[
https://issues.apache.org/jira/browse/JENA-2055?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292906#comment-17292906
]
Claude Warren commented on JENA-2055:
-------------------------------------
I have two items to bring up here:
*One – The record code for OperationDeniedException*
I think there is a problem with the original solution. If the problem is that
authentication is required the system returns a 403 (forbidden) rather than a
401 (unauthorized). The issue is in the patch at the line that reads:
{code:java}
if ( ex.getCause() != null && ex.getCause() instanceof OperationDeniedException )
{code}
The code that follows should distinguish between the AccessDenied and the
AuthenticationRequired exceptions. I think that CannotCreate should probably
go with AccessDenied.
*Two – The permissions issue in UNION*
The work around for this problem is to modify the SecurityEvaluator.
Background:
The system verifies that the user has access to the graph, if not it throws the
ReadDeniedException. However, if the user has access to the graph then the
system will look at each triple and verify access. So if the SecurityEvaluator
returns true for graph access and then false for every triple the system will
work.
The solution is probably to change the find() methods so that they call
canRead() rather than checkRead() and if canRead() returns false then return an
empty iterator.
> handle properly the denied access generated by jena-permission security
> evaluator
> ---------------------------------------------------------------------------------
>
> Key: JENA-2055
> URL: https://issues.apache.org/jira/browse/JENA-2055
> Project: Apache Jena
> Issue Type: Bug
> Components: Fuseki
> Affects Versions: Jena 3.17.0
> Environment: jena-fuseki 3.17.0
> openjdk version "1.8.0_275"
> Reporter: info parlepeuple
> Assignee: Andy Seaborne
> Priority: Major
> Labels: fuseki2, permission
> Fix For: Jena 4.0.0
>
> Attachments:
> 0001-handle-properly-the-denied-access-generated-by-jena.patch,
> ShiroEvaluator.java, localData.ttl, pom.xml
>
>
> When the dataset is secured with [jena
> permission|https://jena.apache.org/documentation/permissions/] , and some
> access is denied, an exception is thrown from the SecuredGraph.
> This exception is not caught in SPARQLQueryProcessor, which results in a 500
> error returned to the HTTP client.
> exception OperationDeniedException should return a 403, not a 500.
>
> attached is the patch !
>
> [2021-02-21 03:10:26] Fuseki WARN [3] RC = 500 : Model permissions violation:
> org.apache.jena.shared.ReadDeniedException: Model permissions violation:
> at
> org.apache.jena.permissions.impl.SecuredItemImpl.checkRead(SecuredItemImpl.java:683)
> ~[jena-permissions-3.17.0.jar:3.17.0]
> at
> org.apache.jena.permissions.graph.impl.SecuredGraphImpl.find(SecuredGraphImpl.java:154)
> ~[jena-permissions-3.17.0.jar:3.17.0]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_275]
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> ~[?:1.8.0_275]
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:1.8.0_275]
> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_275]
> at
> org.apache.jena.permissions.impl.SecuredItemInvoker.invoke(SecuredItemInvoker.java:120)
> ~[jena-permissions-3.17.0.jar:3.17.0]
> at com.sun.proxy.$Proxy18.find(Unknown Source) ~[?:?]
> at
> org.apache.jena.sparql.graph.GraphUnionRead.graphBaseFind(GraphUnionRead.java:104)
> ~[fuseki-server.jar:3.17.0]
> at org.apache.jena.graph.impl.GraphBase.find(GraphBase.java:244)
> ~[fuseki-server.jar:3.17.0]
> at org.apache.jena.graph.impl.GraphBase.graphBaseFind(GraphBase.java:261)
> ~[fuseki-server.jar:3.17.0]
> at org.apache.jena.graph.impl.GraphBase.find(GraphBase.java:258)
> ~[fuseki-server.jar:3.17.0]
> at org.apache.jena.graph.impl.WrappedGraph.find(WrappedGraph.java:100)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIterTriplePattern$TripleMapper.<init>(QueryIterTriplePattern.java:83)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIterTriplePattern.nextStage(QueryIterTriplePattern.java:52)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIterRepeatApply.makeNextStage(QueryIterRepeatApply.java:108)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIterRepeatApply.hasNextBinding(QueryIterRepeatApply.java:65)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIterBlockTriplesStar.hasNextBinding(QueryIterBlockTriplesStar.java:54)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIterConvert.hasNextBinding(QueryIterConvert.java:58)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIteratorWrapper.hasNextBinding(QueryIteratorWrapper.java:38)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIteratorWrapper.hasNextBinding(QueryIteratorWrapper.java:38)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.iterator.QueryIteratorBase.hasNext(QueryIteratorBase.java:114)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.ResultSetStream.hasNext(ResultSetStream.java:74)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.sparql.engine.ResultSetCheckCondition.hasNext(ResultSetCheckCondition.java:55)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.executeQuery(SPARQLQueryProcessor.java:324)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.execute(SPARQLQueryProcessor.java:273)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.executeWithParameter(SPARQLQueryProcessor.java:222)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.execute(SPARQLQueryProcessor.java:207)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.ActionService.executeLifecycle(ActionService.java:58)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.SPARQLQueryProcessor.execPost(SPARQLQueryProcessor.java:83)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.ActionProcessor.process(ActionProcessor.java:34)
> ~[fuseki-server.jar:3.17.0]
> at org.apache.jena.fuseki.servlets.ActionBase.process(ActionBase.java:55)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.ActionExecLib.execAction(ActionExecLib.java:106)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.server.Dispatcher.dispatchAction(Dispatcher.java:118)
> ~[fuseki-server.jar:3.17.0]
> at org.apache.jena.fuseki.server.Dispatcher.process(Dispatcher.java:110)
> ~[fuseki-server.jar:3.17.0]
> at org.apache.jena.fuseki.server.Dispatcher.dispatch(Dispatcher.java:96)
> ~[fuseki-server.jar:3.17.0]
> at
> org.apache.jena.fuseki.servlets.FusekiFilter.doFilter(FusekiFilter.java:51)
> ~[fuseki-server.jar:3.17.0]
> [2021-02-21 03:10:26] Fuseki INFO [3] 500 Server Error (18 ms)
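The two points raised in the comment above, as an added example that is not part of the original message and is not Jena or Fuseki code. The exception classes are stand-ins named after the types mentioned in the comment, and statusFor, findStrict, findLenient and the sample graphs are hypothetical names and constructed data.

```java
import java.util.*;
import java.util.function.Predicate;

public class DeniedAccessDemo {
    // Stand-ins (assumption) named after the exception types in the comment;
    // these are not the real org.apache.jena.shared classes.
    static class OperationDeniedException extends RuntimeException {
        OperationDeniedException(String m) { super(m); }
    }
    static class AccessDeniedException extends OperationDeniedException {
        AccessDeniedException(String m) { super(m); }
    }
    static class AuthenticationRequiredException extends OperationDeniedException {
        AuthenticationRequiredException(String m) { super(m); }
    }

    // Item one: 401 when the caller still has to authenticate, 403 for any
    // other denial, 500 only when the cause is not a permissions failure.
    static int statusFor(Throwable ex) {
        Throwable cause = ex.getCause();
        if (cause instanceof AuthenticationRequiredException) return 401;
        if (cause instanceof OperationDeniedException) return 403;
        return 500;
    }

    // checkRead() style: one unreadable graph aborts the whole find().
    static Iterator<String> findStrict(String graph, List<String> triples, Predicate<String> canRead) {
        if (!canRead.test(graph)) throw new AccessDeniedException("read denied: " + graph);
        return triples.iterator();
    }

    // canRead() style (item two): an unreadable graph contributes nothing.
    static Iterator<String> findLenient(String graph, List<String> triples, Predicate<String> canRead) {
        return canRead.test(graph) ? triples.iterator() : Collections.<String>emptyIterator();
    }

    public static void main(String[] args) {
        Map<String, List<String>> union = new LinkedHashMap<>(); // constructed sample graphs
        union.put("public", List.of("s1 p o", "s2 p o"));
        union.put("private", List.of("s3 p secret"));
        Predicate<String> canRead = "public"::equals;            // user may read "public" only
        List<String> seen = new ArrayList<>();
        union.forEach((g, t) -> findLenient(g, t, canRead).forEachRemaining(seen::add));
        System.out.println("lenient union: " + seen);
        try {
            union.forEach((g, t) -> findStrict(g, t, canRead).forEachRemaining(s -> {}));
        } catch (OperationDeniedException e) {
            System.out.println("strict union: HTTP " + statusFor(new RuntimeException(e)));
        }
    }
}
```

With the lenient variant the union query returns only the triples from the readable graph and never reveals that the denied graph exists; with the strict variant the same query fails as a whole and the handler has to map the wrapped exception to a status code.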