original URL /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=AppRequest Rewrite] handleRewrite
[Event:id=AppRequest RewriteDetails] handleRewrite found file XQuery rewriter in App Modules Filesystem: Admin/rewriter.xqy
[Event:id=URL Rewrite] After XQuery Rewriter URL: /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=URL Rewrite] After XQuery xquery parsed URL: filename=ErrorLog.txt
[Event:id=URL Rewrite] After XQuery Parsed URL: /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=AppRequest RewriteDetails] Succeeded with validated modifications: ['PATH','QUERY_PARAM']
[Event:id=AppRequest RewriteDetails] Path changed to: /get-error-log.xqy
[Event:id=AppRequest RewriteDetails] Query Params changed to: ['filename=ErrorLog.txt']
[Event:id=AppRequest RewriteDetails] URL rewritten to: /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=AppServer ErrorHandler] Request error handler in effect: /error-switch.xqy
[Event:id=URL Rewrite] Final URL: /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=AppRequest RewriteDetails] Current transaction ID/Mode/isolation: 0 0 2
[Event:id=AppServer ErrorHandler] Entering sendResult:
[Event:id=AppRequest Authentication Details] Authenticated Request User: 7071164303237443533
[Event:id=AppRequest Authentication Details] Current transaction ID/Mode/isolation: 0 0 2
[Event:id=AppRequest Authentication Details] Login User / Transaction user 0 7071164303237443533
[Event:id=AppServer ErrorHandler] AppServer configured error handler in errorHandler: /error-switch.xqy
[Event:id=URL Rewrite] Original URL /favicon.ico
[Event:id=AppRequest Rewrite] handleRewrite
[Event:id=AppRequest RewriteDetails] handleRewrite found file XQuery rewriter in App Modules Filesystem: Admin/rewriter.xqy
[Event:id=URL Rewrite] After XQuery Rewriter URL: /favicon.ico
[Event:id=URL Rewrite] After XQuery xquery parsed URL:
[Event:id=URL Rewrite] After XQuery Parsed URL: /favicon.ico
[Event:id=AppRequest RewriteDetails] Succeeded with validated modifications: ['PATH','QUERY_PARAM']
[Event:id=AppRequest RewriteDetails] Path changed to: /favicon.ico
[Event:id=AppRequest RewriteDetails] Query Params changed to: []
[Event:id=AppRequest RewriteDetails] URL rewritten to: /favicon.ico
[Event:id=AppServer ErrorHandler] Request error handler in effect: /error-switch.xqy
[Event:id=URL Rewrite] Final URL: /favicon.ico
[Event:id=AppRequest RewriteDetails] Current transaction ID/Mode/isolation: 0 0 2
[Event:id=AppRequest Authentication Details] Authenticated Request User: 7071164303237443533
[Event:id=AppRequest Authentication Details] Current transaction ID/Mode/isolation: 0 0 2
[Event:id=AppRequest Authentication Details] Login User / Transaction user 0 7071164303237443533
[Event:id=AppServer ErrorHandler] AppServer configured error handler in errorHandler: /error-switch.xqy
[Event:id=URL Rewrite] Original URL /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=AppRequest Rewrite] handleRewrite
[Event:id=AppRequest RewriteDetails] handleRewrite found file XQuery rewriter in App Modules Filesystem: Admin/rewriter.xqy
[Event:id=URL Rewrite] After XQuery Rewriter URL: /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=URL Rewrite] After XQuery xquery parsed URL: filename=ErrorLog.txt
[Event:id=URL Rewrite] After XQuery Parsed URL: /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=AppRequest RewriteDetails] Succeeded with validated modifications: ['PATH','QUERY_PARAM']
[Event:id=AppRequest RewriteDetails] Path changed to: /get-error-log.xqy
[Event:id=AppRequest RewriteDetails] Query Params changed to: ['filename=ErrorLog.txt']
[Event:id=AppRequest RewriteDetails] URL rewritten to: /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=AppServer ErrorHandler] Request error handler in effect: /error-switch.xqy
[Event:id=URL Rewrite] Final URL: /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=AppRequest RewriteDetails] Current transaction ID/Mode/isolation: 0 0 2
[Event:id=AppServer ErrorHandler] Entering sendResult:
[Event:id=AppRequest Authentication Details] Authenticated Request User: 7071164303237443533
[Event:id=AppRequest Authentication Details] Current transaction ID/Mode/isolation: 0 0 2
[Event:id=AppRequest Authentication Details] Login User / Transaction user 0 7071164303237443533
[Event:id=AppServer ErrorHandler] AppServer configured error handler in errorHandler: /error-switch.xqy
[Event:id=URL Rewrite] Original URL /favicon.ico
[Event:id=AppRequest Rewrite] handleRewrite
[Event:id=AppRequest RewriteDetails] handleRewrite found file XQuery rewriter in App Modules Filesystem: Admin/rewriter.xqy
[Event:id=URL Rewrite] After XQuery Rewriter URL: /favicon.ico
[Event:id=URL Rewrite] After XQuery xquery parsed URL:
[Event:id=URL Rewrite] After XQuery Parsed URL: /favicon.ico
[Event:id=AppRequest RewriteDetails] Succeeded with validated modifications: ['PATH','QUERY_PARAM']
[Event:id=AppRequest RewriteDetails] Path changed to: /favicon.ico
[Event:id=AppRequest RewriteDetails] Query Params changed to: []
[Event:id=AppRequest RewriteDetails] URL rewritten to: /favicon.ico
[Event:id=AppServer ErrorHandler] Request error handler in effect: /error-switch.xqy
[Event:id=URL Rewrite] Final URL: /favicon.ico
[Event:id=AppRequest RewriteDetails] Current transaction ID/Mode/isolation: 0 0 2
[Event:id=AppRequest Authentication Details] Authenticated Request User: 7071164303237443533
[Event:id=AppRequest Authentication Details] Current transaction ID/Mode/isolation: 0 0 2
[Event:id=AppRequest Authentication Details] Login User / Transaction user 0 7071164303237443533
[Event:id=AppServer ErrorHandler] AppServer configured error handler in errorHandler: /error-switch.xqy
[Event:id=URL Rewrite] Original URL /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=AppRequest Rewrite] handleRewrite
[Event:id=AppRequest RewriteDetails] handleRewrite found file XQuery rewriter in App Modules Filesystem: Admin/rewriter.xqy
[Event:id=URL Rewrite] After XQuery Rewriter URL: /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=URL Rewrite] After XQuery xquery parsed URL: filename=ErrorLog.txt
[Event:id=URL Rewrite] After XQuery Parsed URL: /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=AppRequest RewriteDetails] Succeeded with validated modifications: ['PATH','QUERY_PARAM']
[Event:id=AppRequest RewriteDetails] Path changed to: /get-error-log.xqy
[Event:id=AppRequest RewriteDetails] Query Params changed to: ['filename=ErrorLog.txt']
[Event:id=AppRequest RewriteDetails] URL rewritten to: /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=AppServer ErrorHandler] Request error handler in effect: /error-switch.xqy
[Event:id=URL Rewrite] Final URL: /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=AppRequest RewriteDetails] Current transaction ID/Mode/isolation: 0 0 2
[Event:id=AppServer ErrorHandler] Entering sendResult:
[Event:id=AppRequest Authentication Details] Authenticated Request User: 7071164303237443533
[Event:id=AppRequest Authentication Details] Current transaction ID/Mode/isolation: 0 0 2
[Event:id=AppRequest Authentication Details] Login User / Transaction user 0 7071164303237443533
[Event:id=AppServer ErrorHandler] AppServer configured error handler in errorHandler: /error-switch.xqy
[Event:id=URL Rewrite] Original URL /favicon.ico
[Event:id=AppRequest Rewrite] handleRewrite
[Event:id=AppRequest RewriteDetails] handleRewrite found file XQuery rewriter in App Modules Filesystem: Admin/rewriter.xqy
[Event:id=URL Rewrite] After XQuery Rewriter URL: /favicon.ico
[Event:id=URL Rewrite] After XQuery xquery parsed URL:
[Event:id=URL Rewrite] After XQuery Parsed URL: /favicon.ico
[Event:id=AppRequest RewriteDetails] Succeeded with validated modifications: ['PATH','QUERY_PARAM']
[Event:id=AppRequest RewriteDetails] Path changed to: /favicon.ico
[Event:id=AppRequest RewriteDetails] Query Params changed to: []
[Event:id=AppRequest RewriteDetails] URL rewritten to: /favicon.ico
[Event:id=AppServer ErrorHandler] Request error handler in effect: /error-switch.xqy
[Event:id=URL Rewrite] Final URL: /favicon.ico
[Event:id=AppRequest RewriteDetails] Current transaction ID/Mode/isolation: 0 0 2

Thanks,
Rahul

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Tuesday, July 28, 2015 8:52 PM
To: [email protected]
Subject: General Digest, Vol 133, Issue 80

Today's Topics:

1. Re: ML 8 Error Handler Non-Execution | Unauthorized User (David Lee)

----------------------------------------------------------------------

Message: 1
Date: Tue, 28 Jul 2015 19:52:11 +0000
From: David Lee <[email protected]>
Subject: Re: [MarkLogic Dev General] ML 8 Error Handler Non-Execution | Unauthorized User
To: MarkLogic Developer Discussion <[email protected]>
Message-ID: <6ad72d76c2d6f04d8be471b70d4b991e0bd11...@exchg10-be01.marklogic.com>
Content-Type: text/plain; charset="us-ascii"

I believe the documentation is incomplete in this area. I am looking into it.

Could you provide your app server configuration details and how you upgraded it from 6.x? (Did you copy it exactly, recreate it, use package manager?) In particular:

Port
rewriter URL
error handler url
Authentication type (basic/app-level etc)
default error format
Database
Modules DB
Modules Root

There is a core change in 8.0 where some types of HTTP level validation are now always generated by the core server where in 7.x they were passed to the user defined error handler. Specifically any 'HTTP protocol errors', HTTP validation or authentication errors that occur before the request is sufficiently processed to determine if the user is allowed to execute the rewriter are now handled internally according to the precedence documented. Errors thrown during user error handler execution are similarly handled. It's not clear which is the case for your example.

Also the setting for default error format only applies to core server generated errors. Application generated errors can get the value of the default error format and choose to generate an appropriate format result or not. If you're using the declarative (XML) rewriter you can set the in-effect error format in the rewriter (overriding the default format).

There are several trace events that report on the resolution and handling of error messages as they occur. If you enable tracing and add these events then in ErrorLog.txt you will get a great deal of detail (more than you may want in a production system).

Error and format handling
<event-id>AppServer ErrorHandler</event-id>
<event-id>HTTPRequest ErrorFormat</event-id>

Rewriter details
<event-id>AppRequest RewriteDetails</event-id>
<event-id>AppRequest Rewrite</event-id>
<event-id>AppRequest XML Rewriter</event-id>
<event-id>Declarative Rewriter</event-id>
<event-id>URL Rewrite</event-id>
<event-id>Rewriter Evaluator</event-id>
<event-id>Rewriter Evaluator Verbose</event-id>
<event-id>Rewriter Invoke</event-id>
<event-id>Rewriter Parser</event-id>
<event-id>Rewriter Result</event-id>

Authentication
<event-id>AppRequest Authentication Details</event-id>

-----------------------------------------------------------------------------
David Lee
Lead Engineer
MarkLogic Corporation
[email protected]
Phone: +1 812-482-5224
Cell: +1 812-630-7622
www.marklogic.com

From: [email protected] [mailto:[email protected]] On Behalf Of Danny Sokolsky
Sent: Tuesday, July 28, 2015 2:14 PM
To: MarkLogic Developer Discussion <[email protected]>
Subject: Re: [MarkLogic Dev General] ML 8 Error Handler Non-Execution | Unauthorized User

Have you looked at your rewriter too? Maybe the 401 is for the rewriter, not the error handler? Another clue might come from the AccessLog for that app server.

-Danny

From: [email protected] [mailto:[email protected]] On Behalf Of Rahul Gupta
Sent: Tuesday, July 28, 2015 9:55 AM
To: [email protected]
Subject: [MarkLogic Dev General] ML 8 Error Handler Non-Execution | Unauthorized User

Hi,

I am currently migrating my ML 6.0-5.3 code to ML 8.0-3 and I found that error-handler for the App-server is not being executed when an unauthorized user logs in. I did some research and came to this link:

https://docs.marklogic.com/guide/app-dev/appserver-control#id_84264

But this link has no change as compared to ML 6 documentation and it was doing custom error handling for an unauthorized-user.
https://docs.marklogic.com/6.0/guide/app-dev/appserver-control#id_84264

And in error-handler.xqy, it is written as follows:

    let $error as element(e:error) :=
      if ( fn:exists($error:errors) )
      then local:handle-thrown-exception()
      else local:handle-general-error()

Also, the app-server default user is assigned with admin role and default error format in ML 8 as "xml" tried using "html, json, compatible". Hence it has the execute permissions too. Still not working...

Can anyone please suggest how to throw custom message for an unauthorized user from the error handler mechanism. Currently what I am getting is:

    <error-response xmlns='http://marklogic.com/xdmp/error'>
      <status-code>401</status-code>
      <status>Unauthorized</status>
      <message>401 Unauthorized</message>
    </error-response>

Thanks,
Rahul
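
The reading of the trace given in the reply at the top of this thread, as an added example (not part of the thread and not MarkLogic code): it groups trace events into requests and reports, per request, whether an error was actually dispatched to the built-in handler, as opposed to an error handler URI merely being in effect. The sample trace is constructed from the event shapes quoted in the thread; the function names and record keys are this example's own.

```python
import re

# Constructed sample in the shape of the trace quoted in the thread (no timestamps).
SAMPLE_TRACE = """\
[Event:id=AppRequest Authentication Details] Authenticated Request User: 0
[Event:id=HTTPRequest ErrorFormat] Dispatching error to builtin handler
[Event:id=HTTPRequest ErrorFormat] Resolved error format: xml
[Event:id=AppRequest Authentication Details] Authenticated Request User: 7071164303237443533
[Event:id=AppServer ErrorHandler] AppServer configured error handler in errorHandler: /error-switch.xqy
[Event:id=URL Rewrite] Original URL /get-error-log.xqy?filename=ErrorLog.txt
[Event:id=AppServer ErrorHandler] Request error handler in effect: /error-switch.xqy
[Event:id=URL Rewrite] Final URL: /get-error-log.xqy?filename=ErrorLog.txt
"""

# One event = "[Event:id=<name>] <message>", up to the next event or end of input,
# so the same pattern works on one-event-per-line and on run-together text.
EVENT = re.compile(r"\[Event:id=([^\]]+)\]\s*(.*?)(?=\s*\[Event:id=|\Z)", re.S)
# The thread shows both spellings: "built-in handler" and "builtin handler".
BUILTIN = re.compile(r"Dispatching error to built-?in handler")
FIELDS = {  # message prefix -> key in the per-request record
    "Resolved error format:": "error_format",
    "Request error handler in effect:": "handler_in_effect",
    "Final URL:": "final_url",
}

def parse_requests(text):
    """Group events into requests; a request starts at 'Authenticated Request User:'."""
    requests = []
    for m in EVENT.finditer(text):
        msg = (m.group(2).strip().splitlines() or [""])[0]
        if msg.startswith("Authenticated Request User:"):
            requests.append({"user": msg.split(":", 1)[1].strip(),
                             "builtin_dispatch": False, "error_format": None,
                             "handler_in_effect": None, "final_url": None})
        elif requests:  # events before the first marker cannot be attributed
            req = requests[-1]
            if BUILTIN.search(msg):
                req["builtin_dispatch"] = True
            for prefix, key in FIELDS.items():
                if msg.startswith(prefix):
                    req[key] = msg[len(prefix):].strip()
    return requests

def builtin_handled(requests):
    """Requests whose error was dispatched to the core server's built-in handler."""
    return [r for r in requests if r["builtin_dispatch"]]

if __name__ == "__main__":
    for r in parse_requests(SAMPLE_TRACE):
        who = "unauthenticated (user 0)" if r["user"] == "0" else "user " + r["user"]
        what = "built-in handler" if r["builtin_dispatch"] else "no error dispatched"
        print(f"{who}: {what}, format={r['error_format']}, url={r['final_url']}")
```
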
