Jim (everyone),

Sorry to bother.

We added these files to a configuration repository, and I missed changing the mode for how the file gets re-sync'd. This whole issue was due to the fact that tomcat was unable to read the clientApproval xml.

-k

On Fri, Jul 19, 2013 at 07:42:52PM +0000, Basney, Jim wrote:
> Karen,
>
> Sorry, I can't explain it. I don't know why oa4mp would log that the
> client has not been approved when the corresponding clientApprovals data
> file contains "<entry key="approved">true</entry>". My only other idea is
> to try restarting your oa4mp server, if you haven't tried that already.
> Please submit a bug report at https://gateways.atlassian.net/browse/OAUTH
> with full details (oa4mp version, config file, log file, clientApprovals
> data file).
>
> -Jim
>
> On 7/19/13 2:03 PM, "Karen M. Fernsler" <[email protected]> wrote:
> >Thanks again Jim,
> >
> >Correct me if I'm misunderstanding, but in this case I think we're
> >looking at the latter possibility (#2) if the client id in the
> >error message
> >
> > a) matches the client id with (<entry key="approved">true</entry>) in
> >    the clientApprovals/dataPath file and
> > b) also matches the client id in the clients/dataPath file
> >
> >I have confirmed they all indeed match.
> >
> >I have opened a ticket with globusonline.
> >
> >-k
> >
> >On Fri, Jul 19, 2013 at 05:57:22PM +0000, Basney, Jim wrote:
> >> Karen,
> >>
> >> I don't know about the "Json parse unterminated string" message. I suspect
> >> that's coming from Globus Online, not oa4mp. Maybe you should submit a
> >> request at https://support.globusonline.org/ about that.
> >>
> >> Since you're using oa4mp's fileStore you can check for the Globus client
> >> in your fileStore path. In the clientApprovals/dataPath subdirectory you
> >> should see a file containing the oauth_consumer_key in question (i.e.,
> >> matching the client identifier from the error message you quoted in your
> >> original message) along with:
> >>
> >> <entry key="approved">true</entry>
> >>
> >> You should also see a file containing the same oauth_consumer_key in the
> >> clients/dataPath subdirectory. They're just XML text files, so you can
> >> grep/cat them.
> >>
> >> It seems to me the only possibilities are either 1) something changed in
> >> your fileStore path for the Globus client or 2) Globus Online is using a
> >> different OAuth client identifier than it was before (i.e., different from
> >> what you approved). Hopefully matching the client identifier from the
> >> error message to the oauth_consumer_key in clientApprovals/dataPath will
> >> diagnose the problem.
> >>
> >> -Jim
> >>
> >> On 7/19/13 12:40 PM, "Karen M. Fernsler" <[email protected]> wrote:
> >> >Hi Jim,
> >> >
> >> >Thanks for your response.
> >> >
> >> >We're using fileStore.
> >> >
> >> >In web.xml, oa4mp:server.config.file is pointing to the server
> >> >config file that was fed to oa4mp-approver.jar in the attempt
> >> >to re-approve. This config file only has one config in it
> >> >"myconfig".
> >> >
> >> >I was able to set up a test client and approve it with this setup.
> >> >
> >> >The globus client which is now "unapproved" was approved at one
> >> >point and we were able to use it with the oauth server to do transfers
> >> >with gridftp.
> >> >
> >> >One thing we have noticed -- at the point where globusonline tries to
> >> >redirect the user to the oauth server for authentication we have
> >> >seen a pink error box pop up briefly posting:
> >> >"Json parse unterminated string" (it's a really brief pop up and it
> >> >doesn't always display the text).
> >> >
> >> >thanks,
> >> >-k
> >> >
> >> >On Fri, Jul 19, 2013 at 01:26:14AM +0000, Basney, Jim wrote:
> >> >> Hi Karen,
> >> >>
> >> >> My only guess is that your oa4mp server is configured to look in a
> >> >> different store for your clients and clientApprovals than where you wrote
> >> >> the clientApprovals using oa4mp-approver.jar. What are the contents of the
> >> >> OA4MP config file pointed to by the oa4mp:server.config.file property and
> >> >> is that the same config file you're using with oa4mp-approver.jar to
> >> >> approve the client? Are you using mysql, postgresql, fileStore, or
> >> >> memoryStore for clients and clientApprovals?
> >> >>
> >> >> I'm Ccing Jeff Gaynor who may be able to provide additional assistance.
> >> >>
> >> >> Documentation references:
> >> >>
> >> >> http://grid.ncsa.illinois.edu/myproxy/oauth/server/configuration/server-configuration-file.xhtml
> >> >> http://grid.ncsa.illinois.edu/myproxy/oauth/server/dtd/server-dtd.xhtml
> >> >> http://grid.ncsa.illinois.edu/myproxy/oauth/server/dtd/server-dtd-content-tags.xhtml
> >> >> http://grid.ncsa.illinois.edu/myproxy/oauth/server/manuals/manually-approving-clients.xhtml
> >> >>
> >> >> -Jim
> >> >>
> >> >> On 7/18/13 8:12 PM, "Karen M. Fernsler" <[email protected]> wrote:
> >> >> >Hi,
> >> >> >
> >> >> >A few weeks ago we approved globusonline as a client for use with our
> >> >> >oauth server.
> >> >> >
> >> >> >Up until very recently it was working just fine, but suddenly the server
> >> >> >appears to be claiming that the client isn't approved:
> >> >> >
> >> >> >Jul 18, 2013 6:04:35 PM edu.uiuc.ncsa.security.core.util.MyLoggingFacade error
> >> >> >SEVERE: oa4mp(Thu Jul 18 18:04:35 PDT 2013): INTERNAL ERROR: Error: The client with identifier "myproxy:oa4mp,2012:/client/[....]" has not been approved. Request rejected. Please contact your administrator.
> >> >> >Jul 18, 2013 6:04:35 PM edu.uiuc.ncsa.security.core.util.MyLoggingFacade error
> >> >> >SEVERE: oa4mp(Thu Jul 18 18:04:35 PDT 2013): edu.uiuc.ncsa.security.delegation.server.UnapprovedClientException: Error: The client with identifier "myproxy:oa4mp,2012:/client/[ ... ]" has not been approved. Request rejected. Please contact your administrator
> >> >> >
> >> >> >Has anyone run into this before?
> >> >> >Any ideas what to look for?
> >> >> >
> >> >> >We have tried re-approving the client to no avail.
> >> >> >
> >> >> >thanks,
> >> >> >-k
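
The resolution above (an approval file that says approved but that the servlet container's account cannot read) can be checked together with the client-id matching suggested earlier in the thread. The script below is an added example, not part of the original messages or of oa4mp. Its file names, the `client_id` entry, the client identifier and the numeric uid/gid 4294000 are constructed; only the `clients/dataPath` and `clientApprovals/dataPath` layout and the approved line come from the thread.

```shell
#!/bin/sh
# Added diagnostic sketch (not oa4mp code). Run it as root or as the account
# that owns the store, so the grep calls below can read every file.

# mode_allows_read FILE UID "GID ...": true if the owner/group/other mode
# bits let UID read FILE. ACLs and parent-directory search bits are ignored.
mode_allows_read() {
    meta=$(ls -ldn -- "$1") || return 2
    perms=$(printf '%s\n' "$meta" | awk '{print $1}')
    owner=$(printf '%s\n' "$meta" | awk '{print $3}')
    group=$(printf '%s\n' "$meta" | awk '{print $4}')
    col=8                                   # default: "other" read bit
    for g in $3; do
        if [ "$g" = "$group" ]; then col=5; fi
    done
    if [ "$2" = "$owner" ]; then col=2; fi  # owner class takes precedence
    [ "$(printf '%s' "$perms" | cut -c"$col")" = "r" ]
}

# check_client STORE CLIENT_ID UID "GID ...": prints a one-word verdict.
check_client() {
    cfile=$(grep -rlF -- "$2" "$1/clients/dataPath" 2>/dev/null | head -n 1)
    afile=$(grep -rlF -- "$2" "$1/clientApprovals/dataPath" 2>/dev/null | head -n 1)
    [ -n "$cfile" ] || { echo no-client-file; return; }
    [ -n "$afile" ] || { echo no-approval-file; return; }
    for f in "$cfile" "$afile"; do
        mode_allows_read "$f" "$3" "$4" || { echo "unreadable:$f"; return; }
    done
    grep -qF '<entry key="approved">true</entry>' "$afile" \
        || { echo not-approved; return; }
    echo ok
}

# make_sample_store DIR ID: constructed store. File names and the client_id
# entry are made up; only the approved line is quoted from the thread.
make_sample_store() {
    mkdir -p "$1/clients/dataPath" "$1/clientApprovals/dataPath"
    printf '<entry key="client_id">%s</entry>\n' "$2" > "$1/clients/dataPath/c1.xml"
    printf '<entry key="client_id">%s</entry>\n<entry key="approved">true</entry>\n' \
        "$2" > "$1/clientApprovals/dataPath/a1.xml"
    chmod 644 "$1/clients/dataPath/c1.xml" "$1/clientApprovals/dataPath/a1.xml"
}

# Demo on constructed data: a re-sync that leaves the approval file at 0600.
demo=$(mktemp -d); cid='myproxy:oa4mp,2012:/client/CONSTRUCTED-EXAMPLE'
make_sample_store "$demo" "$cid"
chmod 600 "$demo/clientApprovals/dataPath/a1.xml"
check_client "$demo" "$cid" 4294000 4294000   # service uid/gid: constructed
rm -rf "$demo"
```

Against a real store, pass the service account's ids, for example the output of `id -u` and `id -G` for the account Tomcat runs as (the account name depends on the installation).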
