Uploaded image for project: 'Alfresco One Platform'
  1. Alfresco One Platform
  2. ACE-5725

Multi tenant with CAS (external authentication) gives some permission denied exceptions sometimes

    Details

    • ACT Numbers:

      Community

      Description

      External Authentication with CAS is still a problem in 201611
      How to reproduce:
      Install with alfresco-community-installer-201611-EA-linux-x64.bin
      Enable external authentication with CAS as per the instructions in the documentation: http://docs.alfresco.com/community/concepts/auth-external-intro.html
      Surf to /share
      Login with CAS
      After succesfull login with CAS the dashboard page is fully loaded and no additional authentication is necessary.
      seems to work fine until this step using the fix from ACE-5661

      I also tested with Multitenancy and there still is a problem:
      Login to localhost:8080/share is succesfull
      however the alfresco.log will show errors (see below)
      the result of the errors is that sometimes part of the user dashboard is not present
      How to reproduce:

      • Create a tenant via the tenant-console (e.g. test.com)
      • Make sure there is a user like testuser@test.com in the ldap which is connected to CAS
      • Login with this user
      • This error will show up only once in between restarting alfresco. So it will show up again after restarting.
        The part from the alfresco.log which contains the errors:
        2016-12-19 20:14:52,917 ERROR [org.springframework.extensions.webscripts.AbstractRuntime] [http-apr-8080-exec-6] Exception from executeScript: 11190018 Access Denied.  You do not have the appropriate permissions to perform this operation.
        org.alfresco.repo.security.permissions.AccessDeniedException: 11190018 Access Denied.  You do not have the appropriate permissions to perform this operation.
                at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:57)
                at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
                at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:166)
                at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
                at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
                at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
                at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
                at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
                at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
                at com.sun.proxy.$Proxy84.setOwner(Unknown Source)
                at org.alfresco.repo.web.scripts.bean.ADMRemoteStore.resolveNodePath(ADMRemoteStore.java:879)
                at org.alfresco.repo.web.scripts.bean.ADMRemoteStore.resolveNodePath(ADMRemoteStore.java:806)
                at org.alfresco.repo.web.scripts.bean.ADMRemoteStore.access$300(ADMRemoteStore.java:111)
                at org.alfresco.repo.web.scripts.bean.ADMRemoteStore$4.doWork(ADMRemoteStore.java:485)
                at org.alfresco.repo.web.scripts.bean.ADMRemoteStore$4.doWork(ADMRemoteStore.java:481)
                at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:555)
                at org.alfresco.repo.web.scripts.bean.ADMRemoteStore.writeDocument(ADMRemoteStore.java:480)
                at org.alfresco.repo.web.scripts.bean.ADMRemoteStore.createDocument(ADMRemoteStore.java:395)
                at org.alfresco.repo.web.scripts.bean.BaseRemoteStore.execute(BaseRemoteStore.java:284)
                at org.alfresco.repo.web.scripts.RepositoryContainer$3.execute(RepositoryContainer.java:512)
                at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464)
                at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:587)
                at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:656)
                at org.alfresco.repo.web.scripts.RepositoryContainer.executeScriptInternal(RepositoryContainer.java:428)
                at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:308)
                at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:399)
                at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:210)
                at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:132)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
                at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
                at org.alfresco.module.aosmodule.service.ContextRootFilter.doFilter(ContextRootFilter.java:93)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
                at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
                at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
                at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
                at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
                at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2466)
                at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2455)
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.lang.Thread.run(Thread.java:745)
        Caused by: net.sf.acegisecurity.AccessDeniedException: Access is denied.
                at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:86)
                at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:398)
                at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
                at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
                at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:53)
                ... 55 more
        2016-12-19 20:14:53,001 ERROR [org.springframework.extensions.webscripts.AbstractRuntime] [http-apr-8080-exec-8] Exception from executeScript: 11190019 Access Denied.  You do not have the appropriate permissions to perform this operation.
        org.alfresco.repo.security.permissions.AccessDeniedException: 11190019 Access Denied.  You do not have the appropriate permissions to perform this operation.
                at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:57)
                at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
                at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:166)
                at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
                at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
                at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
                at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
                at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
                at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
                at com.sun.proxy.$Proxy84.setOwner(Unknown Source)
                at org.alfresco.repo.web.scripts.bean.ADMRemoteStore.resolveNodePath(ADMRemoteStore.java:879)
                at org.alfresco.repo.web.scripts.bean.ADMRemoteStore.resolveNodePath(ADMRemoteStore.java:806)
                at org.alfresco.repo.web.scripts.bean.ADMRemoteStore.access$300(ADMRemoteStore.java:111)
                at org.alfresco.repo.web.scripts.bean.ADMRemoteStore$4.doWork(ADMRemoteStore.java:485)
                at org.alfresco.repo.web.scripts.bean.ADMRemoteStore$4.doWork(ADMRemoteStore.java:481)
                at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:555)
                at org.alfresco.repo.web.scripts.bean.ADMRemoteStore.writeDocument(ADMRemoteStore.java:480)
                at org.alfresco.repo.web.scripts.bean.ADMRemoteStore.createDocument(ADMRemoteStore.java:395)
                at org.alfresco.repo.web.scripts.bean.BaseRemoteStore.execute(BaseRemoteStore.java:284)
                at org.alfresco.repo.web.scripts.RepositoryContainer$3.execute(RepositoryContainer.java:512)
                at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464)
                at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:587)
                at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:656)
                at org.alfresco.repo.web.scripts.RepositoryContainer.executeScriptInternal(RepositoryContainer.java:428)
                at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:308)
                at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:399)
                at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:210)
                at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:132)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
                at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
                at org.alfresco.module.aosmodule.service.ContextRootFilter.doFilter(ContextRootFilter.java:93)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
                at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
                at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
                at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
                at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
                at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2466)
                at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2455)
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.lang.Thread.run(Thread.java:745)
        Caused by: net.sf.acegisecurity.AccessDeniedException: Access is denied.
                at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:86)
                at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:398)
                at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
                at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
                at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:53)
                ... 55 more
        

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                closedissues Closed Issues
                Reporter:
                arebegea Andrei Rebegea [X] (Inactive)
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: