It turns out that the underlying reason for this is that Auth credentials are not picked up - when credentials are supplied with the request they are ignored.
AuthFilterJAAS correctly skips forcing a login for API-A if Auth is not required, but does not pick up any pre-emptively supplied credentials, related to the change in r8467 http://fedora-commons.svn.sourceforge.net/viewvc/fedora-commons?revision=846 7&view=revision. https://jira.duraspace.org/browse/FCREPO-753 raised for this. Steve > -----Original Message----- > From: Steve Bayliss [mailto:[email protected]] > Sent: 29 July 2010 14:11 > To: 'Edwin Shin'; 'fedora-dev net sourceforge.' > Subject: Re: [Fedora-commons-developers] getObjectProfile for > inactiveobjectsfailing in trunk > > > Confirmed in trunk. Using ConfigB, but with api-a auth set > to false. FeSL > AuthN true. > > Not had chance to test against 3.4 RC1 yet. > > Seems also to be the case for getDatastreamDissemination. > > The PolicyFinderModule is picking up both the > "permit-apia-unrestricted" and > "deny-inactive-or-deleted-objects-or-datastreams-if-not-admini > strator" but > somehow the overall result being returned is "deny". The combining > algorithm seems to be OrderedDenyOverridesPOlicyAlg - so the > result actually > seems to make sense (deny from "deny-inactive..." and permit from > "permit-apia-unrestricted" = overall deny?). > > Would be interesting to see if this occurs when FeSL AuthN is > false. Could > this somehow be due to different versions of XACML being used > by native > Fedora XACML and by FeSL? > > The integration tests (configA) *should* have picked this up. > > Steve > > > > > -----Original Message----- > > From: Edwin Shin [mailto:[email protected]] > > Sent: 26 July 2010 02:39 > > To: fedora-dev net sourceforge. > > Subject: [Fedora-commons-developers] getObjectProfile for > > inactive objectsfailing in trunk > > > > > > Hoping someone else can confirm this one, and even better, > > run this down, since I'm not seeing anything obvious in the > > post 3.4RC1 commits that would suggest this behavior change. > > > > To reproduce: > > - change the status of an object to Inactive > > - attempt to fetch it, e.g., > > http://localhost:8080/fedora/objects/demo:foo > > > > I'm getting a 401 with trunk. But works fine with RC1. > > > > Noticed this while testing fedora-client against trunk, but > > easy enough to reproduce w/ the web admin client. > > -------------------------------------------------------------- > > ---------------- > > The Palm PDK Hot Apps Program offers developers who use the > > Plug-In Development Kit to bring their C/C++ apps to Palm > for a share > > of $1 Million in cash or HP Products. Visit us here for > more details: > > http://ad.doubleclick.net/clk;226879339;13503038;l? > > http://clk.atdmt.com/CRS/go/247765532/direct/01/ > > _______________________________________________ > > Fedora-commons-developers mailing list > > [email protected] > > > https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers > > > > > -------------------------------------------------------------- > ---------------- > The Palm PDK Hot Apps Program offers developers who use the > Plug-In Development Kit to bring their C/C++ apps to Palm for a share > of $1 Million in cash or HP Products. Visit us here for more details: > http://p.sf.net/sfu/dev2dev-palm > _______________________________________________ > Fedora-commons-developers mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers > ------------------------------------------------------------------------------ The Palm PDK Hot Apps Program offers developers who use the Plug-In Development Kit to bring their C/C++ apps to Palm for a share of $1 Million in cash or HP Products. Visit us here for more details: http://p.sf.net/sfu/dev2dev-palm _______________________________________________ Fedora-commons-developers mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
