Documentation: API-X can't load services/ontologies when Fcrepo is behind authentication

Created on 14 Dec 2018 · 11 Comments · Source: Islandora/documentation

Still working on Fedora 5.0.0. Fcrepo-api-x-jena can't create the /apix/services, /apix/ontologies and /apix/extensions containers.

java.lang.RuntimeException: Error executing HttpPut request to http://localhost:8080/fcrepo/rest/apix/extensions
    at org.fcrepo.apix.jena.impl.LdpContainerRegistry.put(LdpContainerRegistry.java:240)
    at org.fcrepo.apix.jena.impl.LdpContainerRegistry.lambda$init$8(LdpContainerRegistry.java:135)
    at org.fcrepo.apix.jena.impl.InitMgr$1.lambda$$11(InitMgr.java:70)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)[:1.8.0_191]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)[:1.8.0_191]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)[:1.8.0_191]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)[:1.8.0_191]
    at java.lang.Thread.run(Thread.java:748)[:1.8.0_191]
Caused by: java.lang.RuntimeException: Resource creation failed: HTTP/1.1 403 Forbidden; <!DOCTYPE html><html><head><title>Apache Tomcat/8.0.32 (Ubuntu) - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 403 - </h1><div class="line"></div><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>Access to the specified resource has been forbidden.</u></p><hr class="line"><h3>Apache Tomcat/8.0.32 (Ubuntu)</h3></body></html>
    at org.fcrepo.apix.jena.impl.LdpContainerRegistry.lambda$put$9(LdpContainerRegistry.java:234)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:223)[158:org.apache.httpcomponents.httpclient:4.5.3]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:165)[158:org.apache.httpcomponents.httpclient:4.5.3]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:140)[158:org.apache.httpcomponents.httpclient:4.5.3]
    at org.fcrepo.apix.jena.impl.LdpContainerRegistry.put(LdpContainerRegistry.java:226)
    ... 7 more

I remember @dannylamb and @ajs6f had to do some fancy footwork to get JWTs passed through API-X before, but not sure if this was where.

All 11 comments

Related to #966

What happened last time was that we ended up sending a PR to API-X to allow it to be configured with a custom HTTP client. Then in CLAW, we configured API-X with an HTTP client that is pre-equipped to understand authN. I don't know what is different now-- are you sure the changes aren't in the Fedora product?

No I don't know that for sure. Where are we configuring the HTTP client for API-X? Maybe I need to make some changes there.

I don't know, but I would guess it's in the XML config. Doesn't API-X use Spring? Do we have a fork of it somewhere?

@dannylamb just showed me in IRC we do it in Alpaca and assume it gets picked up as the default. https://github.com/Islandora-CLAW/Alpaca/tree/master/islandora-http-client
I'll try to trace the incoming requests from the Fedora side and see if they are using our client or if something else is happening.

Here looks to be where the service is declared. If API-X is still looking for the type org.apache.http.client.HttpClient to inject (and @birkland would know, and I don't know why that would have changed) then I'd be more inclined to look at the Fedora application to find the problem.

This section of API-X does look more complex than I remember. Maybe something has changed?

Nothing has changed on the API-X end so far as I am aware. The factory referenced would be ignored/unused if an HttpClient is provided as a service. It'll just latch onto the one that was published to OSGi.

Tracing the requests is a good idea @whikloj to see if the requests are what you think they are (i.e. they have the appropriate Authorization).

That being said, this is a 403. Usually, that happens when authentication is OK, but the server spikes the request due to authz (i.e. an ACL). That sticks in my head as a possibility here.

The interceptor that @ajs6f wrote uses that static "Bearer islandora" token instead of an actual JWT, so I'm thinking it may be interplay with how we handle that in Syn and Fedora 5.

Ohhhhh thank you all. I've got it.

With the updates to Syn I assign the "fedoraAdmin" user role only to users that come in with that role, so I need to update the claw-playbook to have the "islandora" token have a "fedoraAdmin" role.

I'm working on the same thing for the "admin" Drupal user, they need to have a "fedoraAdmin" role to get super-user access (otherwise we'll need to add a default WebAC ruleset).

So that is the problem, the user is coming in with a "fedoraUser" role and no permissions to write. This is not an issue at all and I will update the claw-playbook config as part of my PRs.

Good job team
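
The diagnosis the thread arrives at, as an added example that is not code from API-X, Syn or any participant: it pulls the method, URL and status out of an exception chain shaped like the one in the report, then uses a deliberately simplified model of the role check to show why a known token carrying only "fedoraUser" gets 403 rather than 401. The function names, the token-to-role maps and the 201 success code are assumptions made for illustration.

```python
import re

# Constructed excerpt, shaped like the exception text quoted in the issue.
SAMPLE_LOG = (
    "java.lang.RuntimeException: Error executing HttpPut request to "
    "http://localhost:8080/fcrepo/rest/apix/extensions\n"
    "Caused by: java.lang.RuntimeException: Resource creation failed: "
    "HTTP/1.1 403 Forbidden; <!DOCTYPE html>\n"
)
REQUEST_RE = re.compile(r"Error executing Http(\w+) request to (\S+)")
STATUS_RE = re.compile(r"HTTP/1\.[01] (\d{3})\b")

def parse_failure(log_text):
    """Return (method, url, status) from the exception chain, or None."""
    req, status = REQUEST_RE.search(log_text), STATUS_RE.search(log_text)
    if not (req and status):
        return None
    return req.group(1).upper(), req.group(2), int(status.group(1))

def authorize_write(token, static_tokens, acl_write_roles=frozenset()):
    """Simplified model (an assumption, not Syn's or Fedora's code)."""
    roles = static_tokens.get(token)
    if roles is None:
        return 401  # unknown or missing token: authentication fails
    if "fedoraAdmin" in roles or roles & acl_write_roles:
        return 201  # super-user, or a role that an ACL lets write
    return 403      # authenticated, but nothing grants write access

def next_check(status):
    """Map the status to the question the thread asks about it."""
    if status == 401:
        return "authn: is the request carrying an Authorization header?"
    if status == 403:
        return "authz: which roles does this token map to, and can they write?"
    return "not an access-control failure"

if __name__ == "__main__":
    method, url, status = parse_failure(SAMPLE_LOG)
    print(method, url, status, "->", next_check(status))
    before = {"islandora": {"fedoraUser"}}   # hypothetical mapping
    after = {"islandora": {"fedoraAdmin"}}   # mapping after the fix
    print(authorize_write("islandora", before),
          authorize_write("islandora", after))
```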
