Hi,

I could get a non-null value for response above by removing the local transport in carbon.xml. Still it does not print the log.warn() message, and it seems the log level is set to "ERROR" in class "AuthorizationHandler". If I change the log4j.properties file entry as follows:

log4j.rootLogger=ERROR, CARBON_CONSOLE, CARBON_LOGFILE, CARBON_MEMORY, CARBON_SYS_LOG, ERROR_LOGFILE

to

log4j.rootLogger=WARN, CARBON_CONSOLE, CARBON_LOGFILE, CARBON_MEMORY, CARBON_SYS_LOG, ERROR_LOGFILE

then I could print the warn message successfully.

@Johann According to your suggestion, if I set the log level as above, I don't need to add a new log message. The above configuration prints a warn message "Invoking admin services on worker node is forbidden..." just after the successful login message when trying to log in to a worker node.

Thanks,
Nipuni

On Mon, Aug 4, 2014 at 3:02 PM, Nipuni Perera <nip...@wso2.com> wrote:
> Isn't the response object getting a null value a bug?
>
> On Mon, Aug 4, 2014 at 2:47 PM, Nipuni Perera <nip...@wso2.com> wrote:
>> Hi,
>>
>> Yes, AuthorizationHandler does the isWorkerNode() check in the
>> invoke(MessageContext msgContext) method [1]. But this statement does not
>> get hit when I debug. As per the code below, the second if statement does
>> not execute as it returns from the first. As I debug from the worker node,
>> the second if statement gives an NPE for
>> "response.setStatus(HttpServletResponse.SC_FORBIDDEN);" as response is set
>> to null. Thus it does not print the log.warn() message. Is this expected
>> in a worker node?
>>
>>     if (this.callToGeneralService(msgContext) || skipAuthentication(msgContext)) {
>>         return InvocationResponse.CONTINUE;
>>     }
>>     if (CarbonUtils.isWorkerNode()) {
>>         // You are not allowed to invoke admin services on worker nodes
>>         HttpServletResponse response = (HttpServletResponse)
>>                 msgContext.getProperty(HTTPConstants.MC_HTTP_SERVLETRESPONSE);
>>         response.setStatus(HttpServletResponse.SC_FORBIDDEN);
>>         log.warn("Invoking admin services on worker node is forbidden...");
>>         return InvocationResponse.ABORT;
>>     }
>>
>> [1] https://github.com/wso2-dev/carbon4-kernel/blob/master/core/org.wso2.carbon.server.admin/src/main/java/org/wso2/carbon/server/admin/module/handler/AuthorizationHandler.java
>>
>> Thanks,
>> Nipuni
>>
>> On Sun, Aug 3, 2014 at 11:28 PM, Afkham Azeez <az...@wso2.com> wrote:
>>> When admin services on worker nodes are tried to be called, we return a
>>> 403.
>>>
>>> On Sun, Aug 3, 2014 at 11:17 PM, Johann Nallathamby <joh...@wso2.com> wrote:
>>>> [Adding Sameera & Azeez]
>>>>
>>>> On Fri, Aug 1, 2014 at 10:06 PM, Johann Nallathamby <joh...@wso2.com> wrote:
>>>>> On Fri, Aug 1, 2014 at 7:11 PM, Kasun Gajasinghe <kas...@wso2.com> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> It makes sense to block management console access for worker nodes, so
>>>>>> that users get a clear idea that performing management operations on
>>>>>> worker nodes is wrong. But do we really need to block access to back-end
>>>>>> admin services? Is there a use case where users might need to perform
>>>>>> read-only operations on worker nodes?
>>>>>
>>>>> @Kasun, Sameera:
>>>>> This may not be related to this thread, but why have we blocked access to
>>>>> worker node admin services? This prevents external clients from calling
>>>>> any admin services from outside the firewall, since in most production
>>>>> deployments we won't expose the management sub domain outside the
>>>>> firewall.
>>>>> Are the assumptions that,
>>>>> 1. Admin services will not be exposed outside the firewall to be called
>>>>>    by clients, even if they are *read-only*.
>>>>> 2. If it is a service exposed for a client outside the firewall it should
>>>>>    be a non-admin service, which, if it requires authentication and
>>>>>    authorization, should do so by itself and not using the admin service
>>>>>    declaration.
>>>>>
>>>>> BTW, I was thinking of AuthenticationAdmin, which is not an admin
>>>>> service. It does authentication and authorization from within the
>>>>> service. So the isWorkerNode() check is not done. So good, external
>>>>> clients can actually call this service. Still the management console
>>>>> login is failing as expected. I couldn't find the place where we do the
>>>>> check for AuthenticationAdmin. So I am thinking the login() operation is
>>>>> successful and the failure is because subsequent admin service calls from
>>>>> the management console are failing. I guess it's OK to have it like
>>>>> this :). Thoughts?
>>>>>
>>>>>> On Fri, Aug 1, 2014 at 1:59 PM, Nipuni Perera <nip...@wso2.com> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am working on JIRA issue [1]. I could reproduce the issue in a
>>>>>>> cluster with ELB, a manager node and a worker node using ESB 4.8.0.
>>>>>>> When a login attempt is triggered,
>>>>>>>
>>>>>>> 1. The login() method of AuthenticationAdmin.java (line 62 of [2])
>>>>>>>    sets boolean values for "isAuthenticated" and "isAuthorized".
>>>>>>> 2. Both values are set to true in the worker node (e.g. for an admin
>>>>>>>    user login attempt).
>>>>>>> 3. Initially the "isAuthenticated" value is set to true (line 101), due
>>>>>>>    to the return value of the authenticate() method in
>>>>>>>    AbstractUserStoreManager.java [3].
>>>>>>> 4. The authenticate() method does not check whether
>>>>>>>    CarbonUtils.isWorkerNode() is set to true or false.
>>>>>>>
>>>>>>> In order to fix the issue I can check the CarbonUtils.isWorkerNode()
>>>>>>> value in the login() method of AuthenticationAdmin.java as follows.
>>>>>>>
>>>>>>>     boolean isAuthenticated = CarbonUtils.isWorkerNode() ? false
>>>>>>>             : realm.getUserStoreManager().authenticate(username, password);
>>>>>>>
>>>>>>> or use the authenticate() method in AbstractUserStoreManager.java to
>>>>>>> check the isWorkerNode() value in an if condition. What would be the
>>>>>>> best option? Is there a better way to fix this?
>>>>>>>
>>>>> @Nipuni:
>>>>> Doing it in either place is wrong. UserStoreManagers are invoked through
>>>>> the CarbonContext API as well, so we cannot have it there.
>>>>> AuthenticationAdmin is only one authenticator; having it in there is also
>>>>> not optimal. Currently I think we do this check in AuthorizationHandler.
>>>>> Correct me if I am wrong. So there is no way to avoid this unless we just
>>>>> print one log after authentication and authorization.
>>>>>
>>>>> I guess for your problem you could just print another log along the
>>>>> lines of "you are not authorized to access a worker node" right after the
>>>>> successful login message, which at least gives an indication as to why it
>>>>> failed.
>>>>>
>>>>>>> [1] https://wso2.org/jira/browse/CARBON-14793
>>>>>>> [2] https://github.com/wso2-dev/carbon4-kernel/blob/master/core/org.wso2.carbon.core.services/src/main/java/org/wso2/carbon/core/services/authentication/AuthenticationAdmin.java
>>>>>>> [3] https://github.com/wso2-dev/carbon4-kernel/blob/master/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Nipuni
>>>>>>> --
>>>>>>> Nipuni Perera
>>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com
>>>>>>> Email: nip...@wso2.com
>>>>>>> Git hub profile: https://github.com/nipuni
>>>>>>> Mobile: +94 (71) 5626680
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> Dev@wso2.org
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>
>>>>>> --
>>>>>> Kasun Gajasinghe
>>>>>> Senior Software Engineer, WSO2 Inc.
>>>>>> email: kasung AT spamfree wso2.com
>>>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>>>> blog: http://kasunbg.org
>>>>>
>>>>> --
>>>>> Thanks & Regards,
>>>>>
>>>>> Johann Dilantha Nallathamby
>>>>> Associate Technical Lead & Product Lead of WSO2 Identity Server
>>>>> Integration Technologies Team
>>>>> WSO2, Inc.
>>>>> lean.enterprise.middleware
>>>>>
>>>>> Mobile - +94777776950
>>>>> Blog - http://nallaa.wordpress.com
>>>
>>> --
>>> Afkham Azeez
>>> Director of Architecture; WSO2, Inc.; http://wso2.com
>>> Member; Apache Software Foundation; http://www.apache.org/
>>> email: az...@wso2.com
>>> cell: +94 77 3320919
>>> blog: http://blog.afkham.org
>>> twitter: http://twitter.com/afkham_azeez
>>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>>
>>> Lean . Enterprise . Middleware
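A null-safe variant of the worker-node check quoted from AuthorizationHandler above, added here as an illustration and not taken from the carbon4-kernel code: it logs the warning before touching the servlet response, and tolerates a missing response (the situation described in the thread, where the local transport leaves the property unset). The class name WorkerNodeAdminGuard and its check() method are assumed names; the Axis2, commons-logging and CarbonUtils calls are the ones the quoted excerpt already uses.

```java
import javax.servlet.http.HttpServletResponse;

import org.apache.axis2.context.MessageContext;
import org.apache.axis2.engine.Handler.InvocationResponse;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.utils.CarbonUtils;

/**
 * Illustrative (hypothetical) worker-node guard. It mirrors the
 * AuthorizationHandler excerpt discussed on the list, but logs first and
 * only sets the HTTP status when a servlet response is actually present.
 */
public final class WorkerNodeAdminGuard {

    private static final Log log = LogFactory.getLog(WorkerNodeAdminGuard.class);

    private WorkerNodeAdminGuard() {
    }

    /**
     * Returns ABORT when this node is a worker node, CONTINUE otherwise.
     * Never throws on a missing servlet response.
     */
    public static InvocationResponse check(MessageContext msgContext) {
        if (!CarbonUtils.isWorkerNode()) {
            return InvocationResponse.CONTINUE;
        }

        // Log before touching the response, so the warning is never lost to an NPE.
        log.warn("Invoking admin services on worker node is forbidden. Service: "
                + (msgContext.getAxisService() != null
                        ? msgContext.getAxisService().getName() : "unknown"));

        // The servlet response is only present for the HTTP servlet transport;
        // the local transport and other transports leave this property unset.
        Object property = msgContext.getProperty(HTTPConstants.MC_HTTP_SERVLETRESPONSE);
        if (property instanceof HttpServletResponse) {
            ((HttpServletResponse) property).setStatus(HttpServletResponse.SC_FORBIDDEN);
        } else if (log.isDebugEnabled()) {
            log.debug("No servlet response in message context; 403 status not set");
        }
        return InvocationResponse.ABORT;
    }
}
```

The warning can also be surfaced without raising log4j.rootLogger to WARN: a log4j 1.x entry such as `log4j.logger.org.wso2.carbon.server.admin.module.handler.AuthorizationHandler=WARN` lowers the threshold for that one logger only, provided the appenders' own thresholds admit WARN.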