[RM-2396] Upload record via WebDAV fails with org.alfresco.repo.security.permissions.AccessDeniedException Created: 16-Oct-12  Updated: 17-Jul-20  Resolved: 05-Apr-17

Status: Done
Project: Records Management
Component/s: File Protocols
Affects Version/s: RM 2.2, RM 2.3, RM 2.4
Fix Version/s: RM 2.4.1

Type: Bug
Reporter: Alfresco QA Team (Inactive) Assignee: Unassigned
Resolution: Done Votes: 0
Labels: triaged
Remaining Estimate: 0 minutes
Time Spent: 1 week, 3 days, 6 hours
Original Estimate: 4 days
Environment:

Alfresco Enterprise v4.1.1 (b159 latest) + RM Module v2.0.1 (b124); QALAB Stack 2 - Windows Server 2008 R2 x64, Oracle 10g v10.2.0.5, Ojdbc6.jar use 'jdbc:oracle:thin' in db_url, JBoss 5.1.1 EAP, JDK 6 U33 X64, NTLM with SSO, Clustering Schema 1; Client: IE9, Windows 7, Windows Explorer as WebDAV client.


Attachments: PNG File CouldNotFindItem.png     PNG File Items.png     PNG File Screen Shot 2017-03-20 at 17.12.19.png     PNG File Screen Shot 2017-03-20 at 17.12.40.png     Text File alfresco.log     File catalina_webdav_multiple_files.out     Zip Archive log.zip     PNG File screen1.png     PNG File screen2.png     PNG File screen3.png    
Issue Links:
Duplicate
duplicates MNT-5882 WebDAV: An error occurs on drag&drop ... Closed
duplicates MNT-10966 4.1.7 breaks onContentUpdate policies... Closed
Related
is related to by RM-4997 Electronic Records added into unfiled... Done
Bug Priority:
Category 1
Sprint: RM Sprint 26, Flamebird 9 - The Leader, Flamebird 10 - Apocalypse
Story Points: 3

 Description   

Steps to reproduce:

1. Log on the Share as admin user;
2. Create RM site;
3. Create any category, e.g. webdav;
4. Create any folder under the category, e.g. f1;
5. Map WebDAV connection from a client machine (using 'Map network drive' action) to http://172.30.40.148:8080/alfresco/webdav as admin user;
6. Open the RM site > webdav > f1 directory;
7. Try to upload any unempty document to the directory, e.g. cifs-B.txt.

Result: An error occurs (the screenshot and the log are attached):

17:29:01,566 INFO  [STDOUT] 2012-10-16 17:29:01,565  ERROR [alfresco.webdav.protocol] [http-0.0.0.0-8080-4] java.io.PrintWriter@304998b3
 HTTP Status Code: 403 caused by: org.alfresco.repo.security.permissions.AccessDeniedException: 091643079 Access Denied.  You do not have the appropriate permissions to perform this operation.
        at org.alfresco.repo.webdav.WebDAVMethod.execute(WebDAVMethod.java:349)
        at org.alfresco.repo.webdav.WebDAVServlet.service(WebDAVServlet.java:139)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:136)
        at sun.reflect.GeneratedMethodAccessor954.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:103)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
        at $Proxy503.doFilter(Unknown Source)
        at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:183)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
        at java.lang.Thread.run(Thread.java:662)
Caused by: org.alfresco.repo.security.permissions.AccessDeniedException: 091643079 Access Denied.  You do not have the appropriate permissions to perform this operation.
        at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:50)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.alfresco.repo.audit.AuditMethodInterceptor.proceedWithAudit(AuditMethodInterceptor.java:245)
        at org.alfresco.repo.audit.AuditMethodInterceptor.proceed(AuditMethodInterceptor.java:211)
        at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:164)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
        at $Proxy291.lock(Unknown Source)
        at org.alfresco.repo.webdav.WebDAVLockService.lock(WebDAVLockService.java:250)
        at org.alfresco.repo.webdav.LockMethod.createLock(LockMethod.java:399)
        at org.alfresco.repo.webdav.LockMethod.executeImpl(LockMethod.java:358)
        at org.alfresco.repo.webdav.WebDAVMethod$2.execute(WebDAVMethod.java:336)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:388)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:278)
        at org.alfresco.repo.webdav.WebDAVMethod.execute(WebDAVMethod.java:344)
        ... 37 more
Caused by: net.sf.acegisecurity.AccessDeniedException: Access is denied.
        at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:93)
        at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:398)
        at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
        ... 53 more

8. Refresh Windows Explorer window.

Result: The empty document is present.

