Hi Steve,

Great, thanks for that - deleting the policy file and reloading the 
policies works perfectly.

Cheers,

Richard


Steve Bayliss wrote:
> Hi Richard
>
> The active policies (generated on first-time installation/startup from the
> directory you found below) are under
>
> $FEDORA_HOME/fedora-xacml-policies (then under repository-policies/default)
>
> So try modifying the policy there (and then reloading) - in fact you could
> simply delete this policy to see if it is causing the problem.
>
> Steve
>
>> -----Original Message-----
>> From: Richard Jones [mailto:[email protected]]
>> Sent: 22 June 2010 11:48
>> To: Steve Bayliss
>> Cc: [email protected]
>> Subject: Re: [Fedora-commons-developers] Authorisation Error using API
>>
>>
>> Hi Steve,
>>
>> Ah, interesting, thanks for that; didn't know about this -
>> found the file:
>>
>> fed...@fedora:~/fedora-dev/fedora-32/server$ find . | grep deny
>> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-reloadPolicies-if-not-localhost.xml
>> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-datastream-if-active-or-inactive.xml
>> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-serverShutdown-if-not-localhost.xml
>> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-policy-management-if-not-administrator.xml
>> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-apim-if-not-localhost.xml
>> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-inactive-or-deleted-objects-or-datastreams-if-not-administrator.xml
>> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-object-if-active-or-inactive.xml
>>
>> is this the correct one?  It seems fairly hidden away, perhaps there's
>> somewhere else I should be editing these policies?
>>
>> Anyway, I have removed the policy file completely (for the purposes of
>> testing) and run the fedora-reload-policies tool:
>>
>> fed...@fedora:~/fedora-dev/fedora-32/server$ find . | grep deny
>> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-reloadPolicies-if-not-localhost.xml
>> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-datastream-if-active-or-inactive.xml
>> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-serverShutdown-if-not-localhost.xml
>> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-policy-management-if-not-administrator.xml
>> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-apim-if-not-localhost.xml
>> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-inactive-or-deleted-objects-or-datastreams-if-not-administrator.xml
>> ./fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/deny-purge-object-if-active-or-inactive.xml
>>
>> fed...@fedora:~/fedora-dev/fedora-32/server/bin$ ./fedora-reload-policies.sh http fedoraAdmin *****
>> SUCCESS: Policies have been reloaded
>>
>> but am still seeing exactly the same results.
>>
>> I then tried modifying the deny-apim-if-not-localhost.xml, changing the
>> Apply rules as follows:
>>
>> <Rule RuleId="1" Effect="Deny">
>>     <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
>>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
>>         <!-- Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>>           <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress" DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
>>           </Apply>
>>         </Apply -->
>>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</AttributeValue>
>>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>>             <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress" DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>           </Apply>
>>         </Apply>
>>       </Apply>
>>     </Condition>
>>   </Rule>
>>
>> I believe, from the documentation in the file, that this should mean
>> that any IP address which matches the regular expression .* (so, all of
>> them) will be permitted to access the API.  This approach also failed.
>>
>> I tried also restarting tomcat after policy reloads, without effect.
>>
>> Any thoughts?
>>
>> Cheers,
>>
>> Richard
>>
>>
>> Steve Bayliss wrote:
>>> Hi Richard
>>>
>>> You don't by any chance have the deny-apim-if-not-localhost.xml policy on
>>> the new machine?  This policy will (unedited) prevent API-M access unless
>>> you're accessing Fedora from the same machine on which it is installed.
>>>
>>> Regards
>>> Steve
>>>
>>>
>>>> -----Original Message-----
>>>> From: Richard Jones [mailto:[email protected]]
>>>> Sent: 21 June 2010 15:24
>>>> To: [email protected]
>>>> Subject: [Fedora-commons-developers] Authorisation Error using API
>>>>
>>>>
>>>> Hi Folks,
>>>>
>>>> I'm having a bizarre problem with my Fedora 3.2.  I've been using the
>>>> desktop admin client to create objects in the repository, and today I
>>>> have moved my fedora repository onto another machine.  Now when I
>>>> attempt to create new objects through both the SOAP (using the desktop
>>>> client) or the REST API's I get these AuthzDeniedExceptions.  I have
>>>> used the desktop client to successfully authenticate onto the Fedora
>>>> instance, and I can perform READ operations such as search and retrieve,
>>>> but when I ask it to create a new object I get this error in the logs.
>>>> Any suggestions?
>>>>
>>>> Cheers,
>>>>
>>>> Richard
>>>>
>>>>
>>>> ERROR 2010-06-21 14:18:06.793 [http-8080-Processor24] (FedoraAPIMBindingSOAPHTTPImpl) Error getting next PID
>>>> fedora.server.errors.authorization.AuthzDeniedException:
>>>>     at fedora.server.security.PolicyEnforcementPoint.enforce(PolicyEnforcementPoint.java:457)
>>>>     at fedora.server.security.DefaultAuthorization.enforceGetNextPid(DefaultAuthorization.java:637)
>>>>     at fedora.server.management.DefaultManagement.getNextPID(DefaultManagement.java:1181)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>     at java.lang.reflect.Method.invoke(Method.java:616)
>>>>     at fedora.server.messaging.NotificationInvocationHandler.invoke(NotificationInvocationHandler.java:92)
>>>>     at $Proxy0.getNextPID(Unknown Source)
>>>>     at fedora.server.management.ManagementModule.getNextPID(ManagementModule.java:323)
>>>>     at fedora.server.management.FedoraAPIMBindingSOAPHTTPImpl.getNextPID(FedoraAPIMBindingSOAPHTTPImpl.java:507)
>>>>     at fedora.server.management.FedoraAPIMBindingSOAPHTTPSkeleton.getNextPID(FedoraAPIMBindingSOAPHTTPSkeleton.java:432)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>     at java.lang.reflect.Method.invoke(Method.java:616)
>>>>     at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:397)
>>>>     at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:186)
>>>>     at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
>>>>     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>>>>     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>>>>     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>>>>     at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
>>>>     at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
>>>>     at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
>>>>     at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>>>>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>>>>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>>>>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>>>>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>>>>     at fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:256)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
>>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
>>>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
>>>>     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
>>>>     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
>>>>     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
>>>>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
>>>>     at java.lang.Thread.run(Thread.java:636)
>>>>
>>>> Cheers,
>>>>
>>>> Richard
>>>>


-- 
Richard Jones
Head of Repository Systems, Symplectic Limited
e: [email protected]
t: 0845 026 4755
t: +44 (0)207 7334036
w: http://www.symplectic.co.uk/


------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate 
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Fedora-commons-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
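To show concretely what the deny-apim-if-not-localhost rule discussed in this thread decides for a given client address, here is an added example that is not part of the thread or of Fedora's own code: a toy evaluator (not the Sun XACML PDP that Fedora uses) covering only the XACML 1.0 functions the rule uses, run against constructed stand-ins for the shipped rule and for the regexp-string-match variant Richard tried.

```python
# Added example (not Fedora's code): toy XACML evaluator for deny-apim-if-not-localhost.xml.
import re
import xml.etree.ElementTree as ET

F = "urn:oasis:names:tc:xacml:1.0:function:"
CLIENT_IP = "urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
STR = "http://www.w3.org/2001/XMLSchema#string"
DESIGNATOR = f'<EnvironmentAttributeDesignator AttributeId="{CLIENT_IP}" DataType="{STR}"/>'

# Constructed stand-ins: the shipped rule (from the commented-out block) and the regexp variant.
ORIGINAL_RULE = f"""<Rule RuleId="1" Effect="Deny">
 <Condition FunctionId="{F}not">
  <Apply FunctionId="{F}string-at-least-one-member-of">
   {DESIGNATOR}
   <Apply FunctionId="{F}string-bag"><AttributeValue DataType="{STR}">127.0.0.1</AttributeValue></Apply>
  </Apply></Condition></Rule>"""
MODIFIED_RULE = f"""<Rule RuleId="1" Effect="Deny">
 <Condition FunctionId="{F}not"><Apply FunctionId="{F}or">
  <Apply FunctionId="{F}regexp-string-match">
   <AttributeValue DataType="{STR}">.*</AttributeValue>
   <Apply FunctionId="{F}string-one-and-only">{DESIGNATOR}</Apply>
  </Apply></Apply></Condition></Rule>"""

def one_and_only(bag):
    if len(bag) != 1:                      # a real PDP would return Indeterminate here
        raise ValueError("string-one-and-only needs a bag of exactly one value")
    return bag[0]

FUNCS = {                                  # bags are plain Python lists
    "not": lambda a: not a[0],
    "or": lambda a: any(a),
    "string-bag": lambda a: list(a),
    "string-at-least-one-member-of": lambda a: bool(set(a[0]) & set(a[1])),
    "string-one-and-only": lambda a: one_and_only(a[0]),
    "regexp-string-match": lambda a: re.search(a[0], a[1]) is not None,  # anchoring varies by PDP
}

def evaluate(node, env):
    """Evaluate a Condition/Apply subtree; ElementTree drops XML comments, as the PDP ignores them."""
    if node.tag == "AttributeValue":
        return node.text or ""
    if node.tag == "EnvironmentAttributeDesignator":
        return env.get(node.get("AttributeId"), [])   # attribute bag, empty if absent
    return FUNCS[node.get("FunctionId")[len(F):]]([evaluate(c, env) for c in node])

def decide(rule_xml, client_ip):
    """Return the rule's Effect when its Condition holds, otherwise 'NotApplicable'."""
    rule = ET.fromstring(rule_xml)
    holds = evaluate(rule.find("Condition"), {CLIENT_IP: [client_ip]})
    return rule.get("Effect") if holds else "NotApplicable"
```

The shipped rule yields Deny for any address other than 127.0.0.1, while the regexp variant is NotApplicable for every address, which is why it only helps once the copy the PDP actually loads (under $FEDORA_HOME/fedora-xacml-policies, as Steve notes) is the one edited and reloaded.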
