### [RM-2396] Upload record via WebDAV fails with org.alfresco.repo.security.permissions.AccessDeniedException

Created: 16-Oct-12  Updated: 17-Jul-20  Resolved: 05-Apr-17

Status: Done
Project: Records Management
Component/s: File Protocols
Affects Version/s: RM 2.2, RM 2.3, RM 2.4
Fix Version/s: RM 2.4.1

Type: Bug
Reporter: Alfresco QA Team (Inactive)
Assignee: Unassigned
Resolution: Done
Votes: 0
Labels: triaged
Remaining Estimate: 0 minutes
Time Spent: 1 week, 3 days, 6 hours
Original Estimate: 4 days
Environment: Alfresco Enterprise v4.1.1 (b159 latest) + RM Module v2.0.1 (b124); QALAB Stack 2 - Windows Server 2008 R2 x64, Oracle 10g v10.2.0.5, Ojdbc6.jar use 'jdbc:oracle:thin' in db_url, JBoss 5.1.1 EAP, JDK 6 U33 X64, NTLM with SSO, Clustering Schema 1; Client: IE9, Windows 7, Windows Explorer as WebDAV client.

Attachments: CouldNotFindItem.png, Items.png, Screen Shot 2017-03-20 at 17.12.19.png, Screen Shot 2017-03-20 at 17.12.40.png, alfresco.log, catalina_webdav_multiple_files.out, log.zip, screen1.png, screen2.png, screen3.png

Steps to reproduce:

1. Log on the Share as admin user;
2. Create RM site;
3. Create any category, e.g. webdav;
4. Create any folder under the category, e.g. f1;
5. Map WebDAV connection from a client machine (using 'Map network drive' action) to http://172.30.40.148:8080/alfresco/webdav as admin user;
6. Open the RM site > webdav > f1 directory;
7. Try to upload any non-empty document to the directory, e.g. cifs-B.txt.

Result: An error occurs (the screenshot and the log are attached):

```
17:29:01,566 INFO [STDOUT] 2012-10-16 17:29:01,565 ERROR [alfresco.webdav.protocol] [http-0.0.0.0-8080-4] java.io.PrintWriter@304998b3 HTTP Status Code: 403 caused by: org.alfresco.repo.security.permissions.AccessDeniedException: 091643079 Access Denied. You do not have the appropriate permissions to perform this operation.
	at org.alfresco.repo.webdav.WebDAVMethod.execute(WebDAVMethod.java:349)
	at org.alfresco.repo.webdav.WebDAVServlet.service(WebDAVServlet.java:139)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:136)
	at sun.reflect.GeneratedMethodAccessor954.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:103)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
	at $Proxy503.doFilter(Unknown Source)
	at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:183)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
	at java.lang.Thread.run(Thread.java:662)
Caused by: org.alfresco.repo.security.permissions.AccessDeniedException: 091643079 Access Denied. You do not have the appropriate permissions to perform this operation.
	at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:50)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.alfresco.repo.audit.AuditMethodInterceptor.proceedWithAudit(AuditMethodInterceptor.java:245)
	at org.alfresco.repo.audit.AuditMethodInterceptor.proceed(AuditMethodInterceptor.java:211)
	at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:164)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
	at $Proxy291.lock(Unknown Source)
	at org.alfresco.repo.webdav.WebDAVLockService.lock(WebDAVLockService.java:250)
	at org.alfresco.repo.webdav.LockMethod.createLock(LockMethod.java:399)
	at org.alfresco.repo.webdav.LockMethod.executeImpl(LockMethod.java:358)
	at org.alfresco.repo.webdav.WebDAVMethod$2.execute(WebDAVMethod.java:336)
	at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:388)
	at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:278)
	at org.alfresco.repo.webdav.WebDAVMethod.execute(WebDAVMethod.java:344)
	... 37 more
Caused by: net.sf.acegisecurity.AccessDeniedException: Access is denied.
	at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:93)
	at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:398)
	at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
	at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
	... 53 more
```

8. Refresh Windows Explorer window.

Result: The empty document is present.

9. Open the directory in the Share.

Result: The empty undeclared record is present.

Expected result: The document should be successfully uploaded at step 7. Its content should not be lost.

ChristinaSh

Comment by Roy Wetherall (Inactive) [ 06-Aug-13 ]

Could we look at whether this is still an issue for 2.1 and if so where the problem lies.

Comment by Roy Wetherall (Inactive) [ 19-Sep-13 ]

Bouncing to 2.1.N. At this stage I don't consider WebDav upload as a critical issue for 2.1 release.

Comment by Ana Bozianu [X] (Inactive) [ 27-Nov-14 ]

I tested both on WebDAV and CIFS and the bug reproduced on WebDAV regardless of whether or not the file is empty. The issue does not reproduce on CIFS because the CIFS protocol is transactional.

I identified the following steps in WebDAV communication:

- 1 (client): Sends PUT request to create the file file.txt
- 2 (server): Renames the file to file.txt and declares it as a record
- 3 (client): Sends a LOCK request for file.txt file -> a new file file.txt is created
- 4 (server): Renames the newly created file to file.txt and declares it as a record
- 5 (client): Sends a PUT request to write data to file.txt but the file is not there -> it creates a new file.txt and writes data to it
- 6 (server): Renames the newly created file to file.txt and declares it as a record
- 7 (client): Tries to set attributes to file.txt but the file is not there -> realizes the previous steps failed -> retries steps 1-6 with the same behavior

This way we end up with 6 records from which 4 are of length 0.

I'm currently looking for a solution to delay the record declaration until WebDAV has finished.

Comment by Ana Bozianu [X] (Inactive) [ 02-Dec-14 ]

So far I tried to postpone the file from being declared as a record but this results in an error when a list is being performed on the containing folder. Further on, I plan postponing only the file renaming until the file was successfully uploaded.

I also noticed that the lock request WebDAV sends on the file has no effect on server. If it did, step 4 shouldn't be possible.

Comment by Ana Bozianu [X] (Inactive) [ 05-Dec-14 ]

Here is what I discovered:

- The PutMethod::executeImpl method handles the PUT requests coming from WebDAV. A WebDAV file upload process starts with a PUT request that creates the file. This is the point where we can lock the file until the upload is done.
- The UnlockMethod::executeImpl method handles the UNLOCK request. A WebDAV file upload process ends with an UNLOCK request. After this point it is safe to rename the file.
- The RecordServiceImpl:makeRecord method declares a file as a record and renames it.

Observing the code around I came up with this idea:

- As soon as the file is created we add an aspect to it to indicate the upload is still in progress.
- When the file created trigger is fired and RecordServiceImpl:makeRecord is executed, I check if the node has that aspect and if it does the record will not be renamed.
- When the unlock request is sent on a file via WebDAV, I remove the aspect and rename the file accordingly.

The struggle I'm facing is the following: the file created trigger is fired inside the method that creates the file, preventing me from adding any aspect to the file to indicate it was created through WebDAV. This means that when makeRecord is called, the aspect is not added yet so the RM module cannot tell the file is created through WebDAV and is not safe to rename yet.

Another problem is that the RM will have to use the last version of alfresco as I need to add a new QName in the ContentModel to be available to alfresco base as well as to remote management module.

An easy solution would be to skip file renaming during the record declaration (for all files, not only for those uploaded through WebDAV) but this is an architecture decision I cannot predict the side effects for.

A second solution would be to change the createFile method declaration by adding a list of initial aspects and assign them to the file before the trigger is fired.
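
Added example (not part of the ticket, and not Alfresco code): a toy model of the request sequence listed in the 27-Nov-14 comment, run once with rename-on-create and once with the rename deferred until UNLOCK as proposed in the 05-Dec-14 comment. `RecordFolder`, `webdav_upload`, the record-ID format and the single retry are assumptions made for illustration; the `uploading` marker passed to `create()` stands in for the "initial aspects" variant.

```python
"""Toy model of the WebDAV upload sequence described in this ticket.

Added example, not Alfresco code: RecordFolder, webdav_upload and the
record-ID format are constructed for illustration.
"""
import itertools
import os


class RecordFolder:
    """Record folder whose 'file created' trigger declares (and renames) a record."""

    def __init__(self, defer_rename):
        self.defer_rename = defer_rename  # False models the reported behaviour
        self.nodes = {}                   # visible name -> node dict
        self._ids = itertools.count(1)

    def _record_name(self, name):
        stem, ext = os.path.splitext(name)
        return f"{stem} (2017-{next(self._ids):010d}){ext}"  # constructed ID

    def create(self, name, uploading=False):
        """Create an empty node; the trigger runs before create() returns."""
        node = {"data": b"", "pending_name": None}
        record_name = self._record_name(name)
        if self.defer_rename and uploading:
            # Marker supplied at creation time: declare now, rename at UNLOCK.
            node["pending_name"] = record_name
            self.nodes[name] = node
        else:
            # Immediate rename: the name the client asked for disappears.
            self.nodes[record_name] = node
        return node

    def put(self, name, data):
        node = self.nodes.get(name)
        if node is None:
            node = self.create(name, uploading=True)
        node["data"] = data

    def lock(self, name):
        if name not in self.nodes:
            self.create(name, uploading=True)  # LOCK on a missing path creates a file

    def proppatch(self, name):
        return name in self.nodes  # setting attributes needs the original name

    def unlock(self, name):
        node = self.nodes.get(name)
        if node is not None and node["pending_name"]:
            del self.nodes[name]
            self.nodes[node["pending_name"]] = node
            node["pending_name"] = None


def webdav_upload(folder, name, data, max_attempts=2):
    """Replay the client steps; return the attempt that succeeded, or None."""
    for attempt in range(1, max_attempts + 1):
        folder.put(name, b"")       # step 1: PUT creates the file
        folder.lock(name)           # step 3: LOCK
        folder.put(name, data)      # step 5: PUT writes the data
        if folder.proppatch(name):  # step 7: set attributes
            folder.unlock(name)     # upload finished
            return attempt
    return None


def summarize(folder):
    """Return (number of records, number of zero-length records)."""
    empty = sum(1 for n in folder.nodes.values() if not n["data"])
    return len(folder.nodes), empty


if __name__ == "__main__":
    payload = b"constructed sample content"
    for defer in (False, True):
        folder = RecordFolder(defer_rename=defer)
        attempt = webdav_upload(folder, "file.txt", payload)
        print(f"defer_rename={defer}: succeeded on attempt {attempt}, "
              f"(records, empty) = {summarize(folder)}")
        for visible_name, node in folder.nodes.items():
            print(f"  {visible_name!r}: {len(node['data'])} bytes")
```
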
Comment by Ana Bozianu [X] (Inactive) [ 10-Dec-14 ] Provided a temporary workaround to this problem: in the first WebDAV request (PUT) after the file is created, I check if the file has been renamed and, if it has, I create an aspect with it's new name (the one provided by RM module) and rename it with the original name. in the last WebDAV request (UNLOCK), if the file has the aspect I rename the file with the aspect's content and remove the aspect After the WebDAV upload the folder still needs to be refreshed for the file to appear with the new name but there is only one file created and it's content is consistent. I created a new aspect to avoid creating other problems. I think there could be a problem if Record Management module would try to find the file by its name but I couldn't find a test case for this. I commited the changes with revision R92142 in branch DEV/NESS/HEAD-BUG-FIX_2014_12_10 Comment by Roy Wetherall (Inactive) [ 14-Jul-15 ] Moved to RM project as suggested. Comment by Roy Wetherall (Inactive) [ 22-Sep-16 ] Category 1: Data loss Comment by Build And Packaging (Inactive) [ 08-Mar-17 ] Silviu Dinuta mentioned this issue in a merge request of records-management/records-management: 'RM-2396: first draft solution' Comment by Kristijan Conkas [X] (Inactive) [ 20-Mar-17 ] Results of CIFS testing using prepared fileplan: c1 (category) / f1 (folder) / sc1 (sub-category)  Share listing is functional: MBP-KCONKAS-0915:~ kconkas$smbclient -L '\\192.168.33.10' -U test01 Enter test01's password: Domain=[WORKGROUP] OS=[Java] Server=[Alfresco CIFS Server 6.0.0] Sharename Type Comment --------- ---- ------- Alfresco Disk IPC$ IPC Domain=[WORKGROUP] OS=[Java] Server=[Alfresco CIFS Server 6.0.0] Server Comment --------- ------- Workgroup Master --------- ------- MBP-KCONKAS-0915:~ kconkas$smbclient -U test01 '\\192.168.33.10\Alfresco' Enter test01's password: Domain=[WORKGROUP] OS=[Java] Server=[Alfresco CIFS Server 6.0.0] smb: \> dir . 
D 0 Mon Mar 20 16:33:36 2017 .. D 0 Mon Mar 20 16:33:36 2017 __ShowDetails.exe 393216 Mon Mar 20 16:33:49 2017 __CheckInOut.exe 393216 Mon Mar 20 16:33:49 2017 Shared D 0 Mon Mar 20 16:33:26 2017 Imap Attachments D 0 Mon Mar 20 16:33:26 2017 Guest Home D 0 Mon Mar 20 16:33:26 2017 User Homes D 0 Mon Mar 20 16:38:06 2017 Sites D 0 Mon Mar 20 16:33:47 2017 Data Dictionary D 0 Mon Mar 20 16:33:55 2017 IMAP Home D 0 Mon Mar 20 16:33:27 2017 40284 blocks of size 1048576. 36795 blocks available smb: \> cd \Sites\rm\documentLibrary smb: \Sites\rm\documentLibrary\> dir . D 0 Mon Mar 20 16:42:37 2017 .. D 0 Mon Mar 20 16:38:21 2017 __ShowDetails.exe 393216 Mon Mar 20 16:33:49 2017 __CheckInOut.exe 393216 Mon Mar 20 16:33:49 2017 Unfiled Records D 0 Mon Mar 20 16:38:19 2017 c1 D 0 Mon Mar 20 16:42:50 2017 Transfers D 0 Mon Mar 20 16:38:19 2017 Holds D 0 Mon Mar 20 16:38:19 2017 40284 blocks of size 1048576. 36795 blocks available smb: \Sites\rm\documentLibrary\c1\> mkdir f2 NT_STATUS_ACCESS_DENIED making remote directory \Sites\rm\documentLibrary\c1\f2  Can't create folder within subfolder: smb: \Sites\rm\documentLibrary\c1\f1\> mkdir f2 NT_STATUS_IO_TIMEOUT making remote directory \Sites\rm\documentLibrary\c1\f1\f2  Can put file and it gets declared a record: smb: \Sites\rm\documentLibrary\c1\f1\> put jenkins_token.txt putting file jenkins_token.txt as \Sites\rm\documentLibrary\c1\f1\jenkins_token.txt (0.1 kb/s) (average 0.1 kb/s) smb: \Sites\rm\documentLibrary\c1\f1\> dir . D 0 Mon Mar 20 16:47:32 2017 .. D 0 Mon Mar 20 16:42:50 2017 __ShowDetails.exe 393216 Mon Mar 20 16:33:49 2017 __CheckInOut.exe 393216 Mon Mar 20 16:33:49 2017 jenkins_token (2017-1490028452760).txt 41 Mon Mar 20 16:47:32 2017 smb: \Sites\rm\documentLibrary\c1\f1\> put catalina.out putting file catalina.out as \Sites\rm\documentLibrary\c1\f1\catalina.out (122.3 kb/s) (average 51.2 kb/s) smb: \Sites\rm\documentLibrary\c1\f1\> dir . D 0 Mon Mar 20 16:53:41 2017 .. 
D 0 Mon Mar 20 16:42:50 2017 __ShowDetails.exe 393216 Mon Mar 20 16:33:49 2017 __CheckInOut.exe 393216 Mon Mar 20 16:33:49 2017 catalina (2017-1490028821213).out 50341 Mon Mar 20 16:53:41 2017 jenkins_token (2017-1490028452760).txt 41 Mon Mar 20 16:47:32 2017 40284 blocks of size 1048576. 36793 blocks available  Can't put file directly into a record category or sub-category: smb: \Sites\rm\documentLibrary\c1\> put catalina.out NT_STATUS_NO_SUCH_FILE opening remote file \Sites\rm\documentLibrary\c1\catalina.out smb: \Sites\rm\documentLibrary\c1\> dir . D 0 Mon Mar 20 16:42:50 2017 .. D 0 Mon Mar 20 16:42:37 2017 __ShowDetails.exe 393216 Mon Mar 20 16:33:49 2017 __CheckInOut.exe 393216 Mon Mar 20 16:33:49 2017 f1 D 0 Mon Mar 20 16:47:32 2017 sc1 D 0 Mon Mar 20 16:42:45 2017 40284 blocks of size 1048576. 36794 blocks available smb: \Sites\rm\documentLibrary\c1\> cd sc1 smb: \Sites\rm\documentLibrary\c1\sc1\> put catalina.out NT_STATUS_NO_SUCH_FILE opening remote file \Sites\rm\documentLibrary\c1\sc1\catalina.out smb: \Sites\rm\documentLibrary\c1\sc1\> dir . D 0 Mon Mar 20 16:42:45 2017 .. D 0 Mon Mar 20 16:42:50 2017 __ShowDetails.exe 393216 Mon Mar 20 16:33:49 2017 __CheckInOut.exe 393216 Mon Mar 20 16:33:49 2017 40284 blocks of size 1048576. 36794 blocks available  Can't delete a record: smb: \Sites\rm\documentLibrary\c1\> cd f1 smb: \Sites\rm\documentLibrary\c1\f1\> dir . D 0 Mon Mar 20 16:47:32 2017 .. D 0 Mon Mar 20 16:42:50 2017 __ShowDetails.exe 393216 Mon Mar 20 16:33:49 2017 __CheckInOut.exe 393216 Mon Mar 20 16:33:49 2017 jenkins_token (2017-1490028452760).txt 41 Mon Mar 20 16:47:32 2017 40284 blocks of size 1048576. 
36794 blocks available smb: \Sites\rm\documentLibrary\c1\f1\> del "jenkins_token (2017-1490028452760).txt" NT_STATUS_ACCESS_DENIED deleting remote file \Sites\rm\documentLibrary\c1\f1\jenkins_token (2017-1490028452760).txt NT_STATUS_ACCESS_DENIED listing \Sites\rm\documentLibrary\c1\f1\jenkins_token (2017-1490028452760).txt smb: \Sites\rm\documentLibrary\c1\f1\> dir . D 0 Mon Mar 20 16:47:32 2017 .. D 0 Mon Mar 20 16:42:50 2017 __ShowDetails.exe 393216 Mon Mar 20 16:33:49 2017 __CheckInOut.exe 393216 Mon Mar 20 16:33:49 2017 jenkins_token (2017-1490028452760).txt 41 Mon Mar 20 16:47:32 2017 40284 blocks of size 1048576. 36794 blocks available  Can't delete record folder: smb: \Sites\rm\documentLibrary\c1\> rmdir f1 NT_STATUS_DIRECTORY_NOT_EMPTY removing remote directory file \Sites\rm\documentLibrary\c1\f1  Can't delete record category: smb: \Sites\rm\documentLibrary\c1\> rmdir sc1 NT_STATUS_DIRECTORY_NOT_EMPTY removing remote directory file \Sites\rm\documentLibrary\c1\sc1  Can't file into Unfiled Records: smb: \Sites\rm\documentLibrary\> cd "Unfiled Records" smb: \Sites\rm\documentLibrary\Unfiled Records\> dir . D 0 Mon Mar 20 16:38:19 2017 .. D 0 Mon Mar 20 16:42:37 2017 __ShowDetails.exe 393216 Mon Mar 20 16:33:49 2017 __CheckInOut.exe 393216 Mon Mar 20 16:33:49 2017 40284 blocks of size 1048576. 36793 blocks available smb: \Sites\rm\documentLibrary\Unfiled Records\> put catalina.out NT_STATUS_ACCESS_DENIED opening remote file \Sites\rm\documentLibrary\Unfiled Records\catalina.out smb: \Sites\rm\documentLibrary\Unfiled Records\> dir . D 0 Mon Mar 20 16:38:19 2017 .. D 0 Mon Mar 20 16:42:37 2017 __ShowDetails.exe 393216 Mon Mar 20 16:33:49 2017 __CheckInOut.exe 393216 Mon Mar 20 16:33:49 2017 40284 blocks of size 1048576. 36793 blocks available  Can't file directly into any special container: smb: \Sites\rm\documentLibrary\> dir . D 0 Mon Mar 20 16:42:37 2017 .. 
D 0 Mon Mar 20 16:38:21 2017 __ShowDetails.exe 393216 Mon Mar 20 16:33:49 2017 __CheckInOut.exe 393216 Mon Mar 20 16:33:49 2017 Unfiled Records D 0 Mon Mar 20 16:38:19 2017 c1 D 0 Mon Mar 20 16:42:50 2017 Transfers D 0 Mon Mar 20 16:38:19 2017 Holds D 0 Mon Mar 20 16:38:19 2017 40284 blocks of size 1048576. 36793 blocks available smb: \Sites\rm\documentLibrary\> cd Transfers smb: \Sites\rm\documentLibrary\Transfers\> put catalina.out NT_STATUS_ACCESS_DENIED opening remote file \Sites\rm\documentLibrary\Transfers\catalina.out smb: \Sites\rm\documentLibrary\Transfers\> cd ..\Holds smb: \Sites\rm\documentLibrary\Holds\> put catalina.out NT_STATUS_ACCESS_DENIED opening remote file \Sites\rm\documentLibrary\Holds\catalina.out  My only observation was I was expecting to be able to upload (e.g. file) a record into Unfiled Records folder. Should this be in the scope of this ticket, Tuna Aksoy [X]? Comment by Kristijan Conkas [X] (Inactive) [ 20-Mar-17 ] WebDav uploads result with duplicate records: one with original name and the other with appender record ID (see the attachment). Comment by Kristijan Conkas [X] (Inactive) [ 20-Mar-17 ] New alfresco.log is available: Comment by Kristijan Conkas [X] (Inactive) [ 20-Mar-17 ] The previous test was against a 5.1.0 installation. When tried with the latest 5.1 patch (5.1.2.1) results are different, an attempt to paste a file into a record folder using MacOS Finder client (as in the example above) throws the following exception: 2017-03-20 18:20:59,659 ERROR [org.alfresco.repo.webdav.ExceptionHandler] [http-apr-8080-exec-6] Exception thrown. HTTP Status Code: 500 caused by: org.alfresco.error.AlfrescoRuntimeException: 02200337 Operation failed, because you can't place content directly into a record category. 
at org.alfresco.repo.webdav.WebDAVMethod.execute(WebDAVMethod.java:464) at org.alfresco.repo.webdav.WebDAVServlet.service(WebDAVServlet.java:156) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.alfresco.module.aosmodule.service.ContextRootFilter.doFilter(ContextRootFilter.java:93) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.alfresco.repo.webdav.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:259) at sun.reflect.GeneratedMethodAccessor1317.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:132) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at com.sun.proxy.$Proxy376.doFilter(Unknown Source) at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at 
org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2466) at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2455) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Caused by: org.alfresco.error.AlfrescoRuntimeException: 02200337 Operation failed, because you can't place content directly into a record category. 
at org.alfresco.module.org_alfresco_module_rm.model.rma.type.RecordCategoryType.onCreateChildAssociation(RecordCategoryType.java:113) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.alfresco.repo.policy.JavaBehaviour$JavaMethodInvocationHandler.invoke(JavaBehaviour.java:181) at com.sun.proxy.$Proxy98.onCreateChildAssociation(Unknown Source) at sun.reflect.GeneratedMethodAccessor330.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.alfresco.repo.policy.PolicyFactory$MultiHandler.invoke(PolicyFactory.java:361) at org.alfresco.repo.policy.$Proxy275.onCreateChildAssociation(Unknown Source) at org.alfresco.repo.node.AbstractNodeServiceImpl.invokeOnCreateChildAssociation(AbstractNodeServiceImpl.java:635) at org.alfresco.repo.node.db.DbNodeServiceImpl.createNode_aroundBody24(DbNodeServiceImpl.java:440) at org.alfresco.repo.node.db.DbNodeServiceImpl$AjcClosure25.run(DbNodeServiceImpl.java:1) at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) at org.alfresco.traitextender.RouteExtensions.intercept(RouteExtensions.java:100) at org.alfresco.repo.node.db.DbNodeServiceImpl.createNode(DbNodeServiceImpl.java:359) at sun.reflect.GeneratedMethodAccessor309.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at org.alfresco.repo.lock.mem.LockableAspectInterceptor.invoke(LockableAspectInterceptor.java:241) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at com.sun.proxy.$Proxy27.createNode(Unknown Source) at sun.reflect.GeneratedMethodAccessor309.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at org.alfresco.repo.tenant.MultiTNodeServiceInterceptor.invoke(MultiTNodeServiceInterceptor.java:111) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at com.sun.proxy.$Proxy27.createNode(Unknown Source) at sun.reflect.GeneratedMethodAccessor309.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.alfresco.repo.service.StoreRedirectorProxyFactory$RedirectorInvocationHandler.invoke(StoreRedirectorProxyFactory.java:231) at com.sun.proxy.$Proxy56.createNode(Unknown Source) at org.alfresco.repo.node.MLPropertyInterceptor.invoke(MLPropertyInterceptor.java:284) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at 
org.alfresco.enterprise.repo.sync.SyncPropertyInterceptor.invoke(SyncPropertyInterceptor.java:262) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.alfresco.repo.node.NodeRefPropertyMethodInterceptor.invoke(NodeRefPropertyMethodInterceptor.java:190) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at com.sun.proxy.$Proxy27.createNode(Unknown Source) at sun.reflect.GeneratedMethodAccessor309.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198) at com.sun.proxy.$Proxy27.createNode(Unknown Source) at org.alfresco.repo.model.filefolder.FileFolderServiceImpl.createImpl(FileFolderServiceImpl.java:1294) at org.alfresco.repo.model.filefolder.FileFolderServiceImpl.create(FileFolderServiceImpl.java:1261) at org.alfresco.repo.model.filefolder.ExtendedFileFolderServiceImpl.create(ExtendedFileFolderServiceImpl.java:61) at org.alfresco.repo.model.filefolder.ExtendedFileFolderServiceImpl.create(ExtendedFileFolderServiceImpl.java:50) at sun.reflect.GeneratedMethodAccessor972.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at 
org.alfresco.repo.model.ml.MLContentInterceptor.invoke(MLContentInterceptor.java:136) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.alfresco.repo.model.filefolder.MLTranslationInterceptor.invoke(MLTranslationInterceptor.java:275) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.alfresco.module.org_alfresco_module_rm.security.RMMethodSecurityInterceptor.invoke(RMMethodSecurityInterceptor.java:352) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:53) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.alfresco.repo.audit.AuditMethodInterceptor.proceedWithAudit(AuditMethodInterceptor.java:256) at org.alfresco.repo.audit.AuditMethodInterceptor.proceed(AuditMethodInterceptor.java:216) at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:171) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.alfresco.repo.model.filefolder.FilenameFilteringInterceptor.invoke(FilenameFilteringInterceptor.java:262) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96) at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260) at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at 
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at com.sun.proxy.$Proxy106.create(Unknown Source) at org.alfresco.repo.webdav.WebDAVHelper.createFile(WebDAVHelper.java:637) at org.alfresco.repo.webdav.PutMethod.executeImpl(PutMethod.java:193) at org.alfresco.repo.webdav.WebDAVMethod$2.execute(WebDAVMethod.java:404) at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464) at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:352) at org.alfresco.repo.webdav.WebDAVMethod.execute(WebDAVMethod.java:412) ... 40 more

Comment by Kristijan Conkas [X] (Inactive) [ 20-Mar-17 ]
I repeated the same test (Alfresco One 5.1.2.1 + RM 2.4.1 snapshot server) using a Windows 8.1 client. I didn't notice any exceptions but an attempt to upload a file into a record folder using WebDAV is still failing with the "The file cannot be accessed by the system" error, irrespective of the user I tried with (e.g. "admin" versus a "normal" user).

Comment by Kristijan Conkas [X] (Inactive) [ 21-Mar-17 ]
Detailed steps to reproduce WebDAV issue:
1. Install Alfresco One 5.1.2.1 (https://releases.alfresco.com/Enterprise-5.1/5.1.2/5.1.2.1/build-00021/ALL/) with RM 2.4.1 snapshot (in this test build 320 was used, https://bamboo.alfresco.com/bamboo/browse/RM-RM24ENT-320)
As admin:
2. Create test user
3. Create rm site with the following structure: category / folder category / subcategory
4. Verify a record can be filed into the folder
5. From RM Admin tools add the test user to RM site with "Records Management Manager" privileges
6. Open file plan and grant the test user the "Read and file" permissions on record category
As test user:
7. Log in to rm from Web interface
8. In File Plan navigate to record folder and verify you can file a record
Verification - Windows 8.1:
9. Open File Explorer
10. Click "Add a Network Location"
11. Click "Next"
12. Click "Choose a custom network location"
13. In "Internet or network address" field type the URL of the webdav access point
14. Click "Next"
15. In "Windows Security" prompt type the test user's credentials and click "OK"
16. Click "OK"
17. Click "Next"
18. Click "Finish"
19. Navigate through Sites/rm/documentLibrary to the record folder
20. Drag a document from desktop into the record folder
Actual result: "The file cannot be accessed by the system" error occurs.
Expected result: file is copied and made a record.
Important note: if after step 15 you should experience any Windows issues, this could be due to the use of the http webdav endpoint and security settings in Windows 8.1. The workaround for this is described in https://forums.iis.net/t/1207555.aspx?Windows+8+1+and+Webdav+Issue
Verification - MacOS X:
21. Open Finder
22. From "Go" menu select "Connect to server"
23. In "Server address" enter the URL of the webdav access point
24. Click "Connect"
25. In "Enter your name and password" dialog enter the test user's credentials and click "Connect"
26. Navigate through Sites/rm/documentLibrary to the record folder
27. Drag a document from desktop onto the expanded record folder
Actual result: "The Finder can’t complete the operation" error occurs.
Expected result: file is copied and made a record.

Comment by Build And Packaging (Inactive) [ 28-Mar-17 ]
Tuna Aksoy mentioned this issue in a merge request of records-management/records-management: 'RM-2396 (Upload record via WebDAV fails with org.alfresco.repo.security.permissi…'

Comment by Kristijan Conkas [X] (Inactive) [ 05-Apr-17 ]
Tested on MacOS X: for a single file, upload and rename work correctly. For multiple files an error is reported and one or two files (usually the first ones to be uploaded) get filed as records and have record ID in their names, while the rest do get filed but aren't named with their record IDs.
Tested against Alfresco One 5.1.2.1 + RM build https://bamboo.alfresco.com/bamboo/browse/RM-RM24ENT-329/artifact
I'll repeat this test on the Windows platform.

Comment by Kristijan Conkas [X] (Inactive) [ 05-Apr-17 ]
More on my previous comment: after the errors reported while filing multiple files (resulting in some of them being correctly named, and some not), I found some NPEs in the server log catalina_webdav_multiple_files.out. I am not sure though whether they are related to this issue. The type of files to be filed also makes a difference: while this behaviour is easily reproduced with about 15-20 .doc and .docx files, I managed to file 20 .pdf files without any errors. Is this behaviour related to some content transformation?

Comment by Kristijan Conkas [X] (Inactive) [ 05-Apr-17 ]
Multiple file upload works fine on Windows 8.1. I'll verify the behaviour on Windows 7 and Windows 10.

Comment by Kristijan Conkas [X] (Inactive) [ 05-Apr-17 ]
Windows 10 is also fine.

Comment by Kristijan Conkas [X] (Inactive) [ 05-Apr-17 ]
Verified on Windows 7 too. Given the very limited nature of the auto-renaming issue experienced (on a specific OS, related to a specific file type and intermittent) I am happy the fix addresses the issue for which this ticket was raised and will close this ticket off as verified and open a new ticket to address this specific issue (alongside some unrelated ones I also observed while testing this ticket).