[ https://issues.apache.org/jira/browse/JENA-2055?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292860#comment-17292860 ]
info parlepeuple edited comment on JENA-2055 at 3/1/21, 12:31 PM:
------------------------------------------------------------------

The difference between the 2 queries and their behaviour is because:
- We have 2 graphs. They both have data. One is accessible, the other one is protected by the security evaluator.
- For the first query, we specifically ask to query on the protected graph, so Jena gets the exception at the beginning of the query and is able to return a 403.
- The second query is a UNION. It starts by searching on the unprotected graph (defaultGraph) and gets some tuples to return, so it sends them back to the client. Later on, while continuing to process the UNION, it goes to the protected graph and gets an exception.
- At this moment, it is too late to change the HTTP status code, which is fine: some data was returned to the client. But at least the exception should let Jena finish handling the response properly and send the closing characters of the JSON output. Otherwise, the JSON is malformed, left in the middle of processing.

> handle properly the denied access generated by jena-permission security evaluator
> ---------------------------------------------------------------------------------
>
> Key: JENA-2055
> URL: https://issues.apache.org/jira/browse/JENA-2055
> Project: Apache Jena
> Issue Type: Bug
> Components: Fuseki
> Affects Versions: Jena 3.17.0
> Environment: jena-fuseki 3.17.0
> openjdk version "1.8.0_275"
> Reporter: info parlepeuple
> Assignee: Andy Seaborne
> Priority: Major
> Labels: fuseki2, permission
> Fix For: Jena 4.0.0
>
> Attachments: 0001-handle-properly-the-denied-access-generated-by-jena.patch, ShiroEvaluator.java, localData.ttl, pom.xml
>
>
> When the dataset is secured with [jena permission|https://jena.apache.org/documentation/permissions/], and some access is denied, an exception is thrown from the SecuredGraph.
> This exception is not caught in SPARQLQueryProcessor, which results in a 500 error returned to the HTTP client.
> Exception OperationDeniedException should return a 403, not a 500.
>
> attached is the patch !
>
> [2021-02-21 03:10:26] Fuseki WARN [3] RC = 500 : Model permissions violation:
> org.apache.jena.shared.ReadDeniedException: Model permissions violation:
>     at org.apache.jena.permissions.impl.SecuredItemImpl.checkRead(SecuredItemImpl.java:683) ~[jena-permissions-3.17.0.jar:3.17.0]
>     at org.apache.jena.permissions.graph.impl.SecuredGraphImpl.find(SecuredGraphImpl.java:154) ~[jena-permissions-3.17.0.jar:3.17.0]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_275]
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_275]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_275]
>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_275]
>     at org.apache.jena.permissions.impl.SecuredItemInvoker.invoke(SecuredItemInvoker.java:120) ~[jena-permissions-3.17.0.jar:3.17.0]
>     at com.sun.proxy.$Proxy18.find(Unknown Source) ~[?:?]
>     at org.apache.jena.sparql.graph.GraphUnionRead.graphBaseFind(GraphUnionRead.java:104) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.graph.impl.GraphBase.find(GraphBase.java:244) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.graph.impl.GraphBase.graphBaseFind(GraphBase.java:261) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.graph.impl.GraphBase.find(GraphBase.java:258) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.graph.impl.WrappedGraph.find(WrappedGraph.java:100) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.sparql.engine.iterator.QueryIterTriplePattern$TripleMapper.<init>(QueryIterTriplePattern.java:83) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.sparql.engine.iterator.QueryIterTriplePattern.nextStage(QueryIterTriplePattern.java:52) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.sparql.engine.iterator.QueryIterRepeatApply.makeNextStage(QueryIterRepeatApply.java:108) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.sparql.engine.iterator.QueryIterRepeatApply.hasNextBinding(QueryIterRepeatApply.java:65) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.sparql.engine.iterator.QueryIterBlockTriplesStar.hasNextBinding(QueryIterBlockTriplesStar.java:54) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.sparql.engine.iterator.QueryIterConvert.hasNextBinding(QueryIterConvert.java:58) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.sparql.engine.iterator.QueryIteratorWrapper.hasNextBinding(QueryIteratorWrapper.java:38) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.sparql.engine.iterator.QueryIteratorWrapper.hasNextBinding(QueryIteratorWrapper.java:38) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.sparql.engine.ResultSetStream.hasNext(ResultSetStream.java:74) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.sparql.engine.ResultSetCheckCondition.hasNext(ResultSetCheckCondition.java:55) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.executeQuery(SPARQLQueryProcessor.java:324) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.execute(SPARQLQueryProcessor.java:273) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.executeWithParameter(SPARQLQueryProcessor.java:222) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.execute(SPARQLQueryProcessor.java:207) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.fuseki.servlets.ActionService.executeLifecycle(ActionService.java:58) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.execPost(SPARQLQueryProcessor.java:83) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.fuseki.servlets.ActionProcessor.process(ActionProcessor.java:34) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.fuseki.servlets.ActionBase.process(ActionBase.java:55) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.fuseki.servlets.ActionExecLib.execAction(ActionExecLib.java:106) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.fuseki.server.Dispatcher.dispatchAction(Dispatcher.java:118) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.fuseki.server.Dispatcher.process(Dispatcher.java:110) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.fuseki.server.Dispatcher.dispatch(Dispatcher.java:96) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.fuseki.servlets.FusekiFilter.doFilter(FusekiFilter.java:51) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:450) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362) ~[fuseki-server.jar:3.17.0]
>     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.fuseki.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:284) ~[fuseki-server.jar:3.17.0]
>     at org.apache.jena.fuseki.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:247) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1612) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1582) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:716) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.Server.handle(Server.java:516) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383) ~[fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:556) [fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375) [fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273) [fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) [fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) [fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375) [fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773) [fuseki-server.jar:3.17.0]
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905) [fuseki-server.jar:3.17.0]
>     at java.lang.Thread.run(Thread.java:748) [?:1.8.0_275]
> [2021-02-21 03:10:26] Fuseki INFO [3] 500 Server Error (18 ms)

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
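
The two cases described in the comment above (denial before any output versus denial after rows have been streamed), as an added example that is not code from Jena, Fuseki or the attached patch. The `Response`, `AccessDenied`, `rows` and `serve` names are hypothetical stand-ins, and the sample rows are constructed.

```java
import java.util.*;
// Added illustration; every name here is hypothetical and no Jena or Fuseki API is used.
class StreamingDenialDemo {
    static class AccessDenied extends RuntimeException {}
    // Stand-in for an HTTP response: the status is fixed once any body text is written.
    static class Response {
        int status = 200; boolean committed = false;
        final StringBuilder body = new StringBuilder();
        void write(String s) { committed = true; body.append(s); }
    }
    // Constructed input: yields rows from an open graph, then optionally hits a protected one.
    static Iterator<String> rows(List<String> open, boolean thenDenied) {
        Iterator<String> it = open.iterator();
        return new Iterator<String>() {
            public boolean hasNext() {
                if (it.hasNext()) return true;
                if (thenDenied) throw new AccessDenied();
                return false;
            }
            public String next() { return it.next(); }
        };
    }

    // Streams results as SPARQL JSON; sample values need no JSON escaping.
    static Response serve(Iterator<String> results) {
        final String head = "{\"head\":{\"vars\":[\"s\"]},\"results\":{\"bindings\":[";
        final String tail = "]}}";
        Response r = new Response();
        try {
            for (boolean first = true; results.hasNext(); first = false) {
                String row = results.next();
                if (first) r.write(head);
                r.write((first ? "" : ",") + "{\"s\":{\"type\":\"literal\",\"value\":\"" + row + "\"}}");
            }
            if (!r.committed) r.write(head);
            r.write(tail);
        } catch (AccessDenied e) {
            if (!r.committed) r.status = 403;  // nothing sent yet: a clean 403 is still possible
            else r.write(tail);                // status already sent: at least close the JSON
        }
        return r;
    }

    public static void main(String[] args) {
        Response direct = serve(rows(Collections.<String>emptyList(), true)); // protected graph only
        Response union = serve(rows(Arrays.asList("a", "b"), true));          // open graph, then denied
        System.out.println(direct.status + " " + direct.body);
        System.out.println(union.status + " " + union.body);
    }
}
```

A result set that is closed this way is well-formed but truncated, so the body alone does not tell the client that the protected graph was skipped.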