Correction:

$FEDORA_HOME/data/fedora-xacml-policies

apologies!


> -----Original Message-----
> From: Steve Bayliss [mailto:[email protected]] 
> Sent: 22 June 2010 12:03
> To: 'Richard Jones'
> Cc: [email protected]
> Subject: Re: [Fedora-commons-developers] Authorisation Error using API
> 
> 
> Hi Richard
> 
> The active policies (generated on first-time installation/startup from the
> directory you found below) are under
> 
> $FEDORA_HOME/fedora-xacml-policies (then under repository-policies/default)
> 
> So try modifying the policy there (and then reloading) - in fact you could
> simply delete this policy to see if it is causing the problem.
> 
> Steve
> 
> > -----Original Message-----
> > From: Richard Jones [mailto:[email protected]] 
> > Sent: 22 June 2010 11:48
> > To: Steve Bayliss
> > Cc: [email protected]
> > Subject: Re: [Fedora-commons-developers] Authorisation Error using API
> > 
> > 
> > Hi Steve,
> > 
> > Ah, interesting, thanks for that; didn't know about this - found the file:
> > 
> > fed...@fedora:~/fedora-dev/fedora-32/server$ find . | grep deny
> > ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-reloadPolicies-if-not-localhost.xml
> > ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-datastream-if-active-or-inactive.xml
> > ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-serverShutdown-if-not-localhost.xml
> > ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-policy-management-if-not-administrator.xml
> > ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-apim-if-not-localhost.xml
> > ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-inactive-or-deleted-objects-or-datastreams-if-not-administrator.xml
> > ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-object-if-active-or-inactive.xml
> > 
> > is this the correct one?  It seems fairly hidden away, perhaps there's
> > somewhere else I should be editing these policies?
> > 
> > Anyway, I have removed the policy file completely (for the purposes of
> > testing) and run the fedora-reload-policies tool:
> > 
> > fed...@fedora:~/fedora-dev/fedora-32/server$ find . | grep deny
> > ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-reloadPolicies-if-not-localhost.xml
> > ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-datastream-if-active-or-inactive.xml
> > ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-serverShutdown-if-not-localhost.xml
> > ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-policy-management-if-not-administrator.xml
> > ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-inactive-or-deleted-objects-or-datastreams-if-not-administrator.xml
> > ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-object-if-active-or-inactive.xml
> > 
> > fed...@fedora:~/fedora-dev/fedora-32/server/bin$ ./fedora-reload-policies.sh http fedoraAdmin *****
> > SUCCESS: Policies have been reloaded
> > 
> > but am still seeing exactly the same results.
> > 
> > I then tried modifying the deny-apim-if-not-localhost.xml, changing the
> > Apply rules as follows:
> > 
> > <Rule RuleId="1" Effect="Deny">
> >     <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
> >       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
> >         <!-- Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
> >           <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress" DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
> >             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
> >           </Apply>
> >         </Apply -->
> >         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
> >           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</AttributeValue>
> >           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
> >             <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress" DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >           </Apply>
> >         </Apply>
> >       </Apply>
> >     </Condition>
> >   </Rule>
> > 
> > I believe, from the documentation in the file, that this should mean
> > that any IP address which matches the regular expression .* (so, all of
> > them) will be permitted to access the API.  This approach also failed.
> > 
> > I tried also restarting tomcat after policy reloads, without effect.
> > 
> > Any thoughts?
> > 
> > Cheers,
> > 
> > Richard
> > 
> > 
> > Steve Bayliss wrote:
> > > Hi Richard
> > >
> > > You don't by any chance have the deny-apim-if-not-localhost.xml policy on
> > > the new machine?  This policy will (unedited) prevent API-M access unless
> > > you're accessing Fedora from the same machine on which it is installed.
> > >
> > > Regards
> > > Steve
> > >
> > >   
> > >> -----Original Message-----
> > >> From: Richard Jones [mailto:[email protected]] 
> > >> Sent: 21 June 2010 15:24
> > >> To: [email protected]
> > >> Subject: [Fedora-commons-developers] Authorisation Error using API
> > >>
> > >>
> > >> Hi Folks,
> > >>
> > >> I'm having a bizarre problem with my Fedora 3.2.  I've been using the
> > >> desktop admin client to create objects in the repository, and today I
> > >> have moved my fedora repository onto another machine.  Now when I
> > >> attempt to create new objects through both the SOAP (using the desktop
> > >> client) or the REST API's I get these AuthzDeniedExceptions.  I have
> > >> used the desktop client to successfully authenticate onto the Fedora
> > >> instance, and I can perform READ operations such as search and retrieve,
> > >> but when I ask it to create a new object I get this error in the logs.
> > >>
> > >> Any suggestions?
> > >>
> > >> Cheers,
> > >>
> > >> Richard
> > >>
> > >>
> > >> ERROR 2010-06-21 14:18:06.793 [http-8080-Processor24] (FedoraAPIMBindingSOAPHTTPImpl) Error getting next PID
> > >> fedora.server.errors.authorization.AuthzDeniedException:
> > >>     at fedora.server.security.PolicyEnforcementPoint.enforce(PolicyEnforcementPoint.java:457)
> > >>     at fedora.server.security.DefaultAuthorization.enforceGetNextPid(DefaultAuthorization.java:637)
> > >>     at fedora.server.management.DefaultManagement.getNextPID(DefaultManagement.java:1181)
> > >>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > >>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > >>     at java.lang.reflect.Method.invoke(Method.java:616)
> > >>     at fedora.server.messaging.NotificationInvocationHandler.invoke(NotificationInvocationHandler.java:92)
> > >>     at $Proxy0.getNextPID(Unknown Source)
> > >>     at fedora.server.management.ManagementModule.getNextPID(ManagementModule.java:323)
> > >>     at fedora.server.management.FedoraAPIMBindingSOAPHTTPImpl.getNextPID(FedoraAPIMBindingSOAPHTTPImpl.java:507)
> > >>     at fedora.server.management.FedoraAPIMBindingSOAPHTTPSkeleton.getNextPID(FedoraAPIMBindingSOAPHTTPSkeleton.java:432)
> > >>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > >>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > >>     at java.lang.reflect.Method.invoke(Method.java:616)
> > >>     at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:397)
> > >>     at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:186)
> > >>     at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
> > >>     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> > >>     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> > >>     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> > >>     at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
> > >>     at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
> > >>     at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
> > >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> > >>     at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
> > >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> > >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
> > >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> > >>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
> > >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> > >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> > >>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
> > >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> > >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> > >>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
> > >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> > >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> > >>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
> > >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> > >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> > >>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
> > >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> > >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> > >>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> > >>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
> > >>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
> > >>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> > >>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> > >>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> > >>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
> > >>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
> > >>     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
> > >>     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
> > >>     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
> > >>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
> > >>     at java.lang.Thread.run(Thread.java:636)
> > >>
> > >> Cheers,
> > >>
> > >> Richard
> > >>
> > >> -- 
> > >> Richard Jones
> > >> Head of Repository Systems, Symplectic Limited
> > >> e: [email protected]
> > >> t: 0845 026 4755
> > >> t: +44 (0)207 7334036
> > >> w: http://www.symplectic.co.uk/
> > >>
> > >>
> > >> ------------------------------------------------------------------------------
> > >> ThinkGeek and WIRED's GeekDad team up for the Ultimate
> > >> GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
> > >> lucky parental unit.  See the prize list and enter to win:
> > >> http://p.sf.net/sfu/thinkgeek-promo
> > >> _______________________________________________
> > >> Fedora-commons-developers mailing list
> > >> [email protected]
> > >> https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
> > >>
> > >>     
> > >
> > >
> > >   
> > 
> > 
> > -- 
> > Richard Jones
> > Head of Repository Systems, Symplectic Limited
> > e: [email protected]
> > t: 0845 026 4755
> > t: +44 (0)207 7334036
> > w: http://www.symplectic.co.uk/
> > 
> > 
> 
> 
> 


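A way to check which copy of a policy Fedora will actually load, as an added example that is not part of the original messages. The active directory is the one given in the correction at the top of the thread; the function names are hypothetical, and the sample tree (including the placement of server/ under $FEDORA_HOME) is constructed.

```shell
#!/bin/sh
# Added example. Layout follows the thread; function names are hypothetical.

POLICY=deny-apim-if-not-localhost.xml

# Directory the active policies live in (per the correction in this thread).
active_policy_dir() {
    printf '%s\n' "$1/data/fedora-xacml-policies/repository-policies/default"
}

# Print "active <path>" or "template <path>" for every copy of $POLICY under $1.
list_policy_copies() {
    active=$(active_policy_dir "$1")
    find "$1" -type f -name "$POLICY" | sort | while IFS= read -r path; do
        case $path in
            "$active"/*) printf 'active %s\n' "$path" ;;
            *)           printf 'template %s\n' "$path" ;;
        esac
    done
}

# Exit status 0 while a copy remains in the active directory.
policy_is_active() {
    list_policy_copies "$1" | grep -q '^active '
}

# Constructed sample tree: one install-time template and one active copy.
# Assumption: server/ sits directly under $FEDORA_HOME.
make_sample_tree() {
    root=$(mktemp -d)
    tpl="$root/server/fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0"
    mkdir -p "$tpl" "$(active_policy_dir "$root")"
    echo '<Policy/>' > "$tpl/$POLICY"
    echo '<Policy/>' > "$(active_policy_dir "$root")/$POLICY"
    printf '%s\n' "$root"
}

# Remove only the template, as was done in the thread: the active copy remains.
demo_root=$(make_sample_tree)
rm "$demo_root/server/fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/$POLICY"
list_policy_copies "$demo_root"
rm -rf "$demo_root"
```

On a real installation, call list_policy_copies "$FEDORA_HOME" before and after an edit, then reload policies with the fedora-reload-policies tool shown in the thread.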