9. Open the directory in the Share.

Result: The empty undeclared record is present.

Expected result: The document should be successfully uploaded at step 7. Its content should not be lost.

ChristinaSh



 Comments   
Comment by Roy Wetherall (Inactive) [ 06-Aug-13 ]

Could we look at whether this is still an issue for 2.1 and if so where the problem lies.

Comment by Roy Wetherall (Inactive) [ 19-Sep-13 ]

Bouncing to 2.1.N

At this stage I don't consider WebDav upload as a critical issue for 2.1 release.

Comment by Ana Bozianu [X] (Inactive) [ 27-Nov-14 ]

I tested both on WebDAV and CIFS and the bug reproduced on WebDAV regardless of whether or not the file is empty. The issue does not reproduce on CIFS because the CIFS protocol is transactional.

I identified the following steps in WebDAV communication:

  • 1(client) : Sends PUT request to create the file file.txt
  • 2(server) : Renames the file to file<timestamp1>.txt and declares it as a record
  • 3(client) : Sends a LOCK request for file.txt file -> a new file file.txt is created
  • 4(server) : Renames the newly created file to file<timestamp2>.txt and declares it as a record
  • 5(client) : Sends a PUT request to write data to file.txt but the file is not there -> it creates a new file.txt and writes data to it
  • 6(server) : Renames the newly created file to file<timestamp3>.txt and declares it as a record
  • 7(client) : Tries to set attributes to file.txt but the file is not there -> realizes the previous steps failed -> retries steps 1-6 with the same behavior

This way we end up with 6 records from which 4 are of length 0.
I'm currently looking for a solution to delay the record declaration until WebDAV has finished.

Comment by Ana Bozianu [X] (Inactive) [ 02-Dec-14 ]

So far I tried to postpone the file from being declared as a record but this results in an error when a list is being performed on the containing folder. Further on, I plan postponing only the file renaming until the file was successfully uploaded.

I also noticed that the lock request WebDAV sends on the file has no effect on server. If it did, step 4 shouldn't be possible.

Comment by Ana Bozianu [X] (Inactive) [ 05-Dec-14 ]

Here is what I discovered:

  • The PutMethod::executeImpl method handles the PUT requests coming from WebDAV. A WebDAV file upload process starts with a PUT request that creates the file. This is the point where we can lock the file until the upload is done
  • The UnlockMethod::executeImpl method handles the UNLOCK request. A WebDAV file upload process ends with an UNLOCK request. After this point it is safe to rename the file
  • The RecordServiceImpl:makeRecord method declares a file as a record and renames it

Observing the code around I came up with this idea:

  • as soon as the file is created we add an aspect to it to indicate the upload is still in progress
  • when the file created trigger is fired and RecordServiceImpl:makeRecord is executed, I check if the node has that aspect and if it does the record will not be renamed
  • When the unlock request is sent on a file via webdav, I remove the aspect and rename the file accordingly.

The struggle I'm facing is the following: the file created trigger is fired inside the method that creates the file preventing me from adding any aspect to the file to indicate it was created trough WebDAV . This means that when makeRecord is called, the aspect is not added yet so the RM module cannot tell the file is created trough WebDAV and is not safe to rename yet. Another problem is that the RM will have to use the last version of alfresco as I need to add a new QName in the ContentModel to be available to alfresco base as well as to remote management module.

