This is an interesting test scenario :

/fedora/describe                                HTTP basic auth -- > ok
/fedora/objects                         ok      
/fedora/objects/[pid]                   HTTP basic auth -- > does not work

I then replace "objects" by "get" :
/fedora/get/[pid]                       ok

From there, I click on the given links :
/fedora/objects/[pid]/datastreams       ok
/fedora/objects/[pid]/versions  ok
/fedora/objects/[pid]/methods           ok
/fedora/objects/[pid]/objectXML If I just click on the link I've got :
"fedora/objects/CCIN2P3%253A7647/objectXML" which does not work, but if I
change it as "fedora/objects/CCIN2P3%3A7647/objectXML" it's ok


-----
Huân Thebault
Centre de Calcul de l'IN2P3
Development Team
Tel. Std                 +33 4 78 93 08 80
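
The `%253A` in the objectXML link above is the PID's colon percent-encoded twice (`:` becomes `%3A`, then `%3A` becomes `%253A`). As an added example, not part of the original message or of Fedora's own code, this Python sketch finds double-encoded segments in a REST path and rebuilds the single-encoded form. The helper names `encoding_layers` and `check_link` are hypothetical, and it assumes the PID contains no literal percent sign.

```python
import re
from urllib.parse import quote, unquote

# A percent sign that is itself percent-encoded and followed by two hex
# digits (e.g. "%253A") is the signature of a value that was encoded twice.
DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")

# The two links quoted in the message above.
SAMPLE_LINKS = [
    "fedora/objects/CCIN2P3%253A7647/objectXML",
    "fedora/objects/CCIN2P3%3A7647/objectXML",
]


def encoding_layers(segment, limit=5):
    """Return every form obtained by repeatedly decoding one path segment."""
    forms = [segment]
    while len(forms) <= limit:
        decoded = unquote(forms[-1])
        if decoded == forms[-1]:      # nothing left to decode
            break
        forms.append(decoded)
    return forms


def check_link(path):
    """Return (corrected_path, findings) for a REST path.

    findings lists (segment, number_of_encoding_layers) for each segment
    that was encoded more than once. Assumption: the decoded value holds
    no literal '%', so full decoding followed by one encoding is safe.
    """
    findings, fixed = [], []
    for seg in path.split("/"):
        if DOUBLE_ENCODED.search(seg):
            forms = encoding_layers(seg)
            findings.append((seg, len(forms) - 1))
            seg = quote(forms[-1], safe="")   # encode exactly once
        fixed.append(seg)
    return "/".join(fixed), findings


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        corrected, found = check_link(link)
        print(link, "->", corrected, found)
```
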


-----Original Message-----
From: Steve Bayliss [mailto:[email protected]] 
Sent: Thursday, 3 June 2010 10:56
To: 'Huân Thebault'; 'fedora-commons-developers'
Subject: RE: [Fedora-commons-developers] PEP Denying Access

Hi Huân

When you get to the URL for the object, where you're prompted to
authenticate, what's the actual URL at this point?  Is it the old-style
API-LITE URL of the form /fedora/get/{pid} or is it the new REST-API form
/fedora/objects/{pid}?

Whichever it is, could you try the alternative form and report if you get
the same problem with both URLs?

Regards
Steve

> -----Original Message-----
> From: Huân Thebault [mailto:[email protected]] 
> Sent: 02 June 2010 15:54
> To: fedora-commons-developers
> Subject: Re: [Fedora-commons-developers] PEP Denying Access
> 
> 
> Hello
> 
> I have apia.auth.required=false
> So I changed datastreamContentDispositionInlineEnabled to false, restarted
> fedora, but still the same error, with the same logs...
> 
> Here is my install.properties (without usernames / passwords) :
> 
> #Install Options
> #Wed May 26 11:32:20 CEST 2010
> ri.enabled=false
> messaging.enabled=false
> apia.auth.required=false
> database.jdbcDriverClass=org.postgresql.Driver
> database.postgresql.jdbcDriverClass=org.postgresql.Driver
> ssl.available=false
> database.jdbcURL=jdbc\:postgresql\://ccpgsql.in2p3.fr/*****
> database.password=******
> fesl.dbxml.home=/home/fedora_dev/dbxml-2.5.13
> database.username=******
> fesl.authz.enabled=true
> tomcat.shutdown.port=8006
> database.postgresql.driver=included
> deploy.local.services=true
> xacml.enabled=false
> tomcat.http.port=8091
> fedora.serverHost=ccsvli38.in2p3.fr
> database=postgresql
> database.driver=included
> fedora.serverContext=fedora
> tomcat.home=/home/fedora_dev/fedora-commons/tomcat
> fesl.authn.enabled=true
> fedora.home=/home/fedora_dev/fedora-commons
> install.type=custom
> database.postgresql.jdbcURL=jdbc\:postgresql\://ccpgsql.in2p3.fr/*****
> servlet.engine=included
> fedora.admin.pass=*******
> 
> Thanks for your help
> 
> -----
> Huân Thebault
> Centre de Calcul de l'IN2P3
> Development Team
> Tel. Std               +33 4 78 93 08 80
> 
> 
> 
> -----Original Message-----
> From: Edwin Shin [mailto:[email protected]] 
> Sent: Wednesday, 2 June 2010 08:42
> To: fedora-dev
> Subject: Re: [Fedora-commons-developers] PEP Denying Access
> 
> Huân, 
> 
> When you installed fedora, did you require authentication for API-A? (you
> can check $FEDORA_HOME/install/install.properties for the value of
> apia.auth.required). If it's false, then try applying the workaround Steve
> suggested below. If it's true, then FCREPO-703 doesn't apply in case.
> 
> The policy log messages suggest you're not authenticated, but on the other
> hand you reported that you were prompted for authentication, so I'm not sure
> what's going on there.
> 
> Actually, you might as well post your install.properties file (stripping out
> the passwords for fedoraAdmin, the database or anything else you feel is
> sensitive). Then maybe one of us can try duplicating the issue with your
> settings locally. Not sure if I'll have a chance in the next couple of days
> but perhaps Steve or Nish might.
> 
> Eddie
> 
> On 1 Jun 2010, at 5:11 PM, Steve Bayliss wrote:
> 
> > Could it be possible that this is related to
> > https://fedora-commons.org/jira/browse/FCREPO-703 ?
> > 
> > Huân, to see if this is the case, you could modify fedora.fcfg and change
> > the parameter datastreamContentDispositionInlineEnabled to false to verify
> > if this is the case.
> > 
> > Regards
> > Steve
> > 
> >> -----Original Message-----
> >> From: Huân Thebault [mailto:[email protected]] 
> >> Sent: 01 June 2010 15:10
> >> To: fedora-commons-developers
> >> Subject: Re: [Fedora-commons-developers] PEP Denying Access
> >> 
> >> 
> >> Hi Nish
> >> 
> >> You're right, I don't have policies to allow anonymous access. But the real
> >> problem is that I am NOT using anonymous access. I'm identifying myself as
> >> "fedoraAdmin".
> >> 
> >> I attach a log file, corresponding to the following scenario :
> >>    - 2010-06-01 15:51:48.726 : I go to "/fedora/objects" url. I am
> >> prompted for authentication, I am authenticating myself as "fedoraAdmin"
> >>    - I search "*", everything's fine, I've got results
> >>    - I try to access an object called "CRDO-Aix:PYJ011"
> >>    - I'm prompted for authentication, I give "fedoraAdmin" credentials,
> >> but the HTTP basic auth. popup comes up again and again and again...
> >> And as you can see in logs, I'm then seen as "anonymous"
> >> 
> >> 
> >> 
> >> -----
> >> Huân Thebault
> >> Centre de Calcul de l'IN2P3
> >> Development Team
> >> Tel. Std            +33 4 78 93 08 80
> >> 
> >> 
> >> 
> >> 
> >> 
> >> 
> >> 
> >> -----Original Message-----
> >> From: Nishen Naidoo [mailto:[email protected]] 
> >> Sent: Tuesday, 1 June 2010 13:11
> >> To: [email protected]; 'Huan Thebault'
> >> Cc: 'fedora-commons-develop...@lists. sourceforge. net'
> >> Subject: RE: [Fedora-commons-developers] PEP Denying Access
> >> 
> >> Hi Huan,
> >> 
> >> You probably don't have policies to allow anonymous access to resources. From
> >> the request, it is identifying that there is no authenticated user trying to
> >> access the item. For this to work you will need to add a policy to the
> >> bootstrap policies to allow this.
> >> 
> >> Something like this might work:
> >> 
> >> <?xml version="1.0" encoding="UTF-8"?>
> >> <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
> >>   xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
> >>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >>   xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
> >>     http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd
> >>     urn:oasis:names:tc:xacml:2.0:context:schema:os
> >>     http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
> >>   PolicyId="anonymous:readall"
> >>   RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
> >> <Description>A policy to provide public users the ability to view all objects in the demo object collection</Description>
> >> <Target>
> >>  <Subjects>
> >>   <Subject>
> >>    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
> >>     <SubjectAttributeDesignator
> >>       AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
> >>       DataType="http://www.w3.org/2001/XMLSchema#string" />
> >>    </SubjectMatch>
> >>   </Subject>
> >>  </Subjects>
> >>  <Resources>
> >>   <Resource>
> >>    <!-- to view everything under the resource collection -->
> >>    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
> >>     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/.*</AttributeValue>
> >>     <ResourceAttributeDesignator
> >>       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
> >>       DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
> >>    </ResourceMatch>
> >>   </Resource>
> >>  </Resources>
> >>  <Actions>
> >>   <Action>
> >>    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
> >>     <ActionAttributeDesignator
> >>       AttributeId="urn:fedora:names:fedora:2.1:action:api"
> >>       DataType="http://www.w3.org/2001/XMLSchema#string" />
> >>    </ActionMatch>
> >>   </Action>
> >>   <Action>
> >>    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
> >>     <ActionAttributeDesignator
> >>       AttributeId="urn:fedora:names:fedora:2.1:action:id"
> >>       DataType="http://www.w3.org/2001/XMLSchema#string" />
> >>    </ActionMatch>
> >>   </Action>
> >>  </Actions>
> >> </Target>
> >> <Rule Effect="Permit"
> >>   RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit"/>
> >> </Policy>
> >> 
> >> 
> >> 
> >> 
> >> 
> >> 
> >> 
> >> Nishen Naidoo
> >> IT Projects Developer
> >> Library IT
> >> MACQUARIE UNIVERSITY NSW 2109
> >> 
> >> E-Mail: [email protected]
> >> Phone:  +61 2 98506553
> >> Mobile: +61 4 30006783
> >> Fax:    +61 2 98507912
> >> http://www.library.mq.edu.au/
> >> 
> >> CRICOS Provider No 00002J
> >> 
> >> ________________________________________
> >> From: yf508 [[email protected]]
> >> Sent: Tuesday, 1 June 2010 6:13 PM
> >> To: 'Huan Thebault'
> >> Cc: 'fedora-commons-develop...@lists. sourceforge. net'
> >> Subject: Re: [Fedora-commons-developers] PEP Denying Access
> >> 
> >>> Looking at sources, the "3" at last line means :
> >>> DECISION_NOT_APPLICABLE , which is an error (it should be :
> >>> DECISION_PERMIT, DECISION_INDETERMINATE, DECISION_DENY)
> >> 
> >> It seems to me that 'DECISION_NOT_APPLICABLE' means the required policy does
> >> not exist - it's not an error state. So the problem you have might be
> >> related to bootstrap policies (there are bootstrap policies in Fedora 2.x.
> >> I'm not using Fedora 3.x so not sure whether there are some bootstrap ones
> >> in 3.x).
> >> 
> >> Frank
> >> 
> >> ---------------------------------
> >> Dr. Yankui(Frank) Feng
> >> Digital Library Systems Developer
> >> The University of York
> >> Heslington, York, YO10 5DD, UK
> >> Tel: +44 (0) 1904-434507
> >> Email: yf508 at york.ac.uk
> >> ---------------------------------
> >> 
> >> 
> >> 
> >> _______________________________________________
> >> Fedora-commons-developers mailing list
> >> [email protected]
> >> https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
> >> 



