Hi Huan,

What mechanism are you using for authentication to Fedora?

Thanks,
Nish


Nishen Naidoo
IT Projects Developer
Library IT
MACQUARIE UNIVERSITY NSW 2109

E-Mail: [email protected]
Phone:  +61 2 98506553
Mobile: +61 4 30006783
Fax:    +61 2 98507912
http://www.library.mq.edu.au/

CRICOS Provider No 00002J

This message is intended for the addressee named and may contain
confidential information. If you are not the intended recipient, please
delete it and notify the sender. Views expressed in this message are those
of the individual sender, and are not necessarily the views of Macquarie
University Library or Macquarie University.

Please consider the environment before printing this email.


-----Original Message-----
From: Huân Thebault [mailto:[email protected]] 
Sent: Wednesday, 2 June 2010 12:10 AM
To: fedora-commons-developers
Subject: Re: [Fedora-commons-developers] PEP Denying Access

Hi Nish

You're right, I don't have policies to allow anonymous access. But the real
problem is that I am NOT using anonymous access. I'm identifying myself as
"fedoraAdmin".

I attach a log file, corresponding to the following scenario:
        - 2010-06-01 15:51:48.726 : I go to "/fedora/objects" url. I am
prompted for authentication, I am authenticating myself as "fedoraAdmin"
        - I search "*", everything's fine, I've got results
        - I try to access an object called "CRDO-Aix:PYJ011"
        - I'm prompted for authentication, I give "fedoraAdmin" credentials,
but the HTTP basic auth. popup comes up again and again and again...
And as you can see in the logs, I'm then seen as "anonymous"



-----
Huân Thebault
Centre de Calcul de l'IN2P3
Development Team
Tel. Std                 +33 4 78 93 08 80







-----Original Message-----
From: Nishen Naidoo [mailto:[email protected]]
Sent: Tuesday, 1 June 2010 13:11
To: [email protected]; 'Huan Thebault'
Cc: 'fedora-commons-develop...@lists. sourceforge. net'
Subject: RE: [Fedora-commons-developers] PEP Denying Access

Hi Huan,

You probably don't have policies to allow anonymous access to resources. From
the request, it is identifying that there is no authenticated user trying to
access the item. For this to work you will need to add a policy to the
bootstrap policies to allow this.

Something like this might work:

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd
                            urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
        PolicyId="anonymous:readall"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Description>A policy to provide public users the ability to view all objects in the demo object collection</Description>
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>
      <Resource>
        <!-- to view everything under the resource collection -->
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/.*</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule Effect="Permit" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit"/>
</Policy>







Nishen Naidoo
IT Projects Developer
Library IT
MACQUARIE UNIVERSITY NSW 2109

E-Mail: [email protected]
Phone:  +61 2 98506553
Mobile: +61 4 30006783
Fax:    +61 2 98507912
http://www.library.mq.edu.au/

CRICOS Provider No 00002J

This message is intended for the addressee named and may contain
confidential information. If you are not the intended recipient, please
delete it and notify the sender. Views expressed in this message are those
of the individual sender, and are not necessarily the views of Macquarie
University Library or Macquarie University.

Please consider the environment before printing this email.
________________________________________
From: yf508 [[email protected]]
Sent: Tuesday, 1 June 2010 6:13 PM
To: 'Huan Thebault'
Cc: 'fedora-commons-develop...@lists. sourceforge. net'
Subject: Re: [Fedora-commons-developers] PEP Denying Access

>  Looking at sources, the "3" at last line means :
>  DECISION_NOT_APPLICABLE , which is an error (it should be :
>  DECISION_PERMIT, DECISION_INDETERMINATE, DECISION_DENY)

It seems to me that 'DECISION_NOT_APPLICABLE' means the required policy does
not exist - it's not an error state. So the problem you have might be
related to bootstrap policies (there are bootstrap policies in Fedora 2.x.
I'm not using Fedora 3.x so not sure whether there are some bootstrap ones
in 3.x).

Frank

---------------------------------
Dr. Yankui(Frank) Feng
Digital Library Systems Developer
The University of York
Heslington, York, YO10 5DD, UK
Tel: +44 (0) 1904-434507
Email: yf508 at york.ac.uk
---------------------------------
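Added example, not code from this thread or from the Fedora project: a small Python evaluator for the Target of a single XACML 2.0 policy, run against a constructed copy of the anonymous:readall policy Nishen posted above. It shows in code what Frank's point about DECISION_NOT_APPLICABLE means (no policy Target matched the request, which is different from a Deny) and what the posted policy actually grants. Everything outside the policy text is assumed: the request contexts are constructed, the resource-id values carry the leading "/" that the policy's regex expects, the api-m URI and the two action ids are assumed by analogy with the api-a value in the policy, the regexp match is implemented as an anchored whole-value match, and rule-level Target/Condition elements are not implemented.

```python
import re
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"

# Only the two match functions the posted policy uses. anyURI-regexp-match is done
# as an anchored whole-value match (assumption: XML Schema regexes are implicitly
# anchored; check what your PDP does).
MATCH_FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda pat, val: pat == val,
    "urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match":
        lambda pat, val: re.fullmatch(pat, val) is not None,
}

# Constructed copy of the anonymous:readall policy from the thread (schemaLocation and
# Description dropped; the evaluator does not read them).
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="anonymous:readall"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
 <Target>
  <Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
   <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
    DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </SubjectMatch></Subject></Subjects>
  <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/.*</AttributeValue>
   <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
    DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
  </ResourceMatch></Resource></Resources>
  <Actions>
   <Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
    <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api"
     DataType="http://www.w3.org/2001/XMLSchema#string"/>
   </ActionMatch></Action>
   <Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
    <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
     DataType="http://www.w3.org/2001/XMLSchema#string"/>
   </ActionMatch></Action>
  </Actions>
 </Target>
 <Rule Effect="Permit" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit"/>
</Policy>"""


def _match(match_el, request):
    """A *Match holds when the function is true for at least one value in the bag
    of the designated attribute; an attribute missing from the request is an empty bag."""
    fn = MATCH_FUNCTIONS[match_el.get("MatchId")]
    pattern = match_el.find("p:AttributeValue", NS).text
    designator = next(c for c in match_el if c.tag.endswith("AttributeDesignator"))
    category = designator.tag.split("}")[1].replace("AttributeDesignator", "").lower()
    return any(fn(pattern, v) for v in request.get((category, designator.get("AttributeId")), []))


def _target_matches(target, request):
    """Subjects, Resources and Actions must all match (AND). Inside a section the sibling
    Subject/Resource/Action elements are alternatives (OR), and the *Match elements
    within one alternative must all hold (AND)."""
    for section, item in (("Subjects", "Subject"), ("Resources", "Resource"), ("Actions", "Action")):
        sec = target.find(f"p:{section}", NS)
        if sec is None:  # an omitted section matches any request
            continue
        if not any(all(_match(m, request) for m in alt.findall(f"p:{item}Match", NS))
                   for alt in sec.findall(f"p:{item}", NS)):
            return False
    return True


def evaluate(policy_xml, request):
    """Return the decision string: Permit, Deny or NotApplicable. Rules are taken as
    unconditional (rule-level Target/Condition not implemented, an assumption of this
    example) and only permit-overrides combining is supported."""
    root = ET.fromstring(policy_xml)
    if root.get("RuleCombiningAlgId") != PERMIT_OVERRIDES:
        raise NotImplementedError("only permit-overrides is implemented here")
    target = root.find("p:Target", NS)
    if target is not None and not _target_matches(target, request):
        return "NotApplicable"  # no policy applies: the DECISION_NOT_APPLICABLE case
    effects = {rule.get("Effect") for rule in root.findall("p:Rule", NS)}
    return "Permit" if "Permit" in effects else "Deny" if "Deny" in effects else "NotApplicable"


# api-a is the value in the policy; api-m and the two action ids are assumed by analogy.
API_A = "urn:fedora:names:fedora:2.1:action:api-a"
API_M = "urn:fedora:names:fedora:2.1:action:api-m"
GET_PROFILE = "urn:fedora:names:fedora:2.1:action:id-getObjectProfile"
PURGE = "urn:fedora:names:fedora:2.1:action:id-purgeObject"


def fedora_request(subject_id, resource_id, api, action_id):
    """Request context as attribute bags keyed by (category, AttributeId); the ids are
    the ones the policy designates, the values are constructed for this example."""
    return {
        ("subject", "urn:oasis:names:tc:xacml:1.0:subject:subject-id"): [subject_id],
        ("resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id"): [resource_id],
        ("action", "urn:fedora:names:fedora:2.1:action:api"): [api],
        ("action", "urn:fedora:names:fedora:2.1:action:id"): [action_id],
    }


if __name__ == "__main__":
    for who, api, act in (("anonymous", API_A, GET_PROFILE), ("fedoraAdmin", API_A, GET_PROFILE),
                          ("anonymous", API_M, PURGE)):
        print(who, "->", evaluate(POLICY, fedora_request(who, "/CRDO-Aix:PYJ011", api, act)))
```

Two things worth checking against your own PDP with this: any subject other than "anonymous" falls through this one policy as NotApplicable, so authenticated users such as fedoraAdmin need a policy of their own (whether that is what Huân's PEP saw depends on which other policies are loaded), and because sibling Action elements are alternatives, a request satisfies this Target when either the api attribute equals api-a or the action id equals "read", not only when both hold.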


------------------------------------------------------------------------------

_______________________________________________
Fedora-commons-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