An easy solution would be to skip file renaming during the record declaration (for all files, not only for those uploaded trough WebDAV) but this is an architecture decision I cannot predict the side effects for.

A second solution would be to change the createFile method declaration by adding a list of initial aspects and assign them to the file before the trigger is fired.

Comment by Ana Bozianu [X] (Inactive) [ 10-Dec-14 ]

Provided a temporary workaround to this problem:

  • in the first WebDAV request (PUT) after the file is created, I check if the file has been renamed and, if it has, I create an aspect with it's new name (the one provided by RM module) and rename it with the original name.
  • in the last WebDAV request (UNLOCK), if the file has the aspect I rename the file with the aspect's content and remove the aspect

After the WebDAV upload the folder still needs to be refreshed for the file to appear with the new name but there is only one file created and it's content is consistent. I created a new aspect to avoid creating other problems.

I think there could be a problem if Record Management module would try to find the file by its name but I couldn't find a test case for this.

I commited the changes with revision R92142 in branch DEV/NESS/HEAD-BUG-FIX_2014_12_10

Comment by Roy Wetherall (Inactive) [ 14-Jul-15 ]

Moved to RM project as suggested.

Comment by Roy Wetherall (Inactive) [ 22-Sep-16 ]

Category 1: Data loss

Comment by Build And Packaging (Inactive) [ 08-Mar-17 ]

Silviu Dinuta mentioned this issue in a merge request of records-management/records-management:
'RM-2396: first draft solution'

Comment by Kristijan Conkas [X] (Inactive) [ 20-Mar-17 ]

Results of CIFS testing using prepared fileplan:

c1 (category) / f1 (folder)
              / sc1 (sub-category)
  • Share listing is functional:
    MBP-KCONKAS-0915:~ kconkas$ smbclient -L '\\192.168.33.10' -U test01
    Enter test01's password: 
    Domain=[WORKGROUP] OS=[Java] Server=[Alfresco CIFS Server 6.0.0]
    
    	Sharename       Type      Comment
    	---------       ----      -------
    	Alfresco        Disk      
    	IPC$            IPC       
    Domain=[WORKGROUP] OS=[Java] Server=[Alfresco CIFS Server 6.0.0]
    
    	Server               Comment
    	---------            -------
    
    	Workgroup            Master
    	---------            -------
    MBP-KCONKAS-0915:~ kconkas$ smbclient -U test01 '\\192.168.33.10\Alfresco'
    Enter test01's password: 
    Domain=[WORKGROUP] OS=[Java] Server=[Alfresco CIFS Server 6.0.0]
    smb: \> dir
      .                                   D        0  Mon Mar 20 16:33:36 2017
      ..                                  D        0  Mon Mar 20 16:33:36 2017
      __ShowDetails.exe                       393216  Mon Mar 20 16:33:49 2017
      __CheckInOut.exe                        393216  Mon Mar 20 16:33:49 2017
      Shared                              D        0  Mon Mar 20 16:33:26 2017
      Imap Attachments                    D        0  Mon Mar 20 16:33:26 2017
      Guest Home                          D        0  Mon Mar 20 16:33:26 2017
      User Homes                          D        0  Mon Mar 20 16:38:06 2017
      Sites                               D        0  Mon Mar 20 16:33:47 2017
      Data Dictionary                     D        0  Mon Mar 20 16:33:55 2017
      IMAP Home                           D        0  Mon Mar 20 16:33:27 2017
    
    		40284 blocks of size 1048576. 36795 blocks available
    smb: \> cd \Sites\rm\documentLibrary
    smb: \Sites\rm\documentLibrary\> dir
      .                                   D        0  Mon Mar 20 16:42:37 2017
      ..                                  D        0  Mon Mar 20 16:38:21 2017
      __ShowDetails.exe                       393216  Mon Mar 20 16:33:49 2017
      __CheckInOut.exe                        393216  Mon Mar 20 16:33:49 2017
      Unfiled Records                     D        0  Mon Mar 20 16:38:19 2017
      c1                                  D        0  Mon Mar 20 16:42:50 2017
      Transfers                           D        0  Mon Mar 20 16:38:19 2017
      Holds                               D        0  Mon Mar 20 16:38:19 2017
    
