ging / fiware-idm-deprecated

DEPRECATED - Identity Manager - Keyrock
Apache License 2.0

Error in XML-Request sent to AuthZForce? #70

Closed AnotherCodeArtist closed 8 years ago

AnotherCodeArtist commented 8 years ago

After a while I managed to set up IdM, PEP and AuthZForce, and as long as I use Level 1 Authentication everything works fine. However, enabling Level 2 leads to the following problems:

When making a request from my demo app, the PEP log comes up with the following message:

2016-08-18 07:10:25.999  - INFO: IDM-Client - Checking token with IDM...
2016-08-18 07:10:26.027  - INFO: AZF-Client - Checking auth with AZF...
2016-08-18 07:10:26.027  - INFO: AZF-Client - Checking authorization to roles [ 'dbacabd2db70433e9ea12400cc2b7023' ] to do  GET  on  v2/entities and app  239c530ac97748e4a84bac5f7ea62d4d
2016-08-18 07:10:26.030  - INFO: AZF-Client - Checking auth with AZF...
2016-08-18 07:10:26.057  - ERROR: Server - Caught exception: Error: There are errors in your xml file: syntax error

So I initially thought that there was something wrong with PEP/WILMA, but analyzing the log of AuthZForce brought me to this message, which always appears when I save the role configuration in the IdM web interface (which does not come up with an error but pretends that everything is fine):

2016-08-18 08:48:29,864|WARN |http-apr-8080-exec-4|org.apache.cxf.jaxrs.provider.AbstractJAXBProvider:689|javax.xml.bind.UnmarshalException
 - with linked exception:
[org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 150; cvc-complex-type.2.4.a: Invalid content was found starting with element 'rootPolicyRefExpression'. One of '{"http://authzforce.github.io/rest-api-model/xmlns/authz/5":feature, "http://authzforce.github.io/rest-api-model/xmlns/authz/5":rootPolicyRefExpression}' is expected.]
    at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallerImpl.handleStreamException(UnmarshallerImpl.java:420)
    at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:357)
    at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:327)
    at org.apache.cxf.jaxrs.provider.JAXBElementProvider.unmarshalFromInputStream(JAXBElementProvider.java:291)
    at org.apache.cxf.jaxrs.provider.JAXBElementProvider.doUnmarshal(JAXBElementProvider.java:242)
    at org.apache.cxf.jaxrs.provider.JAXBElementProvider.readFrom(JAXBElementProvider.java:191)
    at org.apache.cxf.jaxrs.utils.JAXRSUtils.readFromMessageBodyReader(JAXRSUtils.java:1337)
    at org.apache.cxf.jaxrs.utils.JAXRSUtils.readFromMessageBody(JAXRSUtils.java:1288)
    at org.apache.cxf.jaxrs.utils.JAXRSUtils.processParameter(JAXRSUtils.java:824)
    at org.apache.cxf.jaxrs.utils.JAXRSUtils.processParameters(JAXRSUtils.java:787)
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:268)
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:271)
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:271)
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:99)
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPut(AbstractHTTPServlet.java:229)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:653)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:268)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.ow2.authzforce.webapp.ExceptionFilter.doFilter(ExceptionFilter.java:87)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1082)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)
    at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2454)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 150; cvc-complex-type.2.4.a: Invalid content was found starting with element 'rootPolicyRefExpression'. One of '{"http://authzforce.github.io/rest-api-model/xmlns/authz/5":feature, "http://authzforce.github.io/rest-api-model/xmlns/authz/5":rootPolicyRefExpression}' is expected.
    at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:198)
    at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:134)
    at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:396)
    at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:327)
    at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:284)
    at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(XMLSchemaValidator.java:452)
    at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(XMLSchemaValidator.java:3230)
    at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:1790)
    at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.startElement(XMLSchemaValidator.java:740)
    at com.sun.org.apache.xerces.internal.jaxp.validation.ValidatorHandlerImpl.startElement(ValidatorHandlerImpl.java:570)
    at com.sun.xml.internal.bind.v2.runtime.unmarshaller.ValidatingUnmarshaller.startElement(ValidatingUnmarshaller.java:86)
    at com.sun.xml.internal.bind.v2.runtime.unmarshaller.StAXStreamConnector.handleStartElement(StAXStreamConnector.java:231)
    at com.sun.xml.internal.bind.v2.runtime.unmarshaller.StAXStreamConnector.bridge(StAXStreamConnector.java:165)
    at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:355)
    ... 48 more

The funny thing is that it is classified as a warning.

Here's the content of pdp.properties:

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<ns2:pdpProperties lastModifiedTime="2016-08-18T09:11:05.106Z">
  <ns2:feature type="urn:ow2:authzforce:feature-type:pdp:core" enabled="false">urn:ow2:authzforce:feature:pdp:core:xpath-eval</ns2:feature>
  <ns2:feature type="urn:ow2:authzforce:feature-type:pdp:core" enabled="false">urn:ow2:authzforce:feature:pdp:core:strict-attribute-issuer-match</ns2:feature>
  <ns2:feature type="urn:ow2:authzforce:feature-type:pdp:request-filter" enabled="true">urn:ow2:authzforce:feature:pdp:request-filter:default-lax</ns2:feature>
  <ns2:feature type="urn:ow2:authzforce:feature-type:pdp:request-filter" enabled="false">urn:ow2:authzforce:feature:pdp:request-filter:multiple:repeated-attribute-categories-strict</ns2:feature>
  <ns2:feature type="urn:ow2:authzforce:feature-type:pdp:request-filter" enabled="false">urn:ow2:authzforce:feature:pdp:request-filter:multiple:repeated-attribute-categories-lax</ns2:feature>
  <ns2:feature type="urn:ow2:authzforce:feature-type:pdp:request-filter" enabled="false">urn:ow2:authzforce:feature:pdp:request-filter:default-strict</ns2:feature>
  <ns2:rootPolicyRefExpression>root</ns2:rootPolicyRefExpression>
  <ns2:applicablePolicies>
    <ns2:rootPolicyRef Version="0.1.0">root</ns2:rootPolicyRef>
  </ns2:applicablePolicies>
</ns2:pdpProperties>

Here's the content of prp.properties:

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<ns2:prpProperties>
  <ns2:maxPolicyCount>10</ns2:maxPolicyCount>
  <ns2:maxVersionCountPerPolicy>10</ns2:maxVersionCountPerPolicy>
  <ns2:versionRollingEnabled>true</ns2:versionRollingEnabled>
</ns2:prpProperties>

Here's the content of attribute.providers:

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<ns2:attributeProviders />

Here's the content of `policies`:

<ns2:resources>
  <link rel="item" href="4afb36da-3f6d-437d-bd8c-b0280dd3581d" />
  <link rel="item" href="4f29e6d1-0231-45ef-97cf-5723c9563d2d" />
  <link rel="item" href="root" />
</ns2:resources>

All three items listed in policies come up with the following content:

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<ns2:resources>
  <link rel="item" href="1.0" />
</ns2:resources>

cdanger commented 8 years ago

Hello, I assume you are using AuthZForce version 5.4.0 or later, in which case the format of the IDM request to AZF for setting the root policy ID (rootPolicyRefExpression) is no longer valid. You have to change the content of IDM's template file openstack_dashboard/templates/access_control/policy_properties.xacml to this (basically the only change consists of removing the 'ns2' namespace prefix):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<pdpPropertiesUpdate xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5">
  <rootPolicyRefExpression>{{ policy_id }}</rootPolicyRefExpression>
</pdpPropertiesUpdate>

Could you try again with that configuration? You may have to restart the IDM dashboard first to apply the change.

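The schema error in the posted stack trace names the rejected element only by its local name (`rootPolicyRefExpression`) while listing the expected elements with the `authz/5` namespace, which is what a validator reports when the element arrives under a prefix bound to some other namespace. The following added example (not code from the fiware-idm or AuthZForce projects) builds the `pdpPropertiesUpdate` body the way the corrected template does, and runs a namespace check on the body before it is sent, so a wrongly prefixed template is caught on the IdM side instead of surfacing as a WARN line in the AuthZForce log. The `urn:example:wrong-namespace` binding in the constructed broken sample is an assumption about the failure shape; the page does not show the old template's literal content.

```python
"""Build and pre-check an AuthZForce pdpPropertiesUpdate body (added example)."""

from typing import List
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Namespace quoted verbatim in the cvc-complex-type.2.4.a error on this page.
AUTHZ_NS = "http://authzforce.github.io/rest-api-model/xmlns/authz/5"


def render_pdp_properties_update(policy_id: str) -> bytes:
    """Produce the same document as the corrected policy_properties.xacml template:
    a default namespace on the root and no prefixes. The policy id is XML-escaped
    so an id that came from user input cannot inject extra elements."""
    body = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<pdpPropertiesUpdate xmlns="{AUTHZ_NS}">'
        f"<rootPolicyRefExpression>{escape(policy_id)}</rootPolicyRefExpression>"
        "</pdpPropertiesUpdate>"
    )
    return body.encode("utf-8")


def check_update_body(xml_bytes: bytes) -> List[str]:
    """Return the problems a schema-aware receiver would raise for this document
    (empty list when it is acceptable): root must be {authz/5}pdpPropertiesUpdate
    and its single child {authz/5}rootPolicyRefExpression with a non-empty id."""
    problems: List[str] = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:  # e.g. an ns2 prefix that is never declared
        return [f"not well-formed XML: {exc}"]

    expected_root = f"{{{AUTHZ_NS}}}pdpPropertiesUpdate"
    if root.tag != expected_root:
        problems.append(f"root element is {root.tag!r}, expected {expected_root!r}")

    children = list(root)
    if len(children) != 1:
        problems.append(f"expected exactly one child element, found {len(children)}")

    expected_child = f"{{{AUTHZ_NS}}}rootPolicyRefExpression"
    for child in children:
        if child.tag != expected_child:
            # Same shape as the validator's message: local name matched, namespace did not.
            problems.append(
                f"invalid content starting with element {child.tag!r}; "
                f"expected {expected_child!r}"
            )
        elif not (child.text or "").strip():
            problems.append("rootPolicyRefExpression is empty")
    return problems


# Constructed sample: root in the right namespace, child under an ns2 prefix that is
# bound to a different namespace (assumed shape of the failing request, not the
# original template's literal content).
BROKEN_BODY = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<pdpPropertiesUpdate xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5"'
    b' xmlns:ns2="urn:example:wrong-namespace">'
    b"<ns2:rootPolicyRefExpression>root</ns2:rootPolicyRefExpression>"
    b"</pdpPropertiesUpdate>"
)

# Constructed sample: ns2 prefix used but never declared, which is not even well-formed.
UNBOUND_PREFIX_BODY = (
    b'<pdpPropertiesUpdate xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5">'
    b"<ns2:rootPolicyRefExpression>root</ns2:rootPolicyRefExpression>"
    b"</pdpPropertiesUpdate>"
)


if __name__ == "__main__":
    for label, body in (
        ("corrected template", render_pdp_properties_update("root")),
        ("wrong namespace", BROKEN_BODY),
        ("unbound prefix", UNBOUND_PREFIX_BODY),
    ):
        print(label, "->", check_update_body(body) or "OK")
```

Running the check from the IdM before the PUT turns the silent "saved successfully" in the web interface into a visible error, which is the behaviour the original report found misleading.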
federicofdez commented 8 years ago

Seems to be solved. Please feel free to reopen this issue otherwise.

Regards, Federico