apache / jena

Apache Jena
https://jena.apache.org/
Apache License 2.0

trouble with Fuseki UI and one AJAX request (/$/stats) #2505

Closed peutch closed 4 months ago

peutch commented 4 months ago

Version

5.1.0-SNAPSHOT

Question

Hi,

The Fuseki UI webapp is set up with a contextPath (/fuseki). Whatever the panel (query, add data, edit, info) of a dataset, one of the AJAX queries is failing: http://localhost:3030/fuseki/$/stats/XXXXXX where XXXXXX is the dataset concerned. Such a request returns an HTTP 403 (Forbidden) and opens an "AxiosError" pop-up.

Is it something related to the configuration or a possible bug?

For info, the shiro.ini contains:

[urls]
## Control functions open to anyone
/$/status = anon
/$/server = anon
/$/ping = anon
/$/metrics = anon
/$/stats = anon

Many thanks, Patrice

afs commented 4 months ago

@peutch -- I can't reproduce (5.1.0-SNAPSHOT from git) because I get 404 not 403.

Could you show all of shiro.ini and the command line used to start Fuseki please?

peutch commented 4 months ago

Here is the shiro.ini full content:

# Licensed under the terms of http://www.apache.org/licenses/LICENSE-2.0

[main]
# Development
ssl.enabled = false 

plainMatcher=org.apache.shiro.authc.credential.SimpleCredentialsMatcher
#iniRealm=org.apache.shiro.realm.text.IniRealm 
iniRealm.credentialsMatcher = $plainMatcher

localhostFilter=org.apache.jena.fuseki.authz.LocalhostFilter

[users]
# Implicitly adds "iniRealm =  org.apache.shiro.realm.text.IniRealm"
admin=pw

[roles]

[urls]
## Control functions open to anyone
/$/status  = anon
/$/server  = anon
/$/ping    = anon
/$/metrics = anon
/$/stats   = anon

## and the rest are restricted to localhost.
/$/** = localhostFilter

## If you want simple, basic authentication user/password
## on the operations, 
##    1 - set a better password in [users] above.
##    2 - comment out the "/$/** = localhost" line and use:
## "/$/** = authcBasic,user[admin]"

## or to allow any access.
#/$/** = anon

# Everything else
/**=anon

It is almost the same as the one provided by jena-fuseki2/jena-fuseki-webapp/src/main/resources/org/apache/jena/fuseki/webapp/shiro.ini, except for the addition of '/$/stats'; could this explain your 404?

peutch commented 4 months ago

The only option for the command line is: --contextPath=/fuseki

peutch commented 4 months ago

In fact it is impossible on my side to reproduce if the client (a browser) is on the same host as the one of the webapp running. So it is not easy to see why UI is doing such a request only in a «remote» case and to finally get an error back? And the shiro.ini change is no help.

kinow commented 4 months ago

(On mobile, after a long week/conference)

Maybe you can try building the UI project with the context too. Yarn build --base=fuseki

Can't recall if we fixed it so that the UI works with any custom prefix, or if it needs to be rebuilt.

afs commented 4 months ago

In fact it is impossible on my side to reproduce if the client (a browser) is on the same host as the one of the webapp running. So it is not easy to see why UI is doing such a request only in a «remote» case and to finally get an error back? And the shiro.ini change is no help.

If you use the network IP address of the machine, not localhost or 127.0.0.0 or [::1], then it acts as a remote request.

I was trying to reproduce using curl calling the server, not via the UI. It's not behaving in a way I'd expect with any choice of path.

afs commented 4 months ago

Using curl and the current latest code base and in shiro.ini - add

/$/stats   = anon

curl 'http://localhost:3030/ABC/ds' => 200
curl 'http://localhost:3030/ABC/$/stats' => 200
curl 'http://localhost:3030/ABC/$/stats/ds' => 200
curl 'http://localhost:3030/ABC/$/stats/other' => 404

and with remote IP address:

curl 'http://192.168.1.13:3030/ABC/ds' => 200
curl 'http://192.168.1.13:3030/ABC/$/stats' => 200
curl 'http://192.168.1.13:3030/ABC/$/stats/ds' => 403
curl 'http://192.168.1.13:3030/ABC/$/stats/other' => 403

If shiro.ini changes to: (NB ** matches zero paths)

/$/stats/**   = anon

curl 'http://192.168.1.13:3030/ABC/$/stats' => 200
curl 'http://192.168.1.13:3030/ABC/$/stats/ds' => 200
curl 'http://192.168.1.13:3030/ABC/$/stats/other' => 404

Notes:

peutch commented 4 months ago

Great, I confirm that it works fine by simply adjusting the configuration file (shiro.ini). Many thanks @afs!
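
The rule matching behind the curl results in this thread, as an added example that is not part of the original discussion and is not Jena or Shiro code: a simplified Python model of first-match-wins, Ant-style [urls] resolution over the posted shiro.ini rules. It assumes paths are matched relative to the context path; the function names and the matcher itself are illustrative, not Shiro's implementation.

```python
import re

# [urls] rules from the shiro.ini posted in the thread, in file order.
POSTED = [("/$/status", "anon"), ("/$/server", "anon"), ("/$/ping", "anon"),
          ("/$/metrics", "anon"), ("/$/stats", "anon"),
          ("/$/**", "localhostFilter"), ("/**", "anon")]
# Same rules with the one-line change that resolved the issue.
FIXED = [(("/$/stats/**" if p == "/$/stats" else p), f) for p, f in POSTED]

def seg_match(pattern, segment):
    """Match one path segment: '*' is any run of characters, '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, segment) is not None

def ant_match(pattern, path):
    """Simplified Ant-style match: '**' covers zero or more whole segments."""
    def walk(ps, xs):
        if not ps:
            return not xs
        if ps[0] == "**":
            return any(walk(ps[1:], xs[i:]) for i in range(len(xs) + 1))
        return bool(xs) and seg_match(ps[0], xs[0]) and walk(ps[1:], xs[1:])
    split = lambda s: [p for p in s.split("/") if p]
    return walk(split(pattern), split(path))

def resolve(rules, path):
    """Return (pattern, filter) of the first rule that matches, else None."""
    for pattern, flt in rules:
        if ant_match(pattern, path):
            return pattern, flt
    return None

def allowed(rules, path, from_localhost):
    """Model: 'anon' admits everyone, 'localhostFilter' only local clients.
    A path with no matching rule is treated as unfiltered (assumption)."""
    flt = (resolve(rules, path) or (None, "anon"))[1]
    return flt == "anon" or (flt == "localhostFilter" and from_localhost)

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("fixed", FIXED)):
        for path in ("/$/stats", "/$/stats/ds", "/$/ping", "/ds"):
            print(name, path, resolve(rules, path), allowed(rules, path, False))
```

With the posted rules, /$/stats/ds is not covered by the exact pattern /$/stats and falls through to /$/** = localhostFilter, which is why only remote clients saw the 403.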
