[Fedora-commons-users] fedora commons muradora and XACML authn/authz woes..

Kevin P. Foote Fri, 09 Oct 2009 13:21:06 -0700

Hi all trying to get a full combo of fedora-commons and muradora up and
working together nicely (same Tomcat container).


FedoraCommons = 3.1
Muradora = 1.4.0 (and all its prerequisites)

It looks like from my error that all the Muradora parts are responding
properly with the final result being allow .. but then FedoraCommons
stops the delivery of the datastream.

I'm wondering if there is any thing I have wrong in my fedora.fcfg to
cause this ... What are the required settings for API-A, XACML, and API-M for
use with muradora ..

--- >% snip of fedora.fcfg
   <module role="fedora.server.security.Authorization"
class="fedora.server.security.DefaultAuthorization">
     <comment>Builds and manages Fedora's authorization
structure.</comment>
     <param name="REPOSITORY-POLICIES-DIRECTORY"
value="data/fedora-xacml-policies/repository-policies"
isFilePath="true"/>
     <param name="REPOSITORY-POLICY-GUITOOL-POLICIES-DIRECTORY"
value="data/fedora-xacml-policies/repository-policies-generated-by-policyguitool"
isFile
Path="true">
       <comment>This parameter is for future use.</comment>
     </param>
     <param name="XACML-COMBINING-ALGORITHM"
value="com.sun.xacml.combine.OrderedDenyOverridesPolicyAlg"/>
     <param name="ENFORCE-MODE" value="enforce-policies"/>
     <param name="POLICY-SCHEMA-PATH"
value="xsd/cs-xacml-schema-policy-01.xsd"/>
     <param name="VALIDATE-REPOSITORY-POLICIES" value="true"/>
     <param name="VALIDATE-OBJECT-POLICIES-FROM-FILE" value="false"/>
     <param name="VALIDATE-OBJECT-POLICIES-FROM-DATASTREAM"
value="false"/>
   </module>
--- >%


I can access most anything through the mura UI as fedora admin (or other
admin role) but cant get at anything when as public (or student, etc).
Here is what Fedora logs when I try and access something as public.


--- >% logs/fedora.log

INFO 2009-10-08 16:07:26.642 [TP-Processor24] (Cache) Authenticating
user [public]
ERROR 2009-10-08 16:07:27.217 [TP-Processor16]
(ExtendedHttpServletRequestWrapper) decoded user/password is lacks user
. . . returning 0-length strings
ERROR 2009-10-08 16:07:27.221 [TP-Processor16]
(ExtendedHttpServletRequestWrapper) decoded user/password is lacks user
. . . returning 0-length strings
INFO 2009-10-08 16:07:27.534 [TP-Processor20] (Cache) Authenticating
user [public]
INFO 2009-10-08 16:07:27.722 [TP-Processor21] (Cache) Authenticating
user [public]
INFO 2009-10-08 16:07:28.386 [TP-Processor21] (DefaultManagement)
Completed getDatastreams(pid: iupmisc:3, asOfDateTime: null, state:
null)
ERROR 2009-10-08 16:07:28.389 [TP-Processor21]
(FedoraAPIMBindingSOAPHTTPImpl) Error getting datastreams
fedora.server.errors.authorization.AuthzDeniedException:
         at
fedora.server.security.PolicyEnforcementPoint.enforce(PolicyEnforcementPoint.java:450)
         at
fedora.server.security.DefaultAuthorization.enforceGetDatastreams(DefaultAuthorization.java:925)
         at
fedora.server.management.DefaultManagement.getDatastreams(DefaultManagement.java:1098)
         at sun.reflect.GeneratedMethodAccessor119.invoke(Unknown Source)
         at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at
fedora.server.messaging.NotificationInvocationHandler.invoke(NotificationInvocationHandler.java:70)
         at $Proxy4.getDatastreams(Unknown Source)
         at
fedora.server.management.ManagementModule.getDatastreams(ManagementModule.java:294)
         at
fedora.server.management.FedoraAPIMBindingSOAPHTTPImpl.getDatastreams(FedoraAPIMBindingSOAPHTTPImpl.java:430)
         at
fedora.server.management.FedoraAPIMBindingSOAPHTTPSkeleton.getDatastreams(FedoraAPIMBindingSOAPHTTPSkeleton.java:414)
         at sun.reflect.GeneratedMethodAccessor118.invoke(Unknown Source)
         at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at
org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:397)
         at
org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:186)
         at
org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
         at
org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
         at
org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
         at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
         at
org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
         at
org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
         at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
         at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
         at melcoe.fedora.pep.rest.PEP.doFilter(PEP.java:150)
         at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
         at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
         at
fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:235)
         at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
         at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
         at
fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:235)
         at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
         at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
         at melcoe.fedora.pep.rest.PEP.doFilter(PEP.java:150)
         at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
         at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
         at
fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:235)
         at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
         at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
         at
fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:235)
         at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
         at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at
fedora.server.security.servletfilters.FilterSetup.doFilter(FilterSetup.java:235)
         at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
         at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
         at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
         at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
         at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
         at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
         at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
         at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
         at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
         at
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
         at
org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
         at
org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773)
         at
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
         at
org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
         at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
         at java.lang.Thread.run(Thread.java:619)


Hope some one can shed some light on this..

------
thanks
   kevin.foote

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
Fedora-commons-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users

[Fedora-commons-users] fedora commons muradora and XACML authn/authz woes..

Reply via email to