[
https://issues.apache.org/jira/browse/JENA-2055?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292857#comment-17292857
]
Rob Vesse commented on JENA-2055:
---------------------------------
[~infoplp] Unfortunately there is unlikely to be anything further that can be
done to resolve that second case you are noting. ARQ is by design a streaming
query engine i.e. it always aims to do the minimum amount of work possible to
provide the next query solution. This has a lot of performance benefits
especially wrt. keeping memory consumption down.
When Fuseki processes a query it passes off the query to ARQ and starts
directly streaming the results back to the client.
Therefore if ARQ starts evaluating the query and produces some results to which
a user is permitted access prior to encountering a permissions error then the
HTTP response is already partially written so it's not possible at that point
to change the HTTP response headers. So all ARQ can do is dump the error
message to the existing response (likely making it invalid data per your
comment).
> handle properly the denied access generated by jena-permission security
> evaluator
> ---------------------------------------------------------------------------------
>
> Key: JENA-2055
> URL: https://issues.apache.org/jira/browse/JENA-2055
> Project: Apache Jena
> Issue Type: Bug
> Components: Fuseki
> Affects Versions: Jena 3.17.0
> Environment: jena-fuseki 3.17.0
> openjdk version "1.8.0_275"
> Reporter: info parlepeuple
> Assignee: Andy Seaborne
> Priority: Major
> Labels: fuseki2, permission
> Fix For: Jena 4.0.0
>
> Attachments:
> 0001-handle-properly-the-denied-access-generated-by-jena.patch,
> ShiroEvaluator.java, localData.ttl, pom.xml
>
>
> When the dataset is secured with [jena
> permission|https://jena.apache.org/documentation/permissions/] , and some
> access is denied, an exception is thrown from the SecuredGraph.
> This exception is not catched in SPARQLQueryProcessor, which results in a 500
> error returned to the HTTP client.
> exception OperationDeniedException should return a 403, not a 500.
>
> attached is the patch !
>
> [2021-02-21 03:10:26] Fuseki WARN [3] RC = 500 : Model permissions violation:
> org.apache.jena.shared.ReadDeniedException: Model permissions violation:
> at
> org.apache.jena.permissions.impl.SecuredItemImpl.checkRead(SecuredItemImpl.java:683)
> ~[jena-permissions-3.17.0.jar:3.17.0]
> at
> org.apache.jena.permissions.graph.impl.SecuredGraphImpl.find(SecuredGraphImpl.java:154)
> ~[jena-permissions-3.17.0.jar:3.17.0]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_275]
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> ~[?:1.8.0_275]
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:1.8.0_275]
> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_275]
> at
> org.apache.jena.permissions.impl.SecuredItemInvoker.invoke(SecuredItemInvoker.java:120)
> ~[jena-permissions-3.17.0.jar:3.17.0]
> at com.sun.proxy.$Proxy18.find(Unknown Source) ~[?:?]
> at
> org.apache.jena.sparql.graph.GraphUnionRead.graphBaseFind(GraphUnionRead.java:104)
> ~[fuseki-server.jar:3.17.0]
> at org.apache.jena.graph.impl.GraphBase.find(GraphBase.java:244)
> ~[fuseki-server.jar:3.17.0]
> at org.apache.jena.graph.impl.GraphBase.graphBaseFind(GraphBase.java:261)
> ~[fuseki-server.jar:3.17.0]
> at org.apache.jena.graph.impl.GraphBase.find(GraphBase.java:258)
> ~[fuseki-server.jar:3.17.0]
> at org.apache.jena.graph.impl.WrappedGraph.find(WrappedGraph.java:100)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIterTriplePattern$TripleMapper.<init>(QueryIterTriplePattern.java:83)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIterTriplePattern.nextStage(QueryIterTriplePattern.java:52)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIterRepeatApply.makeNextStage(QueryIterRepeatApply.java:108)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIterRepeatApply.hasNextBinding(QueryIterRepeatApply.java:65)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIterBlockTriplesStar.hasNextBinding(QueryIterBlockTriplesStar.java:54)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIterConvert.hasNextBinding(QueryIterConvert.java:58)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIteratorWrapper.hasNextBinding(QueryIteratorWrapper.java:38)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIteratorWrapper.hasNextBinding(QueryIteratorWrapper.java:38)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.ResultSetStream.hasNext(ResultSetStream.java:74)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.ResultSetCheckCondition.hasNext(ResultSetCheckCondition.java:55)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.executeQuery(SPARQLQueryProcessor.java:324)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.execute(SPARQLQueryProcessor.java:273)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.executeWithParameter(SPARQLQueryProcessor.java:222)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.execute(SPARQLQueryProcessor.java:207)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.ActionService.executeLifecycle(ActionService.java:58)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.execPost(SPARQLQueryProcessor.java:83)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.ActionProcessor.process(ActionProcessor.java:34)
> ~[fuseki-server.jar:3.17.0]
> at org.apache.jena.fuseki.servlets.ActionBase.process(ActionBase.java:55)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.ActionExecLib.execAction(ActionExecLib.java:106)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.server.Dispatcher.dispatchAction(Dispatcher.java:118)
> ~[fuseki-server.jar:3.17.0]
> at org.apache.jena.fuseki.server.Dispatcher.process(Dispatcher.java:110)
> ~[fuseki-server.jar:3.17.0]
> at org.apache.jena.fuseki.server.Dispatcher.dispatch(Dispatcher.java:96)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.FusekiFilter.doFilter(FusekiFilter.java:51)
> ~[fuseki-server.jar:3.17.0]
> at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:450)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> ~[fuseki-server.jar:3.17.0]
> at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:284)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:247)
> ~[fuseki-server.jar:3.17.0]
> at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1612)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
> ~[fuseki-server.jar:3.17.0]
> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1582)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:716)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
> ~[fuseki-server.jar:3.17.0]
> at org.eclipse.jetty.server.Server.handle(Server.java:516)
> ~[fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
> ~[fuseki-server.jar:3.17.0]
> at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:556)
> [fuseki-server.jar:3.17.0]
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
> [fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
> [fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
> [fuseki-server.jar:3.17.0]
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
> [fuseki-server.jar:3.17.0]
> at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
> [fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
> [fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
> [fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
> [fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
> [fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)
> [fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773)
> [fuseki-server.jar:3.17.0]
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905)
> [fuseki-server.jar:3.17.0]
> at java.lang.Thread.run(Thread.java:748) [?:1.8.0_275]
> [2021-02-21 03:10:26] Fuseki INFO [3] 500 Server Error (18 ms)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
