Closed peutch closed 4 months ago
@peutch -- I can't reproduce (5.1.0-SNAPSHOT from git) because I get 404 not 403.
Could you show all of shiro.ini and the command line used to start Fuseki please?
Here is the shiro.ini full content:
# Licensed under the terms of http://www.apache.org/licenses/LICENSE-2.0

[main]
# Development
ssl.enabled = false

plainMatcher=org.apache.shiro.authc.credential.SimpleCredentialsMatcher
#iniRealm=org.apache.shiro.realm.text.IniRealm
iniRealm.credentialsMatcher = $plainMatcher

localhostFilter=org.apache.jena.fuseki.authz.LocalhostFilter

[users]
# Implicitly adds "iniRealm = org.apache.shiro.realm.text.IniRealm"
admin=pw

[roles]

[urls]
## Control functions open to anyone
/$/status = anon
/$/server = anon
/$/ping = anon
/$/metrics = anon
/$/stats = anon

## and the rest are restricted to localhost.
/$/** = localhostFilter

## If you want simple, basic authentication user/password
## on the operations,
## 1 - set a better password in [users] above.
## 2 - comment out the "/$/** = localhost" line and use:
## "/$/** = authcBasic,user[admin]"

## or to allow any access.
#/$/** = anon

# Everything else
/**=anon

It is almost the same as the one provided by jena-fuseki2/jena-fuseki-webapp/src/main/resources/org/apache/jena/fuseki/webapp/shiro.ini, except for the addition of '/$/stats'; could this explain your 404?
The only option for the command line is: --contextPath=/fuseki
In fact it is impossible on my side to reproduce if the client (a browser) is on the same host as the one running the webapp. So it is not easy to see why the UI is doing such a request only in a «remote» case and finally getting an error back. And the shiro.ini change is no help.
(On mobile, after a long week/conference)
Maybe you can try building the UI project with the context too: yarn build --base=fuseki
Can't recall if we fixed it so that the UI works with any custom prefix, or if it needs to be rebuilt.
> In fact it is impossible on my side to reproduce if the client (a browser) is on the same host as the one running the webapp. So it is not easy to see why the UI is doing such a request only in a «remote» case and finally getting an error back. And the shiro.ini change is no help.

If you use the network IP address of the machine, not localhost or 127.0.0.0 or [::1], then it acts as a remote request.
I was trying to reproduce using curl calling the server, not via the UI. It's not behaving in a way I'd expect with any choice of path.
Using curl and the current latest code base and in shiro.ini - add
/$/stats = anon
--contextPath=/ABC
curl 'http://localhost:3030/ABC/ds'
=> 200
curl 'http://localhost:3030/ABC/$/stats'
=> 200
curl 'http://localhost:3030/ABC/$/stats/ds'
=> 200
curl 'http://localhost:3030/ABC/$/stats/other'
=> 404
and with remote IP address:
curl 'http://192.168.1.13:3030/ABC/ds'
=> 200
curl 'http://192.168.1.13:3030/ABC/$/stats'
=> 200
curl 'http://192.168.1.13:3030/ABC/$/stats/ds'
=> 403
curl 'http://192.168.1.13:3030/ABC/$/stats/other'
=> 403
If shiro.ini changes to: (NB ** matches zero paths)
/$/stats/** = anon
curl 'http://192.168.1.13:3030/ABC/$/stats'
=> 200
curl 'http://192.168.1.13:3030/ABC/$/stats/ds'
=> 200
curl 'http://192.168.1.13:3030/ABC/$/stats/other'
=> 404
Notes:
--contextPath=ABC (no slash) messes things up. It's a bug.

Great, I confirm that it works fine by simply adjusting the configuration file (shiro.ini). Many thanks @afs!
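The matching behaviour behind the curl results in this thread, as an added example that is not part of the original discussion and is not Fuseki or Shiro code: a simplified Python model of first-match-wins `[urls]` resolution with Ant-style patterns. Assumptions: paths are relative to the context path, only `anon` and `localhostFilter` are modelled, the fix replaces the `/$/stats` line, and the model yields the access decision only (200 versus 404 then depends on whether the dataset exists).

```python
import ipaddress
import re

def _seg_match(pat, seg):
    # Inside one path segment: '*' is any run of characters, '?' is one character.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
    return re.fullmatch(rx, seg) is not None

def ant_match(pattern, path):
    """Ant-style match: '**' stands for zero or more whole path segments."""
    def split(s):
        return [p for p in s.split("/") if p]
    def walk(ps, xs):
        if not ps:
            return not xs
        if ps[0] == "**":
            return any(walk(ps[1:], xs[i:]) for i in range(len(xs) + 1))
        return bool(xs) and _seg_match(ps[0], xs[0]) and walk(ps[1:], xs[1:])
    return walk(split(pattern), split(path))

def decide(urls, path, client_ip):
    """Return (matched_pattern, allowed); the first matching [urls] line wins."""
    for pattern, chain in urls:
        if ant_match(pattern, path):
            if chain == "anon":
                return pattern, True
            if chain == "localhostFilter":
                return pattern, ipaddress.ip_address(client_ip).is_loopback
            return pattern, False  # other filters are not modelled here
    return None, True  # no line matched, so no Shiro chain is applied

# [urls] section from the thread, in file order.
BEFORE = [("/$/status", "anon"), ("/$/server", "anon"), ("/$/ping", "anon"),
          ("/$/metrics", "anon"), ("/$/stats", "anon"),
          ("/$/**", "localhostFilter"), ("/**", "anon")]
# Same section with the suggested change (assumed to replace the /$/stats line).
AFTER = [(p if p != "/$/stats" else "/$/stats/**", c) for p, c in BEFORE]

def replay(client_ip="192.168.1.13"):
    """Decisions for the paths tested with curl, before and after the change."""
    paths = ["/ds", "/$/stats", "/$/stats/ds", "/$/datasets"]
    return {p: (decide(BEFORE, p, client_ip), decide(AFTER, p, client_ip)) for p in paths}

if __name__ == "__main__":
    for path, (before, after) in replay().items():
        print(f"{path:14} before={before} after={after}")
```

The exact pattern `/$/stats` never covers `/$/stats/ds`, so that request falls to `/$/** = localhostFilter`; after the change the rest of `/$/` (for example `/$/datasets`) is still limited to loopback clients.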
Version
5.1.0-SNAPSHOT
Question
Hi,
The Fuseki UI webapp is set up with a contextPath (/fuseki). Whatever the panel (query, add data, edit, info) of a dataset, one of the AJAX queries is failing: http://localhost:3030/fuseki/$/stats/XXXXXX where XXXXXX is the dataset concerned. Such a request returns an HTTP 403 (Forbidden) and opens an "AxiosError" pop-up.
Is it something related to the configuration or a possible bug?
For info, the shiro.ini contains:
[urls]
## Control functions open to anyone
/$/status = anon
/$/server = anon
/$/ping = anon
/$/metrics = anon
/$/stats = anon
Many thanks, Patrice