
AccessDeniedException

luca
Star Contributor
Hi,
I have a permission problem:
sometimes the Web Client returns AccessDeniedException after updates from WebServices:
org.alfresco.repo.security.permissions.AccessDeniedException: Access Denied. You do not have the appropriate permissions
to perform this operation.
caused by:
net.sf.acegisecurity.AccessDeniedException: Access Denied

It doesn't happen every time, so I'm not sure what the problem is, and I also don't understand the steps to reproduce it.

The WebService creates some spaces and adds permissions to them, but if I check the permissions, logging in as administrator, I can see that the permissions are correct.

I don't know if the permissions check is based on the Lucene index, so it could be that the Lucene indexes aren't updated.
Or if it uses the database, so it could be a permission cache problem.
Or is it a problem caused by the cluster environment?

What can I check?

Sorry, but I can't be very specific because I can't reproduce it and I don't find any log about them in catalina.out.

We are using Alfresco Labs 3.0 with Tomcat in a cluster with two machines (two separate directories for the Lucene indexes and one database with Postgres).

Thanks,
Luca
4 REPLIES 4

luca
Star Contributor
Hi All,
it seems that the whole problem is caused by ExternalAccessServlet.

I don't know if it is a bug or a wrong configuration, but it seems that if I try to access it directly, it doesn't call the login page if the user isn't already logged in.
For example:
/alfresco/navigate/browse/webdav/myFolder

I use CAS to authenticate users.

Can anyone help?

luca
Star Contributor
I found that the /navigate/* URLs were not under the CAS filter, so the user couldn't authenticate, resulting in an ADE Exception.

Now I have added it, but it results in an infinite loop!  :shock:

I found that the ExternalAccessServlet, after a correct authentication through the CAS filter, sends me back to the login page, which calls the CAS filter again, which finds that the user is authenticated and so sends me back to the page that I called first, so I return to the ExternalAccessServlet to start the round again.  :cry:

Now I'll see if there is a solution. If anyone has an idea, please help!
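
An added example, not part of the original post and not Alfresco code: a check that lists servlet mappings in a web.xml that no URL-pattern mapping of the authentication filter covers, which is the /navigate/* gap described above. The web.xml fragment is constructed, and the filter and servlet names in it ("CAS Filter", "ExternalAccessServlet", "Faces Servlet", "Download Servlet") are assumed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment; all filter/servlet names are placeholders.
WEB_XML = """<web-app>
  <filter-mapping><filter-name>CAS Filter</filter-name><url-pattern>/faces/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS Filter</filter-name><url-pattern>/webdav/*</url-pattern></filter-mapping>
  <servlet-mapping><servlet-name>Faces Servlet</servlet-name><url-pattern>/faces/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>ExternalAccessServlet</servlet-name><url-pattern>/navigate/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Download Servlet</servlet-name><url-pattern>/faces/download/file</url-pattern></servlet-mapping>
</web-app>"""

def local(tag):
    """Strip an XML namespace prefix such as '{http://...}filter-mapping'."""
    return tag.rsplit("}", 1)[-1]

def mappings(root, kind):
    """Return (name, url-pattern) pairs for 'filter-mapping' or 'servlet-mapping'."""
    pairs = []
    for el in root.iter():
        if local(el.tag) != kind:
            continue
        name, patterns = None, []
        for child in el:
            tag = local(child.tag)
            if tag in ("filter-name", "servlet-name"):
                name = (child.text or "").strip()
            elif tag == "url-pattern":
                patterns.append((child.text or "").strip())
        pairs += [(name, p) for p in patterns]
    return pairs

def covers(filter_pat, servlet_pat):
    """True if every path matched by servlet_pat is also matched by filter_pat."""
    if filter_pat == "/*":
        return True
    if filter_pat.endswith("/*"):  # path-prefix mapping
        prefix = filter_pat[:-2]
        return servlet_pat == prefix or servlet_pat.startswith(prefix + "/")
    return filter_pat == servlet_pat  # exact or identical extension mapping

def unprotected(web_xml, auth_filter):
    """Servlet mappings not covered by any url-pattern mapping of auth_filter.
    Filter mappings bound by <servlet-name> are not considered here."""
    root = ET.fromstring(web_xml)
    guards = [p for n, p in mappings(root, "filter-mapping") if n == auth_filter]
    return [(n, p) for n, p in mappings(root, "servlet-mapping")
            if not any(covers(g, p) for g in guards)]

if __name__ == "__main__":
    for name, pattern in unprotected(WEB_XML, "CAS Filter"):
        print(f"not behind the auth filter: {name} {pattern}")
```
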

luca
Star Contributor
I have looked more deeply into the code and I found that the problem is that the ExternalAccessServlet tries to authenticate the user using the ticket sent from CAS, but it doesn't find any Alfresco ticket in its cache and throws an ADE Exception.

Does anyone have a similar problem?

jdbrown
Champ in-the-making
Are you clustering the Alfresco ticketCache? See /extension/ehcache-custom.sample.cluster.xml. I think that would be needed since CAS may get a ticket against Alf1 and then your servlet tries to authenticate against Alf2.