[ https://issues.apache.org/jira/browse/JENA-2055?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292857#comment-17292857 ]
Rob Vesse commented on JENA-2055: --------------------------------- [~infoplp] Unfortunately there is unlikely to be anything further that can be done to resolve that second case you are noting. ARQ is by design a streaming query engine i.e. it always aims to do the minimum amount of work possible to provide the next query solution. This has a lot of performance benefits especially wrt. keeping memory consumption down. When Fuseki processes a query it passes off the query to ARQ and starts directly streaming the results back to the client. Therefore if ARQ starts evaluating the query and produces some results to which a user is permitted access prior to encountering a permissions error then the HTTP response is already partially written so it's not possible at that point to change the HTTP response headers. So all ARQ can do is dump the error message to the existing response (likely making it invalid data per your comment). > handle properly the denied access generated by jena-permission security > evaluator > --------------------------------------------------------------------------------- > > Key: JENA-2055 > URL: https://issues.apache.org/jira/browse/JENA-2055 > Project: Apache Jena > Issue Type: Bug > Components: Fuseki > Affects Versions: Jena 3.17.0 > Environment: jena-fuseki 3.17.0 > openjdk version "1.8.0_275" > Reporter: info parlepeuple > Assignee: Andy Seaborne > Priority: Major > Labels: fuseki2, permission > Fix For: Jena 4.0.0 > > Attachments: > 0001-handle-properly-the-denied-access-generated-by-jena.patch, > ShiroEvaluator.java, localData.ttl, pom.xml > > > When the dataset is secured with [jena > permission|https://jena.apache.org/documentation/permissions/] , and some > access is denied, an exception is thrown from the SecuredGraph. > This exception is not catched in SPARQLQueryProcessor, which results in a 500 > error returned to the HTTP client. > exception OperationDeniedException should return a 403, not a 500. > > attached is the patch ! > > [2021-02-21 03:10:26] Fuseki WARN [3] RC = 500 : Model permissions violation: > org.apache.jena.shared.ReadDeniedException: Model permissions violation: > at > org.apache.jena.permissions.impl.SecuredItemImpl.checkRead(SecuredItemImpl.java:683) > ~[jena-permissions-3.17.0.jar:3.17.0] > at > org.apache.jena.permissions.graph.impl.SecuredGraphImpl.find(SecuredGraphImpl.java:154) > ~[jena-permissions-3.17.0.jar:3.17.0] > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_275] > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > ~[?:1.8.0_275] > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > ~[?:1.8.0_275] > at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_275] > at > org.apache.jena.permissions.impl.SecuredItemInvoker.invoke(SecuredItemInvoker.java:120) > ~[jena-permissions-3.17.0.jar:3.17.0] > at com.sun.proxy.$Proxy18.find(Unknown Source) ~[?:?] > at > org.apache.jena.sparql.graph.GraphUnionRead.graphBaseFind(GraphUnionRead.java:104) > ~[fuseki-server.jar:3.17.0] > at org.apache.jena.graph.impl.GraphBase.find(GraphBase.java:244) > ~[fuseki-server.jar:3.17.0] > at org.apache.jena.graph.impl.GraphBase.graphBaseFind(GraphBase.java:261) > ~[fuseki-server.jar:3.17.0] > at org.apache.jena.graph.impl.GraphBase.find(GraphBase.java:258) > ~[fuseki-server.jar:3.17.0] > at org.apache.jena.graph.impl.WrappedGraph.find(WrappedGraph.java:100) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.sparql.engine.iterator.QueryIterTriplePattern$TripleMapper.<init>(QueryIterTriplePattern.java:83) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.sparql.engine.iterator.QueryIterTriplePattern.nextStage(QueryIterTriplePattern.java:52) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.sparql.engine.iterator.QueryIterRepeatApply.makeNextStage(QueryIterRepeatApply.java:108) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.sparql.engine.iterator.QueryIterRepeatApply.hasNextBinding(QueryIterRepeatApply.java:65) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.sparql.engine.iterator.QueryIterBlockTriplesStar.hasNextBinding(QueryIterBlockTriplesStar.java:54) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.sparql.engine.iterator.QueryIterConvert.hasNextBinding(QueryIterConvert.java:58) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.sparql.engine.iterator.QueryIteratorWrapper.hasNextBinding(QueryIteratorWrapper.java:38) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.sparql.engine.iterator.QueryIteratorWrapper.hasNextBinding(QueryIteratorWrapper.java:38) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.sparql.engine.ResultSetStream.hasNext(ResultSetStream.java:74) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.sparql.engine.ResultSetCheckCondition.hasNext(ResultSetCheckCondition.java:55) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.executeQuery(SPARQLQueryProcessor.java:324) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.execute(SPARQLQueryProcessor.java:273) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.executeWithParameter(SPARQLQueryProcessor.java:222) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.execute(SPARQLQueryProcessor.java:207) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.fuseki.servlets.ActionService.executeLifecycle(ActionService.java:58) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.execPost(SPARQLQueryProcessor.java:83) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.fuseki.servlets.ActionProcessor.process(ActionProcessor.java:34) > ~[fuseki-server.jar:3.17.0] > at org.apache.jena.fuseki.servlets.ActionBase.process(ActionBase.java:55) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.fuseki.servlets.ActionExecLib.execAction(ActionExecLib.java:106) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.fuseki.server.Dispatcher.dispatchAction(Dispatcher.java:118) > ~[fuseki-server.jar:3.17.0] > at org.apache.jena.fuseki.server.Dispatcher.process(Dispatcher.java:110) > ~[fuseki-server.jar:3.17.0] > at org.apache.jena.fuseki.server.Dispatcher.dispatch(Dispatcher.java:96) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.fuseki.servlets.FusekiFilter.doFilter(FusekiFilter.java:51) > ~[fuseki-server.jar:3.17.0] > at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:450) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362) > ~[fuseki-server.jar:3.17.0] > at > org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) > ~[fuseki-server.jar:3.17.0] > at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.fuseki.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:284) > ~[fuseki-server.jar:3.17.0] > at > org.apache.jena.fuseki.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:247) > ~[fuseki-server.jar:3.17.0] > at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1612) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) > ~[fuseki-server.jar:3.17.0] > at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1582) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:716) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[fuseki-server.jar:3.17.0] > at org.eclipse.jetty.server.Server.handle(Server.java:516) > ~[fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383) > ~[fuseki-server.jar:3.17.0] > at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:556) > [fuseki-server.jar:3.17.0] > at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375) > [fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273) > [fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) > [fuseki-server.jar:3.17.0] > at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) > [fuseki-server.jar:3.17.0] > at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) > [fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) > [fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) > [fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) > [fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) > [fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375) > [fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773) > [fuseki-server.jar:3.17.0] > at > org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905) > [fuseki-server.jar:3.17.0] > at java.lang.Thread.run(Thread.java:748) [?:1.8.0_275] > [2021-02-21 03:10:26] Fuseki INFO [3] 500 Server Error (18 ms) -- This message was sent by Atlassian Jira (v8.3.4#803005)