Hello Graeme, In order to make this work you have to use file:/myfilesystem (only one slash after the scheme) instead of file://myfilesystem for the content location. The reason for this is that java.io.File (which is used internally by Fedora to pull the content) doesn't permit an authority component[1], denoted by // in the URI[2].
Consequently, the regex in the policy is also defined with one slash only. Regards, Kai [1] http://java.sun.com/javase/6/docs/api/java/io/File.html#File%28java.net.URI%29 [2] http://tools.ietf.org/html/rfc3986#section-3.2 2010/6/16 West, Graeme <[email protected]>: > Hello all, > I'm trying to get Fedora (SVN trunk revision 8643) to accept file:// URLs as > part of an ingest, and am running into odd problems. > > The error I get is this: > >> # fedora-ingest.sh f ~/filetemp.xml info:fedora/fedora-system:FOXML-1.1 >> localhost:8080 fedoraAdmin [my password here] http >> Error : org.fcrepo.server.errors.HttpServiceNotFoundException: >> [DefaultExternalContentManager] returned an error. The underlying error was >> a org.fcrepo.server.errors.HttpServiceNotFoundException The message was >> "[FileExternalContentManager] returned an error. The underlying error was a >> java.lang.IllegalArgumentException The message was "URI has an authority >> component" . " . > > The relevant part of my FoXML looks like this: > >> <foxml:datastream CONTROL_GROUP="M" ID="AUDIODOWNLOAD" STATE="A" >> VERSIONABLE="true"> >> <foxml:datastreamVersion LABEL="MP3" >> ID="AUDIODOWNLOAD.0" MIMETYPE="audio/mpeg" SIZE="0"> >> <foxml:contentDigest TYPE="SHA-512"/> >> <foxml:contentLocation >> REF="file://myfilesystem/something.mp3" TYPE="URL" /> >> </foxml:datastreamVersion> >> </foxml:datastream> > > > I have modified the XACML policy deny-unallowed-file-resolution.xml as > suggested in its internal notes and at [1]. It's copied in at the bottom of > the email, along with a diff comparing my version to the distribution > version. I did wonder if perhaps the regex contained a typo of a missing > slash ( ^file:/ as opposed to ^file:// ), but I've tried it with and without > the slash to no avail. > > Fedora has the appropriate privileges to access the filesystem. The full > file:// URLs used in the ingest don't involve symlinks, and I've been > restarting Tomcat in between attempts. I'm running Fedora on Debian Lenny > with the Sun JDK 1.6.0_12. > > I'd appreciate any pointers on how to overcome this issue, as it'd speed up > my ingest considerably. > > Regards, > > Graeme > > > Graeme West > Digital Repository Developer > Information Services > Glasgow Caledonian University > [email protected] > > [1] > http://fedora-commons.org/confluence/display/FCR30/Ingest+with+the+file+URI+scheme > > > deny-unallowed-file-resolution.xml: > >> <?xml version="1.0" encoding="UTF-8"?> >> <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" >> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; >> PolicyId="deny-file-resolve-if-not-allowed-dir" >> >> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"> >> <Description>deny any file datastream resolution if not in allowed file >> patterns</Description> >> <Target> >> <Subjects> >> <AnySubject/> >> </Subjects> >> <Resources> >> <AnyResource/> >> </Resources> >> <Actions> >> <Action> >> <ActionMatch >> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> >> <AttributeValue >> DataType="http://www.w3.org/2001/XMLSchema#string";>urn:fedora:names:fedora:2.1:action:id-retrieveFile</AttributeValue> >> <ActionAttributeDesignator >> DataType="http://www.w3.org/2001/XMLSchema#string"; >> AttributeId="urn:fedora:names:fedora:2.1:action:id"/> >> </ActionMatch> >> </Action> >> </Actions> >> </Target> >> <!-- uncomment (and change the deny rule id) if access via the file >> protocol is desired. >> The regular expression determines the locations and files allowed for >> retrieval; it must match the canonical file URI for a resource. >> Restricting access to administrators will allow datastreams in control >> group 'M' to be ingested from the file system. >> Restricting access by URI only will allow datastreams in control group >> 'E' to be located on the file system. >> --> >> >> <Rule RuleId="1" Effect="Permit"> >> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> >> <Apply >> FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"> >> <AttributeValue >> DataType="http://www.w3.org/2001/XMLSchema#string";>^file://myfilesystem/*$</AttributeValue> >> <Apply >> FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> >> <ResourceAttributeDesignator >> AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:fileUri" >> DataType="http://www.w3.org/2001/XMLSchema#string"/> >> </Apply> >> </Apply> >> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in"> >> <AttributeValue >> DataType="http://www.w3.org/2001/XMLSchema#string";>administrator</AttributeValue> >> <SubjectAttributeDesignator AttributeId="fedoraRole" >> DataType="http://www.w3.org/2001/XMLSchema#string"/> >> </Apply> >> </Condition> >> </Rule> >> >> <Rule RuleId="2" Effect="Deny"> >> </Rule> >> </Policy> > > Diff from distribution version of deny-unallowed-file-resolution.xml: > > 28c28 > < > --- >> <!-- > 32c32 > < <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#string";>^file://ouachita/*$</AttributeValue> > --- >> <AttributeValue >> DataType="http://www.w3.org/2001/XMLSchema#string";>^file:/allowed/.*$</AttributeValue> > 41c41 > < </Apply> > --- >> </Apply> > 44,45c44,45 > < > < <Rule RuleId="2" Effect="Deny"> > --- >> --> >> <Rule RuleId="1" Effect="Deny"> > > Glasgow Caledonian University is a registered Scottish charity, number > SC021474 > > Winner: Times Higher Education's Widening Participation Initiative of the > Year 2009 and Herald Society's Education Initiative of the Year 2009 > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html > > ------------------------------------------------------------------------------ > ThinkGeek and WIRED's GeekDad team up for the Ultimate > GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the > lucky parental unit. See the prize list and enter to win: > http://p.sf.net/sfu/thinkgeek-promo > _______________________________________________ > Fedora-commons-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/fedora-commons-users > ------------------------------------------------------------------------------ ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo _______________________________________________ Fedora-commons-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
