Hi,

I could get a non-null value for response above by removing the local transport in
carbon.xml. Still, it does not print the log.warn() message, and it seems the log
level is set to "ERROR" in class "AuthorizationHandler".
If I change the log4j.properties file entry as follows:

log4j.rootLogger=ERROR, CARBON_CONSOLE, CARBON_LOGFILE, CARBON_MEMORY,
CARBON_SYS_LOG, ERROR_LOGFILE
 to
log4j.rootLogger=WARN, CARBON_CONSOLE, CARBON_LOGFILE, CARBON_MEMORY,
CARBON_SYS_LOG, ERROR_LOGFILE

then I could print the warn message successfully.

@Johann
According to your suggestion, if I set the log level as above, I don't need to
add a new log message. The above configuration prints a warn message,
"Invoking admin services on worker node is forbidden...", just after the
successful login message when trying to log in on a worker node.

Thanks,
Nipuni

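The null response discussed in this thread comes from the message context carrying no HttpServletResponse when the request did not arrive over the servlet transport, so the NPE fires before the warning is logged and before ABORT is returned. The handler below is an added example, not the Carbon kernel's AuthorizationHandler: it keeps the same decision (worker node => refuse, 403 over HTTP) but logs first, treats the missing response as a transport detail rather than an error, and aborts in every case. The class name, the Axis2 and Carbon imports, the describe() helper and the two placeholder checks callToGeneralService()/skipAuthentication() are assumptions of this example, modelled on the identifiers quoted in the thread.

```java
import javax.servlet.http.HttpServletResponse;

import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.utils.CarbonUtils;

/**
 * Added example (hypothetical class, not the kernel's AuthorizationHandler):
 * the worker-node guard from the thread, rewritten so that a missing
 * HttpServletResponse (e.g. local transport) neither throws nor silently
 * skips the warning and the ABORT.
 */
public class WorkerNodeGuardHandler extends AbstractHandler {

    private static final Log log = LogFactory.getLog(WorkerNodeGuardHandler.class);

    @Override
    public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
        if (callToGeneralService(msgContext) || skipAuthentication(msgContext)) {
            return InvocationResponse.CONTINUE;
        }

        if (CarbonUtils.isWorkerNode()) {
            // Decide and log first; nothing below this line can change the outcome,
            // so the audit trail survives whatever the transport looks like.
            log.warn("Invoking admin services on worker node is forbidden. "
                    + describe(msgContext));

            Object servletResponse =
                    msgContext.getProperty(HTTPConstants.MC_HTTP_SERVLETRESPONSE);
            if (servletResponse instanceof HttpServletResponse) {
                // Servlet (HTTP) transport: report the refusal as 403, as the thread describes.
                ((HttpServletResponse) servletResponse)
                        .setStatus(HttpServletResponse.SC_FORBIDDEN);
            } else {
                // Local or other non-servlet transport: the property is absent, which is
                // exactly the null that produced the NPE in the quoted snippet.
                log.debug("No HttpServletResponse in message context; aborting without HTTP status");
            }
            return InvocationResponse.ABORT;
        }
        return InvocationResponse.CONTINUE;
    }

    /** Service, operation and transport for the log line; null-safe for early phases. */
    private static String describe(MessageContext msgContext) {
        String service = msgContext.getAxisService() == null
                ? "unknown" : msgContext.getAxisService().getName();
        String operation = msgContext.getAxisOperation() == null
                ? "unknown" : String.valueOf(msgContext.getAxisOperation().getName());
        return "service=" + service + ", operation=" + operation
                + ", transport=" + msgContext.getIncomingTransportName();
    }

    // Placeholders (hypothetical) for the two checks named in the thread; the real
    // handler derives these from the service and operation metadata.
    protected boolean callToGeneralService(MessageContext msgContext) {
        return false;
    }

    protected boolean skipAuthentication(MessageContext msgContext) {
        return false;
    }
}
```

On the logging side, raising log4j.rootLogger from ERROR to WARN makes every category noisier; a narrower alternative with standard log4j 1.x syntax is a per-logger override for just this class, for example log4j.logger.org.wso2.carbon.server.admin.module.handler.AuthorizationHandler=WARN (the class name is taken from the path in link [1] below), which surfaces the refusal message on worker nodes without changing the rest of the server's log volume.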

On Mon, Aug 4, 2014 at 3:02 PM, Nipuni Perera <nip...@wso2.com> wrote:

> Isn't the response object getting a null value a bug?
>
>
> On Mon, Aug 4, 2014 at 2:47 PM, Nipuni Perera <nip...@wso2.com> wrote:
>
>> Hi,
>>
>> Yes, AuthorizationHandler does the isWorkerNode() check in the
>> invoke(MessageContext msgContext) method [1]. But this statement does not
>> get hit when I debug. As per the code below, the second if statement does
>> not execute as it returns from the first. As I debug from the worker node,
>> the second if statement gives an NPE for
>> "response.setStatus(HttpServletResponse.SC_FORBIDDEN);" as response is set
>> to null. Thus it does not print the log.warn() message. Is this expected
>> on a worker node?
>>
>>         if (this.callToGeneralService(msgContext) || skipAuthentication(msgContext)) {
>>             return InvocationResponse.CONTINUE;
>>         }
>>         if (CarbonUtils.isWorkerNode()) { // You are not allowed to invoke admin services on worker nodes
>>             HttpServletResponse response = (HttpServletResponse)
>>                     msgContext.getProperty(HTTPConstants.MC_HTTP_SERVLETRESPONSE);
>>             response.setStatus(HttpServletResponse.SC_FORBIDDEN);
>>             log.warn("Invoking admin services on worker node is forbidden...");
>>             return InvocationResponse.ABORT;
>>         }
>>
>> [1]
>> https://github.com/wso2-dev/carbon4-kernel/blob/master/core/org.wso2.carbon.server.admin/src/main/java/org/wso2/carbon/server/admin/module/handler/AuthorizationHandler.java
>>
>> Thanks,
>> Nipuni
>>
>>
>> On Sun, Aug 3, 2014 at 11:28 PM, Afkham Azeez <az...@wso2.com> wrote:
>>
>>> When there is an attempt to call admin services on worker nodes, we return a
>>> 403.
>>>
>>>
>>> On Sun, Aug 3, 2014 at 11:17 PM, Johann Nallathamby <joh...@wso2.com>
>>> wrote:
>>>
>>>> [Adding Sameera & Azeez]
>>>>
>>>>
>>>>  On Fri, Aug 1, 2014 at 10:06 PM, Johann Nallathamby <joh...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Fri, Aug 1, 2014 at 7:11 PM, Kasun Gajasinghe <kas...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> It makes sense to block management console access for worker
>>>>>> nodes, so that users get a clear idea that performing management
>>>>>> operations on worker nodes is wrong. But do we really need to block
>>>>>> access to back-end admin services? Is there a use case where users
>>>>>> might need to perform read-only operations on worker nodes?
>>>>>>
>>>>>
>>>>> @Kasun, Sameera:
>>>>> This may not be related to this thread, but why have we blocked access
>>>>> to worker node admin services? This prevents external clients from calling
>>>>> any admin services from outside the firewall, since in most production
>>>>> deployments we won't expose the management sub-domain outside the
>>>>> firewall.
>>>>> Are the assumptions that:
>>>>> 1. Admin services will not be exposed outside the firewall to be
>>>>> called by clients, even if they are *read-only*.
>>>>> 2. If it is a service exposed for a client outside the firewall, it
>>>>> should be a non-admin service, which, if it requires authentication and
>>>>> authorization, should do so by itself and not via the admin service
>>>>> declaration.
>>>>>
>>>>> BTW, I was thinking of AuthenticationAdmin, which is not an admin
>>>>> service. It does authentication and authorization from within the service,
>>>>> so the isWorkerNode() check is not done. So, good: external clients can
>>>>> actually call this service. Still, the management console login is failing
>>>>> as expected. I couldn't find the place where we do the check for
>>>>> AuthenticationAdmin. So I am thinking the login() operation is successful
>>>>> and the failure is because subsequent admin service calls from the
>>>>> management console are failing. I guess it's OK to have it like this :) .
>>>>> Thoughts?
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Aug 1, 2014 at 1:59 PM, Nipuni Perera <nip...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am working on JIRA issue [1]. I could reproduce the issue in a
>>>>>>> cluster with ELB, a manager node and a worker node using ESB 4.8.0. When a
>>>>>>> login attempt is triggered,
>>>>>>>
>>>>>>>    1. The login() method of AuthenticationAdmin.java (line 62 of [2])
>>>>>>>    sets boolean values for "isAuthenticated" and "isAuthorized".
>>>>>>>    2. Both values are set to true on the worker node (e.g. for an admin user
>>>>>>>    login attempt).
>>>>>>>    3. Initially the "isAuthenticated" value is set to true (line 101), due
>>>>>>>    to the return value of the authenticate() method in
>>>>>>>    AbstractUserStoreManager.java [3].
>>>>>>>    4. The authenticate() method does not check whether
>>>>>>>    CarbonUtils.isWorkerNode() is true or false.
>>>>>>>
>>>>>>> In order to fix the issue I can check the CarbonUtils.isWorkerNode()
>>>>>>> value in the login() method of AuthenticationAdmin.java as follows:
>>>>>>>
>>>>>>>       boolean isAuthenticated = CarbonUtils.isWorkerNode() ? false
>>>>>>>               : realm.getUserStoreManager().authenticate(username, password);
>>>>>>>
>>>>>>> or use the authenticate() method in AbstractUserStoreManager.java to
>>>>>>> check the isWorkerNode() value in an if condition. What would be the best
>>>>>>> option? Is there a better way to fix this?
>>>>>>>
>>>>> @Nipuni:
>>>>> Doing it in either place is wrong. UserStoreManagers are invoked
>>>>> through the CarbonContext API as well, so we cannot have it there.
>>>>> AuthenticationAdmin is only one authenticator; having it in there is also
>>>>> not optimal. Currently I think we do this check in AuthorizationHandler.
>>>>> Correct me if I am wrong. So there is no way to avoid this unless we just
>>>>> print one log after authentication and authorization.
>>>>>
>>>>> I guess for your problem you could just print another log along the
>>>>> lines of "you are not authorized to access a worker node", right after the
>>>>> successful login message, which at least gives an indication as to why it
>>>>> failed.
>>>>>
>>>>>>> [1] https://wso2.org/jira/browse/CARBON-14793
>>>>>>> [2]
>>>>>>> https://github.com/wso2-dev/carbon4-kernel/blob/master/core/org.wso2.carbon.core.services/src/main/java/org/wso2/carbon/core/services/authentication/AuthenticationAdmin.java
>>>>>>> [3]
>>>>>>> https://github.com/wso2-dev/carbon4-kernel/blob/master/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Nipuni
>>>>>>> --
>>>>>>> Nipuni Perera
>>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com
>>>>>>> Email: nip...@wso2.com
>>>>>>> Git hub profile: https://github.com/nipuni
>>>>>>> Mobile: +94 (71) 5626680
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> Dev@wso2.org
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Kasun Gajasinghe
>>>>>> Senior Software Engineer, WSO2 Inc.
>>>>>> email: kasung AT spamfree wso2.com
>>>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>>>> blog: http://kasunbg.org
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thanks & Regards,
>>>>>
>>>>> Johann Dilantha Nallathamby
>>>>> Associate Technical Lead & Product Lead of WSO2 Identity Server
>>>>> Integration Technologies Team
>>>>> WSO2, Inc.
>>>>> lean.enterprise.middleware
>>>>>
>>>>> Mobile - +94777776950
>>>>> Blog - http://nallaa.wordpress.com
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Afkham Azeez
>>> Director of Architecture; WSO2, Inc.; http://wso2.com
>>> Member; Apache Software Foundation; http://www.apache.org/
>>> email: az...@wso2.com
>>> cell: +94 77 3320919
>>> blog: http://blog.afkham.org
>>> twitter: http://twitter.com/afkham_azeez
>>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>>
>>> Lean . Enterprise . Middleware
>>>
>>
>