    		40284 blocks of size 1048576. 36795 blocks available
    smb: \Sites\rm\documentLibrary\c1\> mkdir f2
    NT_STATUS_ACCESS_DENIED making remote directory \Sites\rm\documentLibrary\c1\f2
    
  • Can't create folder within subfolder:
    smb: \Sites\rm\documentLibrary\c1\f1\> mkdir f2
    NT_STATUS_IO_TIMEOUT making remote directory \Sites\rm\documentLibrary\c1\f1\f2
    
  • Can put file and it gets declared a record:
    smb: \Sites\rm\documentLibrary\c1\f1\> put jenkins_token.txt
    putting file jenkins_token.txt as \Sites\rm\documentLibrary\c1\f1\jenkins_token.txt (0.1 kb/s) (average 0.1 kb/s)
    smb: \Sites\rm\documentLibrary\c1\f1\> dir
      .                                   D        0  Mon Mar 20 16:47:32 2017
      ..                                  D        0  Mon Mar 20 16:42:50 2017
      __ShowDetails.exe                       393216  Mon Mar 20 16:33:49 2017
      __CheckInOut.exe                        393216  Mon Mar 20 16:33:49 2017
      jenkins_token (2017-1490028452760).txt              41  Mon Mar 20 16:47:32 2017
    smb: \Sites\rm\documentLibrary\c1\f1\> put catalina.out
    putting file catalina.out as \Sites\rm\documentLibrary\c1\f1\catalina.out (122.3 kb/s) (average 51.2 kb/s)
    smb: \Sites\rm\documentLibrary\c1\f1\> dir
      .                                   D        0  Mon Mar 20 16:53:41 2017
      ..                                  D        0  Mon Mar 20 16:42:50 2017
      __ShowDetails.exe                       393216  Mon Mar 20 16:33:49 2017
      __CheckInOut.exe                        393216  Mon Mar 20 16:33:49 2017
      catalina (2017-1490028821213).out           50341  Mon Mar 20 16:53:41 2017
      jenkins_token (2017-1490028452760).txt              41  Mon Mar 20 16:47:32 2017
    
    		40284 blocks of size 1048576. 36793 blocks available
    
  • Can't put file directly into a record category or sub-category:
    smb: \Sites\rm\documentLibrary\c1\> put catalina.out
    NT_STATUS_NO_SUCH_FILE opening remote file \Sites\rm\documentLibrary\c1\catalina.out
    smb: \Sites\rm\documentLibrary\c1\> dir
      .                                   D        0  Mon Mar 20 16:42:50 2017
      ..                                  D        0  Mon Mar 20 16:42:37 2017
      __ShowDetails.exe                       393216  Mon Mar 20 16:33:49 2017
      __CheckInOut.exe                        393216  Mon Mar 20 16:33:49 2017
      f1                                  D        0  Mon Mar 20 16:47:32 2017
      sc1                                 D        0  Mon Mar 20 16:42:45 2017
    
    		40284 blocks of size 1048576. 36794 blocks available
    smb: \Sites\rm\documentLibrary\c1\> cd sc1
    smb: \Sites\rm\documentLibrary\c1\sc1\> put catalina.out
    NT_STATUS_NO_SUCH_FILE opening remote file \Sites\rm\documentLibrary\c1\sc1\catalina.out
    smb: \Sites\rm\documentLibrary\c1\sc1\> dir
      .                                   D        0  Mon Mar 20 16:42:45 2017
      ..                                  D        0  Mon Mar 20 16:42:50 2017
      __ShowDetails.exe                       393216  Mon Mar 20 16:33:49 2017
      __CheckInOut.exe                        393216  Mon Mar 20 16:33:49 2017
    
