Hi Richard

The active policies (generated on first-time installation/startup from the
directory you found below) are under

$FEDORA_HOME/fedora-xacml-policies (then under repository-policies/default)

So try modifying the policy there (and then reloading) - in fact you could
simply delete this policy to see if it is causing the problem.

Steve

> -----Original Message-----
> From: Richard Jones [mailto:[email protected]] 
> Sent: 22 June 2010 11:48
> To: Steve Bayliss
> Cc: [email protected]
> Subject: Re: [Fedora-commons-developers] Authorisation Error using API
> 
> 
> Hi Steve,
> 
> Ah, interesting, thanks for that; didn't know about this - found the file:
> 
> fed...@fedora:~/fedora-dev/fedora-32/server$ find . | grep deny
> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-reloadPolicies-if-not-localhost.xml
> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-datastream-if-active-or-inactive.xml
> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-serverShutdown-if-not-localhost.xml
> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-policy-management-if-not-administrator.xml
> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-apim-if-not-localhost.xml
> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-inactive-or-deleted-objects-or-datastreams-if-not-administrator.xml
> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-object-if-active-or-inactive.xml
> 
> Is this the correct one?  It seems fairly hidden away; perhaps there's
> somewhere else I should be editing these policies?
> 
> Anyway, I have removed the policy file completely (for the purposes of
> testing) and run the fedora-reload-policies tool:
> 
> fed...@fedora:~/fedora-dev/fedora-32/server$ find . | grep deny
> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-reloadPolicies-if-not-localhost.xml
> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-datastream-if-active-or-inactive.xml
> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-serverShutdown-if-not-localhost.xml
> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-policy-management-if-not-administrator.xml
> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-inactive-or-deleted-objects-or-datastreams-if-not-administrator.xml
> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-object-if-active-or-inactive.xml
> 
> fed...@fedora:~/fedora-dev/fedora-32/server/bin$ ./fedora-reload-policies.sh http fedoraAdmin *****
> SUCCESS: Policies have been reloaded
> 
> but am still seeing exactly the same results.
> 
> I then tried modifying the deny-apim-if-not-localhost.xml, 
> changing the 
> Apply rules as follows:
> 
> <Rule RuleId="1" Effect="Deny">
>     <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
>         <!-- Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>           <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress" DataType="http://www.w3.org/2001/XMLSchema#string"/>
>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
>           </Apply>
>         </Apply -->
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</AttributeValue>
>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>             <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress" DataType="http://www.w3.org/2001/XMLSchema#string"/>
>           </Apply>
>         </Apply>
>       </Apply>
>     </Condition>
>   </Rule>
> 
> I believe, from the documentation in the file, that this should mean
> that any IP address which matches the regular expression .* (so, all of
> them) will be permitted to access the API.  This approach also failed.
> 
> I tried also restarting tomcat after policy reloads, without effect.
> 
> Any thoughts?
> 
> Cheers,
> 
> Richard
> 
> 
> Steve Bayliss wrote:
> > Hi Richard
> >
> > You don't by any chance have the deny-apim-if-not-localhost.xml policy on
> > the new machine?  This policy will (unedited) prevent API-M access unless
> > you're accessing Fedora from the same machine on which it is installed.
> >
> > Regards
> > Steve
> >
> >   
> >> -----Original Message-----
> >> From: Richard Jones [mailto:[email protected]] 
> >> Sent: 21 June 2010 15:24
> >> To: [email protected]
> >> Subject: [Fedora-commons-developers] Authorisation Error using API
> >>
> >>
> >> Hi Folks,
> >>
> >> I'm having a bizarre problem with my Fedora 3.2.  I've been using the
> >> desktop admin client to create objects in the repository, and today I
> >> have moved my fedora repository onto another machine.  Now when I
> >> attempt to create new objects through both the SOAP (using the desktop
> >> client) and the REST APIs I get these AuthzDeniedExceptions.  I have
> >> used the desktop client to successfully authenticate onto the Fedora
> >> instance, and I can perform READ operations such as search and retrieve,
> >> but when I ask it to create a new object I get this error in the logs.
> >>
> >> Any suggestions?
> >>
> >> Cheers,
> >>
> >> Richard
> >>
> >>
> >> ERROR 2010-06-21 14:18:06.793 [http-8080-Processor24] (FedoraAPIMBindingSOAPHTTPImpl) Error getting next PID
> >> fedora.server.errors.authorization.AuthzDeniedException:
> >>     at fedora.server.security.PolicyEnforcementPoint.enforce(PolicyEnforcementPoint.java:457)
> >>     at fedora.server.security.DefaultAuthorization.enforceGetNextPid(DefaultAuthorization.java:637)
> >>     at fedora.server.management.DefaultManagement.getNextPID(DefaultManagement.java:1181)
> >>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>     at java.lang.reflect.Method.invoke(Method.java:616)
> >>     at fedora.server.messaging.NotificationInvocationHandler.invoke(NotificationInvocationHandler.java:92)
> >>     at $Proxy0.getNextPID(Unknown Source)
> >>     at fedora.server.management.ManagementModule.getNextPID(ManagementModule.java:323)
> >>     at fedora.server.management.FedoraAPIMBindingSOAPHTTPImpl.getNextPID(FedoraAPIMBindingSOAPHTTPImpl.java:507)
> >>     at fedora.server.management.FedoraAPIMBindingSOAPHTTPSkeleton.getNextPID(FedoraAPIMBindingSOAPHTTPSkeleton.java:432)
> >>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>     at java.lang.reflect.Method.invoke(Method.java:616)
> >>     at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:397)
> >>     at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:186)
> >>     at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
> >>     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> >>     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> >>     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> >>     at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
> >>     at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
> >>     at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> >>     at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> >>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> >>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> >>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> >>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> >>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> >>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> >>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
> >>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
> >>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> >>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> >>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> >>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
> >>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
> >>     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
> >>     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
> >>     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
> >>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
> >>     at java.lang.Thread.run(Thread.java:636)
> >>
> >> Cheers,
> >>
> >> Richard
> >>
> >> -- 
> >> Richard Jones
> >> Head of Repository Systems, Symplectic Limited
> >> e: [email protected]
> >> t: 0845 026 4755
> >> t: +44 (0)207 7334036
> >> w: http://www.symplectic.co.uk/
> >>
> >>
> 
> 
> -- 
> Richard Jones
> Head of Repository Systems, Symplectic Limited
> e: [email protected]
> t: 0845 026 4755
> t: +44 (0)207 7334036
> w: http://www.symplectic.co.uk/
> 
> 


_______________________________________________
Fedora-commons-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
