XACML has me stumped


Josh

Aug 10, 2016, 2:57:46 PM
to islandora
I'm having some trouble with XACML and I'm hoping someone can point me in the right direction.

If I add an object-level embargo it seems to work as intended. Anonymous users can't see the citation in the search results, and they get an access denied page if they try to go to the URL directly. The problem comes when I lift the embargo. Once it's lifted the citation appears in the search results (though it won't load the thumbnail), but when anonymous users click on it they get a "The website encountered an unexpected error" message. If I delete the POLICY datastream everything goes back to normal. Even when the page is failing for anonymous users it still works fine when logged in as an admin.

Nothing appears in the fedora or apache logs, but if I look in the "recent log messages" through Drupal I see a RepositoryException: Unauthorized in RepositoryConnection->parseFedoraExceptions() (line 229 of /usr/local/drupal/sites/all/libraries/tuque/RepositoryConnection.php).

I also can't make datastream embargoes work at all. I get the same error message as above when the datastream embargo is applied and after it is lifted.

Editing XACML through the object policy tab has the same effect so it does not appear related to embargoes.

I'm running 7.x-1.7 which has been updated with each new version since 1.4 I believe. I also have 1.7 of Islandora Tuque. I'm wondering if maybe something has changed since our initial install.

I've wiped my default xacml policies (deleted the default folder and restarted tomcat), added permit-apim-to-authenticated.xml and removed deny-purge-*. I also downloaded the most recent islandora-xacml-policies from github.

I checked the POLICY datastream that is left when an embargo is lifted against the one created in the 1.7 virtual machine image and it is the same. It seems the POLICY datastream is fine.

I have a multisite setup (not sure if that makes any difference). I have modified my filter-drupal.xml to have both sites and everything else seems to work fine, it's just when there is a POLICY datastream that issues come up.

Any insight into this would be greatly appreciated.

Thanks

Jordan Dukart

Aug 11, 2016, 8:42:21 AM
to isla...@googlegroups.com
What does your global XACML policy folder look like? Usually located at $FEDORA_HOME/data/fedora-xacml-policies. This is old documentation but the listing should still remain the same: https://wiki.duraspace.org/display/ISLANDORA714/a.+Installing+Fedora#a.InstallingFedora-SettingXACMLPolicies.

Jordan
--
For more information about using this group, please read our Listserv Guidelines: http://islandora.ca/content/welcome-islandora-listserv
---
You received this message because you are subscribed to the Google Groups "islandora" group.
To unsubscribe from this group and stop receiving emails from it, send an email to islandora+...@googlegroups.com.
Visit this group at https://groups.google.com/group/islandora.
To view this discussion on the web visit https://groups.google.com/d/msgid/islandora/fcdae2c5-72cd-4555-b7df-a6578e281001%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Amanda Lehman

Aug 11, 2016, 11:25:57 AM
to islandora
We encountered this same problem in development and just disabled the embargo module (and restarted Tomcat to clear the RepositoryConnection errors) for now. So +1 on figuring out why embargo and XACML don't play nice. 

Josh

Aug 11, 2016, 1:25:57 PM
to islandora
Thanks for the suggestions.

I have checked my files in the fedora-xacml-policies folder against that list and they are the same.

I also disabled and uninstalled the xacml api, xacml editor, and scholar embargo modules, reinstalled them, and restarted tomcat. Still getting the same behaviour.

Josh

Aug 11, 2016, 2:55:38 PM
to islandora
I just realized that I was looking at the tomcat log instead of the fedora log. When I try to access something which has had the embargo removed I get the following log message:

WARN 2016-08-11 15:40:39.531 [http-8080-2] (BaseRestResource) Authorization failed; unable to fulfill REST API request
org.fcrepo.server.errors.authorization.AuthzDeniedException:
at org.fcrepo.server.security.impl.DefaultPolicyEnforcementPoint.enforce(DefaultPolicyEnforcementPoint.java:143) ~[fcrepo-server-3.7.0.jar:na]
at org.fcrepo.server.security.DefaultAuthorization.enforceGetDatastreamDissemination(DefaultAuthorization.java:955) ~[fcrepo-server-3.7.0.jar:na]
at org.fcrepo.server.access.DefaultAccess.getDatastreamDissemination(DefaultAccess.java:1116) ~[fcrepo-server-3.7.0.jar:na]
at org.fcrepo.server.rest.DatastreamResource.getDatastream(DatastreamResource.java:251) ~[fcrepo-server-3.7.0.jar:na]
at sun.reflect.GeneratedMethodAccessor67.invoke(Unknown Source) ~[na:na]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_74]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_74]
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180) [cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) [cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:193) [cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:102) [cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58) [cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94) [cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) [cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:218) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:163) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:137) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:158) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:243) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:168) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:617) [servlet-api.jar:na]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:219) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.35]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.35]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:369) [spring-security-web-3.0.7.RELEASE.jar:3.0.7.RELEASE]
at org.fcrepo.server.security.jaas.AuthFilterJAAS.doFilter(AuthFilterJAAS.java:329) [fcrepo-security-jaas-3.7.0.jar:na]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381) [spring-security-web-3.0.7.RELEASE.jar:3.0.7.RELEASE]
at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:109) [spring-security-web-3.0.7.RELEASE.jar:3.0.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381) [spring-security-web-3.0.7.RELEASE.jar:3.0.7.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168) [spring-security-web-3.0.7.RELEASE.jar:3.0.7.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) [spring-web-3.0.7.RELEASE.jar:3.0.7.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) [spring-web-3.0.7.RELEASE.jar:3.0.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.35]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.35]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:6.0.35]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.35]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.35]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.35]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.35]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) [catalina.jar:6.0.35]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) [tomcat-coyote.jar:6.0.35]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602) [tomcat-coyote.jar:6.0.35]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.35]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_74]

If it helps, I got the following in the log when removing the embargo:

WARN 2016-08-11 15:39:16.858 [http-8080-3] (BaseRestResource) Authorization failed; unable to fulfill REST API request
org.fcrepo.server.errors.authorization.AuthzDeniedException:
at org.fcrepo.server.security.impl.DefaultPolicyEnforcementPoint.enforce(DefaultPolicyEnforcementPoint.java:143) ~[fcrepo-server-3.7.0.jar:na]
at org.fcrepo.server.security.DefaultAuthorization.enforceGetObjectProfile(DefaultAuthorization.java:1058) ~[fcrepo-server-3.7.0.jar:na]
at org.fcrepo.server.access.DefaultAccess.getObjectProfile(DefaultAccess.java:617) ~[fcrepo-server-3.7.0.jar:na]
at org.fcrepo.server.rest.FedoraObjectsResource.getObjectProfile(FedoraObjectsResource.java:351) ~[fcrepo-server-3.7.0.jar:na]
at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source) ~[na:na]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_74]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_74]
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180) [cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) [cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:193) [cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:102) [cxf-rt-frontend-jaxrs-2.7.3.jar:2.7.3]
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58) [cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94) [cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) [cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:218) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:163) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:137) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:158) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:243) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:168) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:617) [servlet-api.jar:na]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:219) [cxf-rt-transports-http-2.7.3.jar:2.7.3]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.35]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.35]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:369) [spring-security-web-3.0.7.RELEASE.jar:3.0.7.RELEASE]
at org.fcrepo.server.security.jaas.AuthFilterJAAS.doFilter(AuthFilterJAAS.java:329) [fcrepo-security-jaas-3.7.0.jar:na]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381) [spring-security-web-3.0.7.RELEASE.jar:3.0.7.RELEASE]
at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:109) [spring-security-web-3.0.7.RELEASE.jar:3.0.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381) [spring-security-web-3.0.7.RELEASE.jar:3.0.7.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168) [spring-security-web-3.0.7.RELEASE.jar:3.0.7.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) [spring-web-3.0.7.RELEASE.jar:3.0.7.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) [spring-web-3.0.7.RELEASE.jar:3.0.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.35]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.35]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:6.0.35]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.35]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.35]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.35]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.35]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) [catalina.jar:6.0.35]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) [tomcat-coyote.jar:6.0.35]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602) [tomcat-coyote.jar:6.0.35]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.35]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_74]
INFO 2016-08-11 15:39:22.890 [http-8080-3] (DefaultManagement) Completed getDatastreamHistory(pid: citations:292, datastreamID: TN)
INFO 2016-08-11 15:39:25.584 [http-8080-3] (DefaultManagement) Completed getDatastreamHistory(pid: citations:292, datastreamID: PDF)
INFO 2016-08-11 15:39:31.651 [http-8080-3] (DefaultManagement) Completed getDatastreamHistory(pid: citations:292, datastreamID: RELS-EXT)
INFO 2016-08-11 15:39:31.668 [http-8080-3] (DatastreamResource) addOrUpdate
INFO 2016-08-11 15:39:31.669 [http-8080-3] (DefaultManagement) Completed getDatastream(pid: citations:292, datastreamID: RELS-EXT, asOfDateTime: null)
INFO 2016-08-11 15:39:31.676 [http-8080-3] (DefaultDOManager) Committing modification of citations:292
INFO 2016-08-11 15:39:31.683 [http-8080-3] (DefaultDOManager) Adding to ResourceIndex
INFO 2016-08-11 15:39:31.688 [http-8080-3] (DefaultDOManager) Updating dissemination index for citations:292
INFO 2016-08-11 15:39:31.688 [http-8080-3] (DefaultDOManager) Updating FieldSearch index
INFO 2016-08-11 15:39:31.690 [http-8080-3] (DefaultManagement) Completed modifyDatastreamByValue(pid: citations:292, datastreamId: RELS-EXT, altIDs: , dsLabel: Fedora Object to Object Relationship Metadata., mimeType: application/rdf+xml, formatURI: info:fedora/fedora-system:FedoraRELSExt-1.0, dsContent , checksumType: DISABLED, checksum: null, logMessage: null)
INFO 2016-08-11 15:39:31.697 [http-8080-3] (DefaultManagement) Completed getDatastream(pid: citations:292, datastreamID: RELS-EXT, asOfDateTime: null)
INFO 2016-08-11 15:39:31.960 [http-8080-4] (DatastreamResource) addOrUpdate
INFO 2016-08-11 15:39:31.961 [http-8080-4] (DefaultManagement) Completed getDatastream(pid: citations:292, datastreamID: RELS-EXT, asOfDateTime: null)
INFO 2016-08-11 15:39:31.968 [http-8080-4] (DefaultDOManager) Committing modification of citations:292
INFO 2016-08-11 15:39:31.975 [http-8080-4] (DefaultDOManager) Adding to ResourceIndex
INFO 2016-08-11 15:39:31.979 [http-8080-4] (DefaultDOManager) Updating dissemination index for citations:292
INFO 2016-08-11 15:39:31.979 [http-8080-4] (DefaultDOManager) Updating FieldSearch index
INFO 2016-08-11 15:39:31.980 [http-8080-4] (DefaultManagement) Completed modifyDatastreamByValue(pid: citations:292, datastreamId: RELS-EXT, altIDs: , dsLabel: Fedora Object to Object Relationship Metadata., mimeType: application/rdf+xml, formatURI: info:fedora/fedora-system:FedoraRELSExt-1.0, dsContent , checksumType: DISABLED, checksum: null, logMessage: null)
INFO 2016-08-11 15:39:31.987 [http-8080-4] (DefaultManagement) Completed getDatastream(pid: citations:292, datastreamID: RELS-EXT, asOfDateTime: null)
INFO 2016-08-11 15:39:32.078 [http-8080-4] (DefaultManagement) Completed export(pid: citations:292, format: info:fedora/fedora-system:FOXML-1.1, exportContext: public, encoding: UTF-8)
INFO 2016-08-11 15:39:32.457 [http-8080-3] (DatastreamResource) addOrUpdate
INFO 2016-08-11 15:39:32.459 [http-8080-3] (DefaultManagement) Completed getDatastream(pid: citations:292, datastreamID: RELS-EXT, asOfDateTime: null)
INFO 2016-08-11 15:39:32.465 [http-8080-3] (DefaultDOManager) Committing modification of citations:292
INFO 2016-08-11 15:39:32.472 [http-8080-3] (DefaultDOManager) Adding to ResourceIndex
INFO 2016-08-11 15:39:32.476 [http-8080-3] (DefaultDOManager) Updating dissemination index for citations:292
INFO 2016-08-11 15:39:32.476 [http-8080-3] (DefaultDOManager) Updating FieldSearch index
INFO 2016-08-11 15:39:32.477 [http-8080-3] (DefaultManagement) Completed modifyDatastreamByValue(pid: citations:292, datastreamId: RELS-EXT, altIDs: , dsLabel: Fedora Object to Object Relationship Metadata., mimeType: application/rdf+xml, formatURI: info:fedora/fedora-system:FedoraRELSExt-1.0, dsContent , checksumType: DISABLED, checksum: null, logMessage: null)
INFO 2016-08-11 15:39:32.488 [http-8080-3] (DefaultManagement) Completed getDatastream(pid: citations:292, datastreamID: RELS-EXT, asOfDateTime: null)
INFO 2016-08-11 15:39:32.563 [http-8080-3] (DefaultManagement) Completed getDatastreamHistory(pid: citations:292, datastreamID: POLICY)
INFO 2016-08-11 15:39:32.581 [http-8080-3] (DatastreamResource) addOrUpdate
INFO 2016-08-11 15:39:32.588 [http-8080-3] (DefaultManagement) Completed getDatastream(pid: citations:292, datastreamID: POLICY, asOfDateTime: null)
INFO 2016-08-11 15:39:32.588 [http-8080-3] (DefaultManagement) Removed uploaded file '15389' because it expired.
INFO 2016-08-11 15:39:32.602 [http-8080-3] (DefaultDOManager) Committing modification of citations:292
INFO 2016-08-11 15:39:32.602 [http-8080-3] (DefaultDOManager) Getting managed datastream from internal uploaded location: uploaded://15390 for citations:292
INFO 2016-08-11 15:39:32.602 [http-8080-3] (DefaultDOManager) Replaced managed datastream location with internal id: citations:292+POLICY+POLICY.5
INFO 2016-08-11 15:39:32.607 [http-8080-3] (DefaultDOManager) Adding to ResourceIndex
INFO 2016-08-11 15:39:32.610 [http-8080-3] (DefaultDOManager) Updating dissemination index for citations:292
INFO 2016-08-11 15:39:32.611 [http-8080-3] (DefaultDOManager) Updating FieldSearch index
INFO 2016-08-11 15:39:32.612 [http-8080-3] (DefaultManagement) Completed modifyDatastreamByReference(pid: citations:292, datastreamId: POLICY, altIDs: , dsLabel: XACML Policy Stream, mimeType: application/xml, formatURI: null, dsLocation: uploaded://15390, checksumType: DISABLED, checksum: null, logMessage: null)
INFO 2016-08-11 15:39:32.623 [http-8080-3] (DefaultManagement) Completed getDatastream(pid: citations:292, datastreamID: POLICY, asOfDateTime: null)
INFO 2016-08-11 15:39:32.637 [http-8080-1] (DefaultManagement) Completed export(pid: citations:292, format: info:fedora/fedora-system:FOXML-1.1, exportContext: public, encoding: UTF-8)
INFO 2016-08-11 15:39:33.097 [http-8080-1] (DefaultManagement) Completed export(pid: citations:292, format: info:fedora/fedora-system:FOXML-1.1, exportContext: public, encoding: UTF-8)
INFO 2016-08-11 15:39:33.503 [http-8080-4] (DefaultManagement) Completed export(pid: citations:292, format: info:fedora/fedora-system:FOXML-1.1, exportContext: public, encoding: UTF-8)

Josh

Sep 9, 2016, 11:01:36 AM
to islandora
I've got this working now. I checked the default folder on the virtual machine and noticed it didn't have the following files: 

deny-inactive-or-deleted-objects-or-datastreams-if-not-administrator.xml
deny-reloadPolicies-if-not-localhost.xml
deny-unallowed-file-resolution.xml
deny-policy-management-if-not-administrator.xml

I removed them one at a time and found out that deny-policy-management-if-not-administrator.xml was causing the issue.

In the description for this file it says "deny access to POLICY datastream unless subject has administrator role" which makes it sound like it's supposed to deny others from being able to read the policy XML. As an anonymous user I am currently able to add /datastream/POLICY to my URL and read the XML, but this seems to be standard on other Islandora sites that I've checked.

Micheal Grimard

Oct 5, 2016, 2:47:03 PM
to islandora
Did you just delete that rule?

Josh

Oct 6, 2016, 8:11:18 AM
to islandora
I did. It seems to be working fine now.

Diego Pino

Oct 6, 2016, 11:04:20 AM
to islandora
Dear people,

This question comes up from time to time:
It's in the XACML editor module Readme file.

deny-policy-management-if-not-administrator.xml should (really must) be removed, or otherwise non-admin users are not even able to access the policy file, which means that whatever permissions are set (even full access) Fedora will deny AuthZ.

Islandora documentation: maybe this should find its way in as an Islandora requirement in the install docs.

Best

Diego Pino
Metro.org
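The two findings above, Josh's (the deny-policy-management-if-not-administrator.xml file in the global policy folder is what produces the AuthzDeniedException for non-admins) and Diego's (with that file in place, what the object's own POLICY datastream grants makes no difference), can be checked mechanically rather than by deleting files one at a time. The Python below is an added example written for this thread; it is not code from Islandora, Fedora, or anyone in the discussion. It parses a policy in the XACML 1.0 form Fedora 3 uses, flags any file in a policy directory whose Target is scoped to the POLICY datastream and whose rule denies, and shows why a deny-overrides combination makes a global deny win over an object-level permit. The sample policy text is constructed from the description Josh quoted, not copied from the shipped file; the Fedora attribute ids for datastream id and subject role, and the deny-overrides combining algorithm for the global policy set, are assumptions the thread does not state.

```python
"""Audit a Fedora 3 global XACML policy directory for a policy that denies POLICY-datastream
access to non-administrators, and show how deny-overrides combining lets such a global deny
beat a permissive object-level POLICY. Added example; not Islandora or Fedora project code."""
import os
import tempfile
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:1.0:policy"  # XACML 1.0 namespace used by Fedora 3 policies
NS = {"x": XACML_NS}
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
# Assumed Fedora 3 attribute ids (not quoted anywhere in the thread).
DSID_ATTR = "urn:fedora:names:fedora:2.1:resource:datastream:id"
ROLE_ATTR = "urn:fedora:names:fedora:2.1:subject:role"

# Constructed sample modelled on the description quoted in the thread ("deny access to
# POLICY datastream unless subject has administrator role"); not the shipped Fedora file.
SAMPLE_DENY_POLICY = f"""<Policy xmlns="{XACML_NS}" PolicyId="deny-policy-management-if-not-administrator"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>deny access to POLICY datastream unless subject has administrator role</Description>
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="{XSD_STRING}">POLICY</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{DSID_ATTR}" DataType="{XSD_STRING}"/>
    </ResourceMatch></Resource></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId="1" Effect="Deny">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="{XSD_STRING}">administrator</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{ROLE_ATTR}" DataType="{XSD_STRING}"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""


def parse_policy(xml_text):
    """Policy id, the datastream ids the Target is scoped to, and per rule (effect, exempt roles)."""
    root = ET.fromstring(xml_text)
    info = {"policy_id": root.get("PolicyId"), "datastream_ids": [], "rules": []}
    for match in root.findall("x:Target/x:Resources/x:Resource/x:ResourceMatch", NS):
        desig = match.find("x:ResourceAttributeDesignator", NS)
        if desig is not None and desig.get("AttributeId") == DSID_ATTR:
            info["datastream_ids"].append(match.findtext("x:AttributeValue", namespaces=NS))
    for rule in root.findall("x:Rule", NS):
        exempt = []  # roles named in a subject-role test inside the rule's Condition
        for apply_el in rule.iter(f"{{{XACML_NS}}}Apply"):
            desig = apply_el.find("x:SubjectAttributeDesignator", NS)
            if desig is not None and desig.get("AttributeId") == ROLE_ATTR:
                exempt.append(apply_el.findtext("x:AttributeValue", namespaces=NS))
        info["rules"].append((rule.get("Effect"), exempt))
    return info


def evaluate(info, roles, dsid):
    """Simplified evaluation for policies shaped like the sample: the policy applies only to
    datastreams in its Target, and a Deny rule of the form not(any-of(role == X)) fires when
    the subject holds none of the roles X."""
    if info["datastream_ids"] and dsid not in info["datastream_ids"]:
        return "NotApplicable"
    for effect, exempt in info["rules"]:
        if effect == "Deny" and not set(roles) & set(exempt):
            return "Deny"
    return "NotApplicable"


def deny_overrides(decisions):
    """Combining rule assumed for the global policy set (Fedora 3's deny-overrides default, which
    the thread does not state): one Deny wins, so an object-level Permit cannot rescue the request."""
    if "Deny" in decisions:
        return "Deny"
    return "Permit" if "Permit" in decisions else "NotApplicable"


def audit_policy_dir(path):
    """(filename, reason) for each policy file that denies POLICY-datastream access."""
    findings = []
    for name in sorted(n for n in os.listdir(path) if n.endswith(".xml")):
        with open(os.path.join(path, name), encoding="utf-8") as fh:
            try:
                info = parse_policy(fh.read())
            except ET.ParseError as exc:  # report, rather than silently skip, a broken policy
                findings.append((name, f"unparseable: {exc}"))
                continue
        if "POLICY" in info["datastream_ids"] and any(e == "Deny" for e, _ in info["rules"]):
            findings.append((name, f"denies POLICY datastream access ({info['policy_id']})"))
    return findings


def demo_audit():
    """Scratch stand-in for .../fedora-xacml-policies/repository-policies/default holding the sample
    plus a constructed control policy of the same shape scoped to DC (must not be flagged)."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "deny-policy-management-if-not-administrator.xml"), "w") as fh:
            fh.write(SAMPLE_DENY_POLICY)
        with open(os.path.join(tmp, "deny-dc-if-not-administrator.xml"), "w") as fh:
            fh.write(SAMPLE_DENY_POLICY.replace(">POLICY<", ">DC<"))
        return audit_policy_dir(tmp)


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_DENY_POLICY)
    anon = evaluate(policy, ["anonymous"], "POLICY")  # Deny from the global policy alone
    print("anonymous on POLICY:", anon, "-> combined with object Permit:", deny_overrides(["Permit", anon]))
    print(demo_audit())
```

Pointing audit_policy_dir at the real $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default gives the same check Josh did by hand. The trade-off Josh notes still applies once the file is removed: the object's POLICY datastream becomes readable to non-administrators, which is the price of letting Fedora evaluate it for them.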

Josh

Oct 7, 2016, 8:44:26 AM
to islandora
Thanks Diego,

I agree it would be helpful if this was in the install docs. Perhaps we could add it in above 'adjusting access for more than localhost' here: https://wiki.duraspace.org/display/ISLANDORA/milestone+1+-+Installing+Fedora#milestone1-InstallingFedora-Adjustingaccessformorethan%22localhost%22

I would suggest something like:

It may be desirable--and in fact necessary for some modules--to disable/remove one of the default XACML policies which denies any interactions with the POLICY datastream to users without the "administrator" role.

If using the Islandora Scholar Embargo module, this policy must be removed in order to allow non-administrators to view objects which have embargoed datastreams.

This policy is located here: $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/deny-policy-management-if-not-administrator.xml