    		40284 blocks of size 1048576. 36794 blocks available
    
  • Can't delete a record:
    smb: \Sites\rm\documentLibrary\c1\> cd f1
    smb: \Sites\rm\documentLibrary\c1\f1\> dir
      .                                   D        0  Mon Mar 20 16:47:32 2017
      ..                                  D        0  Mon Mar 20 16:42:50 2017
      __ShowDetails.exe                       393216  Mon Mar 20 16:33:49 2017
      __CheckInOut.exe                        393216  Mon Mar 20 16:33:49 2017
      jenkins_token (2017-1490028452760).txt              41  Mon Mar 20 16:47:32 2017
    
    		40284 blocks of size 1048576. 36794 blocks available
    smb: \Sites\rm\documentLibrary\c1\f1\> del "jenkins_token (2017-1490028452760).txt"
    NT_STATUS_ACCESS_DENIED deleting remote file \Sites\rm\documentLibrary\c1\f1\jenkins_token (2017-1490028452760).txt
    NT_STATUS_ACCESS_DENIED listing \Sites\rm\documentLibrary\c1\f1\jenkins_token (2017-1490028452760).txt
    smb: \Sites\rm\documentLibrary\c1\f1\> dir
      .                                   D        0  Mon Mar 20 16:47:32 2017
      ..                                  D        0  Mon Mar 20 16:42:50 2017
      __ShowDetails.exe                       393216  Mon Mar 20 16:33:49 2017
      __CheckInOut.exe                        393216  Mon Mar 20 16:33:49 2017
      jenkins_token (2017-1490028452760).txt              41  Mon Mar 20 16:47:32 2017
    
    		40284 blocks of size 1048576. 36794 blocks available
    
  • Can't delete record folder:
    smb: \Sites\rm\documentLibrary\c1\> rmdir f1
    NT_STATUS_DIRECTORY_NOT_EMPTY removing remote directory file \Sites\rm\documentLibrary\c1\f1
    
  • Can't delete record category:
    smb: \Sites\rm\documentLibrary\c1\> rmdir sc1
    NT_STATUS_DIRECTORY_NOT_EMPTY removing remote directory file \Sites\rm\documentLibrary\c1\sc1
    
  • Can't file into Unfiled Records:
    smb: \Sites\rm\documentLibrary\> cd "Unfiled Records"
    smb: \Sites\rm\documentLibrary\Unfiled Records\> dir
      .                                   D        0  Mon Mar 20 16:38:19 2017
      ..                                  D        0  Mon Mar 20 16:42:37 2017
      __ShowDetails.exe                       393216  Mon Mar 20 16:33:49 2017
      __CheckInOut.exe                        393216  Mon Mar 20 16:33:49 2017
    
    		40284 blocks of size 1048576. 36793 blocks available
    smb: \Sites\rm\documentLibrary\Unfiled Records\> put catalina.out
    NT_STATUS_ACCESS_DENIED opening remote file \Sites\rm\documentLibrary\Unfiled Records\catalina.out
    smb: \Sites\rm\documentLibrary\Unfiled Records\> dir
      .                                   D        0  Mon Mar 20 16:38:19 2017
      ..                                  D        0  Mon Mar 20 16:42:37 2017
      __ShowDetails.exe                       393216  Mon Mar 20 16:33:49 2017
      __CheckInOut.exe                        393216  Mon Mar 20 16:33:49 2017
    
    		40284 blocks of size 1048576. 36793 blocks available
    
  • Can't file directly into any special container:
    smb: \Sites\rm\documentLibrary\> dir
      .                                   D        0  Mon Mar 20 16:42:37 2017
      ..                                  D        0  Mon Mar 20 16:38:21 2017
      __ShowDetails.exe                       393216  Mon Mar 20 16:33:49 2017
      __CheckInOut.exe                        393216  Mon Mar 20 16:33:49 2017
      Unfiled Records                     D        0  Mon Mar 20 16:38:19 2017
      c1                                  D        0  Mon Mar 20 16:42:50 2017
      Transfers                           D        0  Mon Mar 20 16:38:19 2017
      Holds                               D        0  Mon Mar 20 16:38:19 2017
    
