Tomcat returning 401 to Islandora with drupal-filter 3.8.1 on separate server.

Ian McBride

Aug 10, 2016, 4:04:45 PM
to islandora-dev
I'm in the process of setting up Islandora, which has gone great thanks to the excellent documentation, but I've run into one snag that I can't seem to find mentioned with the Drupal authentication filter. I have two RHEL 7.2 servers, one for running Islandora, the other for running Fedora, and a third RHEL 6.8 server that has the MySQL databases for both services.

islandora_server:
PHP version: 5.6.24
Drupal version: 7.50
Islandora version: 7.x-1.7
Apache version: 2.4.6

fedora_server:
Java version: 1.8.0_102-b14 (Oracle)
Fedora version: 3.8.1
Tomcat version: 7.0.55
drupalauthfilter version: 3.8.1

mysql_server:
MySQL version: 5.6.32

I enabled XACML on install and ENFORCE-MODE is set to "permit-all-requests" in fedora.fcfg:

  <module role="org.fcrepo.server.security.Authorization" class="org.fcrepo.server.security.DefaultAuthorization">
    <comment>Builds and manages Fedora's authorization structure.</comment>
    <param name="REPOSITORY-POLICIES-DIRECTORY" value="data/fedora-xacml-policies/repository-policies" isFilePath="true"/>
    <param name="VALIDATE-REPOSITORY-POLICIES" value="true"/>
    <param name="VALIDATE-OBJECT-POLICIES-FROM-DATASTREAM" value="false"/>
    <param name="REPOSITORY-POLICY-GUITOOL-POLICIES-DIRECTORY" value="data/fedora-xacml-policies/repository-policies-generated-by-policyguitool" isFilePath="true">
      <comment>This parameter is for future use.</comment>
    </param>
    <param name="XACML-COMBINING-ALGORITHM" value="org.jboss.security.xacml.sunxacml.combine.OrderedDenyOverridesPolicyAlg"/>
    <param name="POLICY-SCHEMA-PATH" value="xsd/cs-xacml-schema-policy-01.xsd"/>
    <param name="VALIDATE-OBJECT-POLICIES-FROM-FILE" value="false"/>
    <param name="ENFORCE-MODE" value="permit-all-requests"/>
  </module>

I placed fcrepo-drupalauthfilter-3.8.1.jar from this URL <https://github.com/Islandora/islandora_drupal_filter/releases> in $CATALINA_HOME/webapps/fedora/WEB-INF/lib

I've placed the XACML policy files in $FEDORA_HOME/data/fedora_xacml_policies and removed the deny-purge-* policies. My tree now looks like:

fedora-xacml-policies/
└── repository-policies
    ├── default
    │   ├── deny-apim-if-not-localhost.xml
    │   ├── deny-inactive-or-deleted-objects-or-datastreams-if-not-administrator.xml
    │   ├── deny-policy-management-if-not-administrator.xml
    │   ├── deny-reloadPolicies-if-not-localhost.xml
    │   ├── deny-unallowed-file-resolution.xml
    │   ├── permit-anything-to-administrator.xml
    │   ├── permit-apia-unrestricted.xml
    │   ├── permit-dsstate-check-unrestricted.xml
    │   ├── permit-oai-unrestricted.xml
    │   ├── permit-serverStatus-unrestricted.xml
    │   └── readme.txt
    └── islandora
        ├── permit-apim-to-authenticated-user.xml
        ├── permit-getDatastreamHistory-unrestricted.xml
        ├── permit-getDatastream-unrestricted.xml
        └── permit-upload-to-authenticated-user.xml

I placed filter-drupal.xml in $FEDORA_HOME/server/config and it looks like this:

<FilterDrupal_Connection>
  <connection server="mysql_server" dbname="mysql_database" user="mysql_user" password="mysql_password" port="3306">
    <sql>
      <!-- Different sql statement for each connection. This is for drupal multisites that are setup using one database with
           table prefixes. We don't do this but some people might. -->
      SELECT DISTINCT u.uid AS userid, u.name AS Name, u.pass AS Pass, r.name AS Role FROM (users u LEFT JOIN users_roles ON u.uid=users_roles.uid) LEFT JOIN role r ON r.rid=users_roles.rid WHERE u.name=? AND u.pass=?;
    </sql>
  </connection>
</FilterDrupal_Connection>

My jaas.conf file is in the same directory and begins:

fedora-auth
{
  org.fcrepo.server.security.jaas.auth.module.XmlUsersFileModule required
  debug=true;
  ca.upei.roblib.fedora.servletfilter.DrupalAuthModule required
  debug=true;
};

In Drupal I created an admin user with the name "admin" and gave it the password "password" to test out the connection. On /admin/islandora/configure I get the message "Unable to authenticate when connecting to to Fedora Server (Version 3.8.1). Please configure the Drupal Filter." for the Fedora base URL http://fedora_server:8080/fedora.

When I look at the tomcat access log on the fedora_server, I see:

islandora_server - - [10/Aug/2016:15:36:07 -0400] "GET /fedora/describe?xml=true HTTP/1.1" 200 1289
islandora_server - - [10/Aug/2016:15:36:07 -0400] "GET /fedora/objects/fedora-system%3AContentModel-3.0/datastreams/DC?format=xml HTTP/1.1" 401 614

Browsing directly to the second URL gives me an authentication prompt. When I enter the Drupal credentials "admin" and "password", I get a 401 in my browser, but entering the credentials for the fedora admin account gives me the expected XML response.

I used the MySQL client on the fedora_server's command line to connect to the mysql_server and manually run the query from filter-drupal.xml using the hashed version of the Drupal account's password, which is (I believe) what the drupalauthfilter is receiving.

MySQL [mysql_database]> SELECT DISTINCT u.uid AS userid, u.name AS Name, u.pass AS Pass, r.name AS Role FROM (users u LEFT JOIN users_roles ON u.uid=users_roles.uid) LEFT JOIN role r ON r.rid=users_roles.rid WHERE u.name='admin' AND u.pass='$S$DK5aNZTYI1jbBjLcEDcMIPtz/7whyDOxw04efL8WXM1Nij.HsdNk';
+--------+-------+---------------------------------------------------------+-------------------------+
| userid | Name  | Pass                                                    | Role                    |
+--------+-------+---------------------------------------------------------+-------------------------+
|      1 | admin | $S$DK5aNZTYI1jbBjLcEDcMIPtz/7whyDOxw04efL8WXM1Nij.HsdNk | Web Services            |
|      1 | admin | $S$DK5aNZTYI1jbBjLcEDcMIPtz/7whyDOxw04efL8WXM1Nij.HsdNk | Islandora Administrator |
+--------+-------+---------------------------------------------------------+-------------------------+
2 rows in set (0.00 sec)

Trying a workaround, I added the Drupal credentials directly to fedora-users.xml in $FEDORA_HOME/server/config:

<?xml version='1.0' ?>
<users>
  <user name="fedoraUser" password="fedoraPassword">
    <attribute name="fedoraRole">
      <value>administrator</value>
    </attribute>
  </user>
  <user name="admin" password="$S$DK5aNZTYI1jbBjLcEDcMIPtz/7whyDOxw04efL8WXM1Nij.HsdNk">
    <attribute name="fedoraRole">
      <value>administrator</value>
    </attribute>
  </user>
  <user name="fedoraIntCallUser" password="changeme">
    <attribute name="fedoraRole">
      <value>fedoraInternalCall-1</value>
      <value>fedoraInternalCall-2</value>
    </attribute>
  </user>
</users>

The Islandora configuration page is now successfully connecting to Fedora, but I know that this method bypasses the Drupal Authentication Filter, which I would prefer to use so I don't have to keep credentials in multiple locations. Any tips on other tests I can try, configuration steps I may have missed, or known issues I've overlooked would be greatly appreciated.
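What the filter's query can and cannot decide, as an added example (not code from the Islandora drupal filter or from anyone in this thread): the fedora-users.xml workaround above succeeds with the $S$ hash as the literal password, which is consistent with Islandora sending the stored u.pass value itself as the HTTP Basic password, and the SQL in filter-drupal.xml binds whatever it receives straight into WHERE u.pass=?. The Python below reproduces that lookup over an in-memory SQLite copy of the users, users_roles and role tables seeded with the rows from the mysql output, so both results seen above can be reproduced offline: the hash as the secret yields one row per role, and the plaintext "password" typed at the browser prompt yields no row at all. The table layout, the role ids, the extra roleless user and the helper names are assumptions of this example, and the parentheses in the original FROM clause are dropped for SQLite (LEFT JOIN is left-associative, so the query is unchanged).

```python
# Added example, not code from the Islandora drupal filter or from this thread. It rebuilds
# the lookup that the SQL in filter-drupal.xml performs, against an in-memory SQLite copy of
# the three Drupal 7 tables holding the rows shown in the mysql output above, and feeds it the
# credentials taken from an HTTP Basic header. Table layout, role ids, the second user and the
# helper names are constructed assumptions; the parentheses in the original FROM clause are
# dropped for SQLite (LEFT JOIN is left-associative, so the query is unchanged).
import base64
import sqlite3

# u.pass for uid 1 exactly as the page's mysql output shows it.
PAGE_HASH = "$S$DK5aNZTYI1jbBjLcEDcMIPtz/7whyDOxw04efL8WXM1Nij.HsdNk"
# Constructed value for a second user; not a real Drupal hash.
READER_HASH = "$S$D-constructed-hash-for-a-user-with-no-roles-"

# The query from filter-drupal.xml: both the name and the stored hash are bound parameters.
FILTER_SQL = """
SELECT DISTINCT u.uid AS userid, u.name AS Name, u.pass AS Pass, r.name AS Role
FROM users u LEFT JOIN users_roles ON u.uid=users_roles.uid
LEFT JOIN role r ON r.rid=users_roles.rid
WHERE u.name=? AND u.pass=?
"""


def drupal_db() -> sqlite3.Connection:
    """Stand-in for mysql_database with only the columns the filter's SQL touches."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE, pass TEXT NOT NULL);
        CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
        CREATE TABLE users_roles (uid INTEGER NOT NULL, rid INTEGER NOT NULL, PRIMARY KEY (uid, rid));
    """)
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", PAGE_HASH), (2, "reader", READER_HASH)])
    # rids 3 and 4 are assumptions; the page shows only the role names.
    db.executemany("INSERT INTO role VALUES (?, ?)", [(3, "Web Services"), (4, "Islandora Administrator")])
    db.executemany("INSERT INTO users_roles VALUES (?, ?)", [(1, 3), (1, 4)])
    db.commit()
    return db


def basic_header(user: str, secret: str) -> str:
    """Authorization header value for HTTP Basic, as any client (browser or Tuque) encodes it."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode("utf-8")).decode("ascii")


def credentials_from_basic(header_value: str):
    """'Basic <base64(user:secret)>' -> (user, secret), or None if the header is unusable."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, secret = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except ValueError:  # not base64, or not UTF-8
        return None
    return (user, secret) if sep else None


def lookup(db: sqlite3.Connection, user: str, secret: str) -> list:
    """Run the filter's query with both values bound; the result has one row per role."""
    return db.execute(FILTER_SQL, (user, secret)).fetchall()


def authenticate(db: sqlite3.Connection, header_value: str):
    """The only decision a module built on this SQL can make: rows back means the name and
    the exact stored value matched; the roles are the distinct non-NULL Role columns (a user
    with no roles still returns one row, with Role NULL, because of the LEFT JOINs)."""
    creds = credentials_from_basic(header_value)
    if creds is None:
        return None
    rows = lookup(db, *creds)
    if not rows:
        return None
    return {"uid": rows[0][0], "name": rows[0][1],
            "roles": sorted(row[3] for row in rows if row[3] is not None)}


if __name__ == "__main__":
    db = drupal_db()
    # What the workaround on the page implies Islandora sends: the stored hash as the secret.
    print(authenticate(db, basic_header("admin", PAGE_HASH)))
    # What the browser test on the page did: the plaintext can never equal u.pass, hence the 401.
    print(authenticate(db, basic_header("admin", "password")))
```

Two things follow from this for the setup described above. First, if Islandora does send the stored hash, then anyone who can read users.pass on mysql_server holds a working Fedora credential for that account, and the fedora-users.xml workaround freezes the same string as a static administrator password in a second place, which is exactly the duplication the post wants to avoid. Second, the example says nothing about the later observation that the jar never opens a MySQL connection: if the query is never run, no value of the secret can pass, so that finding points at the module not being invoked at all rather than at the credentials.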

Jared Whiklo

Aug 15, 2016, 12:14:15 PM
to island...@googlegroups.com
Ian,

Did you resolve this issue?

I'm probably still suffering from vacation hangover, but in
filter-drupal.xml did you enter the correct values for the

<connection server="mysql_server" dbname="mysql_database"
user="mysql_user" password="mysql_password" port="3306">

element?

cheers,
jared


--
Jared Whiklo
jwh...@gmail.com
--------------------------------------------------
George Washington's brother was the uncle of our country.


Gary Phillips

Aug 15, 2016, 3:23:57 PM
to island...@googlegroups.com

I'm sure this is just a transcription or formatting error but just to be certain, in your jaas.conf file:


> fedora-auth
> {
>    org.fcrepo.server.security.jaas.auth.module.XmlUsersFileModulerequired
>    debug=true;
>    ca.upei.roblib.fedora.servletfilter.DrupalAuthModulerequired
>    debug=true;
> };


There is a space before the word required in the two quoted lines above?



Ian McBride

Aug 19, 2016, 2:30:55 PM
to islandora-dev
Thanks for following up, Jared. I have not yet resolved the issue. I checked my filter-drupal.xml file and I have the correct information in the server, dbname, user, and password attributes for my environment.

Ian McBride

Aug 19, 2016, 2:32:10 PM
to islandora-dev
Thanks for following up, Greg. I checked my local jaas.conf file and there is a space before the word "required" on both those lines. I think, as you suggested, it just got removed in the group email.

Ian McBride

Sep 1, 2016, 10:24:10 AM
to islandora-dev
As a small update on this, I turned on MySQL logging and noticed that the server hosting Fedora never connects to MySQL when it receives a request to /fedora/objects/fedora-system%3AContentModel-3.0/datastreams/DC?format=xml, so I've narrowed the issue down to a misconfiguration of my Fedora application or a non-functioning fcrepo-drupalauthfilter-3.8.1.jar.