    		40284 blocks of size 1048576. 36793 blocks available
    smb: \Sites\rm\documentLibrary\> cd Transfers
    smb: \Sites\rm\documentLibrary\Transfers\> put catalina.out
    NT_STATUS_ACCESS_DENIED opening remote file \Sites\rm\documentLibrary\Transfers\catalina.out
    smb: \Sites\rm\documentLibrary\Transfers\> cd ..\Holds
    smb: \Sites\rm\documentLibrary\Holds\> put catalina.out
    NT_STATUS_ACCESS_DENIED opening remote file \Sites\rm\documentLibrary\Holds\catalina.out
    

My only observation was I was expecting to be able to upload (e.g. file) a record into Unfiled Records folder. Should this be in the scope of this ticket, Tuna Aksoy [X]?

Comment by Kristijan Conkas [X] (Inactive) [ 20-Mar-17 ]

WebDav uploads result with duplicate records: one with original name and the other with appender record ID (see the attachment).

Comment by Kristijan Conkas [X] (Inactive) [ 20-Mar-17 ]

New alfresco.log is available:

alfresco.log

Comment by Kristijan Conkas [X] (Inactive) [ 20-Mar-17 ]

The previous test was against a 5.1.0 installation. When tried with the latest 5.1 patch (5.1.2.1) results are different, an attempt to paste a file into a record folder using MacOS Finder client (as in the example above) throws the following exception:

2017-03-20 18:20:59,659 ERROR [org.alfresco.repo.webdav.ExceptionHandler] [http-apr-8080-exec-6] Exception thrown.
HTTP Status Code: 500 caused by: org.alfresco.error.AlfrescoRuntimeException: 02200337 Operation failed, because you can't place content directly into a record category.
	at org.alfresco.repo.webdav.WebDAVMethod.execute(WebDAVMethod.java:464)
	at org.alfresco.repo.webdav.WebDAVServlet.service(WebDAVServlet.java:156)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.alfresco.module.aosmodule.service.ContextRootFilter.doFilter(ContextRootFilter.java:93)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.alfresco.repo.webdav.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:259)
	at sun.reflect.GeneratedMethodAccessor1317.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:132)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
	at com.sun.proxy.$Proxy376.doFilter(Unknown Source)
	at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
	at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2466)
	at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2455)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)
Caused by: org.alfresco.error.AlfrescoRuntimeException: 02200337 Operation failed, because you can't place content directly into a record category.
	at org.alfresco.module.org_alfresco_module_rm.model.rma.type.RecordCategoryType.onCreateChildAssociation(RecordCategoryType.java:113)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.alfresco.repo.policy.JavaBehaviour$JavaMethodInvocationHandler.invoke(JavaBehaviour.java:181)
	at com.sun.proxy.$Proxy98.onCreateChildAssociation(Unknown Source)
	at sun.reflect.GeneratedMethodAccessor330.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.alfresco.repo.policy.PolicyFactory$MultiHandler.invoke(PolicyFactory.java:361)
	at org.alfresco.repo.policy.$Proxy275.onCreateChildAssociation(Unknown Source)
	at org.alfresco.repo.node.AbstractNodeServiceImpl.invokeOnCreateChildAssociation(AbstractNodeServiceImpl.java:635)
	at org.alfresco.repo.node.db.DbNodeServiceImpl.createNode_aroundBody24(DbNodeServiceImpl.java:440)
	at org.alfresco.repo.node.db.DbNodeServiceImpl$AjcClosure25.run(DbNodeServiceImpl.java:1)
	at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at org.alfresco.traitextender.RouteExtensions.intercept(RouteExtensions.java:100)
	at org.alfresco.repo.node.db.DbNodeServiceImpl.createNode(DbNodeServiceImpl.java:359)
	at sun.reflect.GeneratedMethodAccessor309.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
	at org.alfresco.repo.lock.mem.LockableAspectInterceptor.invoke(LockableAspectInterceptor.java:241)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
	at com.sun.proxy.$Proxy27.createNode(Unknown Source)
	at sun.reflect.GeneratedMethodAccessor309.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
	at org.alfresco.repo.tenant.MultiTNodeServiceInterceptor.invoke(MultiTNodeServiceInterceptor.java:111)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
	at com.sun.proxy.$Proxy27.createNode(Unknown Source)
	at sun.reflect.GeneratedMethodAccessor309.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.alfresco.repo.service.StoreRedirectorProxyFactory$RedirectorInvocationHandler.invoke(StoreRedirectorProxyFactory.java:231)
	at com.sun.proxy.$Proxy56.createNode(Unknown Source)
	at org.alfresco.repo.node.MLPropertyInterceptor.invoke(MLPropertyInterceptor.java:284)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.alfresco.enterprise.repo.sync.SyncPropertyInterceptor.invoke(SyncPropertyInterceptor.java:262)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.alfresco.repo.node.NodeRefPropertyMethodInterceptor.invoke(NodeRefPropertyMethodInterceptor.java:190)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
	at com.sun.proxy.$Proxy27.createNode(Unknown Source)
	at sun.reflect.GeneratedMethodAccessor309.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
	at com.sun.proxy.$Proxy27.createNode(Unknown Source)
	at org.alfresco.repo.model.filefolder.FileFolderServiceImpl.createImpl(FileFolderServiceImpl.java:1294)
	at org.alfresco.repo.model.filefolder.FileFolderServiceImpl.create(FileFolderServiceImpl.java:1261)
	at org.alfresco.repo.model.filefolder.ExtendedFileFolderServiceImpl.create(ExtendedFileFolderServiceImpl.java:61)
	at org.alfresco.repo.model.filefolder.ExtendedFileFolderServiceImpl.create(ExtendedFileFolderServiceImpl.java:50)
	at sun.reflect.GeneratedMethodAccessor972.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
	at org.alfresco.repo.model.ml.MLContentInterceptor.invoke(MLContentInterceptor.java:136)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.alfresco.repo.model.filefolder.MLTranslationInterceptor.invoke(MLTranslationInterceptor.java:275)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.alfresco.module.org_alfresco_module_rm.security.RMMethodSecurityInterceptor.invoke(RMMethodSecurityInterceptor.java:352)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:53)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.alfresco.repo.audit.AuditMethodInterceptor.proceedWithAudit(AuditMethodInterceptor.java:256)
	at org.alfresco.repo.audit.AuditMethodInterceptor.proceed(AuditMethodInterceptor.java:216)
	at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:171)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.alfresco.repo.model.filefolder.FilenameFilteringInterceptor.invoke(FilenameFilteringInterceptor.java:262)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
	at com.sun.proxy.$Proxy106.create(Unknown Source)
	at org.alfresco.repo.webdav.WebDAVHelper.createFile(WebDAVHelper.java:637)
	at org.alfresco.repo.webdav.PutMethod.executeImpl(PutMethod.java:193)
	at org.alfresco.repo.webdav.WebDAVMethod$2.execute(WebDAVMethod.java:404)
	at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464)
	at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:352)
	at org.alfresco.repo.webdav.WebDAVMethod.execute(WebDAVMethod.java:412)
	... 40 more
Comment by Kristijan Conkas [X] (Inactive) [ 20-Mar-17 ]

I repeated the same test (Alfresco One 5.1.2.1 + RM 2.4.1 snapshot server) using a Windows 8.1 client. I didn't notice any exceptions but an attempt to upload a file into a record folder using WebDav is still failing with the "The file cannot be accessed by the system" error, irrespective of the user I tried with (e.g. "admin" versus a "normal" user).

Comment by Kristijan Conkas [X] (Inactive) [ 21-Mar-17 ]

Detailed steps to reproduce WebDAV issue:

1. Install Alfresco One 5.1.2.1 (https://releases.alfresco.com/Enterprise-5.1/5.1.2/5.1.2.1/build-00021/ALL/) with RM 2.4.1 snapshot (in this test build 320 was used, https://bamboo.alfresco.com/bamboo/browse/RM-RM24ENT-320)

As admin:
2. Create test user
3. Create rm site with the following structure:

  • category / folder
  • category / subcategory

4. Verify a record can be filed into the folder
5. From RM Admin tools add the test user to RM site with "Records Management Manager" privileges
6. Open file plan and grant the test user the "Read and file" permissions on record category

As test user:
7. Log in to rm from Web interface
8. In File Plan navigate to record folder and verify you can file a record

Verification - Windows 8.1:

9. Open File Explorer
10. Click "Add a Network Location"
11. Click "Next"
12. Clock "Choose a custom network location"
13. In "Internet or network address" field type the URL of the webdav access point
14. Click "Next"
15. In "Windows Security" prompt type the test user's credentials and click "OK"
16. Click "OK"
17. Click "Next"
18. Click "Finish"
19. Navigate through Sites/rm/documentLibrary to the record folder
20. Drag a document from desktop into the record folder

Actual result: "The file cannot be accessed by the system" error occurs.
Expected result: file is copied and made a record

Important note: if after step 15 you should experience any Windows issues, this could be due to the use of the http webdav endpoint and security settings in Windows 8.1. The workaround for this is described in https://forums.iis.net/t/1207555.aspx?Windows+8+1+and+Webdav+Issue

Verification - MacOS X:

21. Open Finder
22. From "Go" menu select "Connect to server"
23. In "Server address" enter the URL of the webdav access point
24. Click "Connect"
25. In "Enter your name and password" dialog enter the test user's credentials and click "Connect"
26. Navigate through Sites/rm/documentLibrary to the record folder
27. Drag a document from desktop onto the expanded record folder

Actual result: "The Finder can’t complete the operation" error occurs.
Expected result: file is copied and made a record.

Comment by Build And Packaging (Inactive) [ 28-Mar-17 ]

Tuna Aksoy mentioned this issue in a merge request of records-management/records-management:
'RM-2396 (Upload record via WebDAV fails with org.alfresco.repo.security.permissi…'

Comment by Kristijan Conkas [X] (Inactive) [ 05-Apr-17 ]

Tested on MacOS X: for a single file upload and rename works correctly. For multiple files an error is reported and one or two files (usually the first ones to be uploaded) get filed as records and have record ID in their names, while the rest do get filed but aren't named with their record IDs.

Tested against Alfresco One 5.1.2.1 + RM build https://bamboo.alfresco.com/bamboo/browse/RM-RM24ENT-329/artifact

I'll repeat this test on Windows platform.

Comment by Kristijan Conkas [X] (Inactive) [ 05-Apr-17 ]

More on my previous comment: after the errors reported while filing multiple files (resulting with some of them being correctly named, and some not), I found some NPEs in the server log catalina_webdav_multiple_files.out . I am not sure though whether they are related to this issue.

The type of files to be filed also makes difference: while this behaviour is easily reproduced with about 15-20 .doc and .docx files, I managed to file 20 .pdf files without any errors. Is this behaviour related to some content transformation?

Comment by Kristijan Conkas [X] (Inactive) [ 05-Apr-17 ]

Multiple file upload works fine on Windows 8.1. I'll verify the behaviour on Windows 7 and Windows 10.

Comment by Kristijan Conkas [X] (Inactive) [ 05-Apr-17 ]

Windows 10 is also fine.

Comment by Kristijan Conkas [X] (Inactive) [ 05-Apr-17 ]

Verified on Windows 7 too.

Given the very limited nature of the auto-renaming issue experienced (on a specific OS, related to a specific file type and intermittent) I am happy the fix addresses the issue for which this ticket was raised and will close this ticket off as verified and open a new ticket to address this specific issue (alongside some unrelated ones I also observed while testing this ticket).

Generated at Mon Mar 08 16:27:31 GMT 2021 using Jira 7.13.15#713015-sha1:7c5ddd2c3e1709974ae9c48c17df8edd3919fe2c.