Posted to users@marmotta.apache.org by Scott Vanderbilt <li...@datagenic.com> on 2013/08/19 23:10:18 UTC

3.0.0 - Still getting Basic Auth Challenges

I followed Sebastian's steps for changing security profile (using curl 
method in his email) to standard. I have confirmed this change was made 
in the configuration page. However, I am still receiving Basic Auth 
security challenges every time I attempt to modify the configuration. In 
order to confirm that I am using the correct password, I would like to 
try a password reset for the new account I created. Is there a facility 
for doing this?

Also, I still don't understand what the login link in the top-right 
corner of the page is for. Each time I click it, the page is submitted 
to the server, but I get no log-in prompt or anything else different 
than the page I was already on. Is this link functional, or does it have 
some other purpose than the one I assume?

Thank you.

- Scott

Re: 3.0.0 - Still getting Basic Auth Challenges

Posted by Scott Vanderbilt <li...@datagenic.com>.
On 8/20/2013 12:25 AM, Jakob Frank wrote:

> you have to set security.configured to false, otherwise the
> security.profile will not be (re)loaded.

That did the trick. After setting security.configured to false, the next 
time I was challenged, it accepted the default admin credentials. All 
other configuration changes are now being successfully accepted. Excellent.

> if you want to reset the password for the admin user to the default
> value just set the following config-value:
> user.admin.pwhash = :plain::pass123
> The same way you can (re)set the password for any user, the generic pattern is
> user.<username>.pwhash = :<algo>::<hash>

That's good to know. Hopefully, I won't need to do this, but it's good 
to have that information.

Thank you!

- Scott



Re: 3.0.0 - Still getting Basic Auth Challenges

Posted by Jakob Frank <ja...@apache.org>.
Hi Scott,

On 20 August 2013 00:17, Scott Vanderbilt <li...@datagenic.com> wrote:
> To eliminate any possible configuration errors, I deleted my previous
> system-config.properties file so that marmotta would be forced to create a
> new one. Then, from a shell on the server, I manually edited the config file
> to set the security.profile to 'standard'. Here are the security settings
> from my newly created system-config.properties (omitting
> security.permissions.* and security.restrictions.*)
>
>    security.configured = true
>    security.profile = standard
you have to set security.configured to false, otherwise the
security.profile will not be (re)loaded.

> These settings are not in the properties file, but are visible in the
> browser configuration page (presumably they are default values):
>
>    security.enabled = true
>    security.method = BASIC
>    security.realm = Linked Media Framework
>
> I now return to the browser and attempt to add a new user taking the
> following steps:
>
> 1. Click Users : users
> 2. Click New Account button
> 3. Enter a new user name in the dialog and click OK.
> 4. I then receive a Basic Auth challenge.
> 5. I enter 'admin' as user name and 'pass123' as password.
> 6. I then receive another Basic Auth challenge.
> 7. I click Cancel.
>
> I cannot understand why this fails. With a new properties file, in theory
> the default admin account credentials should work, but they do not.
The steps you listed above look correct, maybe the problem is related
to the security.profile not being correctly loaded.

if you want to reset the password for the admin user to the default
value just set the following config-value:
user.admin.pwhash = :plain::pass123
The same way you can (re)set the password for any user, the generic pattern is
user.<username>.pwhash = :<algo>::<hash>

Best,
Jakob
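As an added illustration (not code from this thread or from Marmotta), the following Python check reads a properties file of the shape quoted above and reports the two things Jakob points at: a security.configured value that is still true, which keeps a hand-edited security.profile from being reloaded, and user.<username>.pwhash entries that are malformed or stored with the plain algorithm, including the default admin password. The sample properties, the scott and broken users and the "sha1" algorithm name are constructed for the example; only the ":<algo>::<hash>" pattern, ":plain::pass123" and the security.* keys come from the thread.

```python
import re

# Constructed sample modelled on the settings quoted in this thread; it is
# not a real Marmotta system-config.properties. The scott/broken entries and
# the "sha1" algorithm name are assumptions for illustration only.
SAMPLE_PROPERTIES = """\
# security settings
security.configured = true
security.profile = standard
security.enabled = true
security.method = BASIC
security.realm = Linked Media Framework
user.admin.pwhash = :plain::pass123
user.scott.pwhash = :sha1::5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
user.broken.pwhash = plain:oops
"""

# Generic pattern from the thread: user.<username>.pwhash = :<algo>::<hash>
PWHASH_KEY_RE = re.compile(r"^user\.(?P<user>[^.]+)\.pwhash$")
PWHASH_VALUE_RE = re.compile(r"^:(?P<algo>[^:]+)::(?P<hash>.*)$")
DEFAULT_ADMIN_PASSWORD = "pass123"  # default admin password quoted in the thread


def parse_properties(text):
    """Parse a minimal Java-style properties file (key = value, # or ! comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_pwhash(value):
    """Split a ':<algo>::<hash>' value into (algo, hash); None if malformed."""
    m = PWHASH_VALUE_RE.match(value)
    return (m.group("algo"), m.group("hash")) if m else None


def audit(props):
    """Return a list of (severity, key, message) findings for the security settings."""
    findings = []
    if props.get("security.configured", "").lower() == "true":
        findings.append(("info", "security.configured",
                         "is true: a manually edited security.profile will not be "
                         "(re)loaded until this is set to false"))
    for key, value in props.items():
        km = PWHASH_KEY_RE.match(key)
        if not km:
            continue
        parsed = parse_pwhash(value)
        if parsed is None:
            findings.append(("error", key, "malformed: expected ':<algo>::<hash>'"))
            continue
        algo, digest = parsed
        if algo == "plain":
            findings.append(("warn", key, "password stored in plain text"))
            if km.group("user") == "admin" and digest == DEFAULT_ADMIN_PASSWORD:
                findings.append(("high", key, "admin account still uses the default password"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit a properties file given as text."""
    return audit(parse_properties(text))


if __name__ == "__main__":
    for severity, key, message in audit_text(SAMPLE_PROPERTIES):
        print(f"[{severity}] {key}: {message}")
```

Run it against a copy of system-config.properties taken from the server; the "info" finding is the one that explains the symptom in this thread, and the plain-text findings are what to clean up once the reset has worked.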

Re: 3.0.0 - Still getting Basic Auth Challenges

Posted by Scott Vanderbilt <li...@datagenic.com>.
On 8/19/2013 2:55 PM, Sebastian Schaffert wrote:

> The security profile "standard" means: you can access the system from
> everywhere, but changing the system settings requires admin privileges.
> The admin login is usually "admin" and "pass123" as password by default.
> Have you tried with these credentials?

Yes. It still fails.

To eliminate any possible configuration errors, I deleted my previous 
system-config.properties file so that marmotta would be forced to create 
a new one. Then, from a shell on the server, I manually edited the 
config file to set the security.profile to 'standard'. Here are the 
security settings from my newly created system-config.properties 
(omitting security.permissions.* and security.restrictions.*)

    security.configured = true
    security.profile = standard

These settings are not in the properties file, but are visible in the 
browser configuration page (presumably they are default values):

    security.enabled = true
    security.method = BASIC
    security.realm = Linked Media Framework

I now return to the browser and attempt to add a new user taking the 
following steps:

1. Click Users : users
2. Click New Account button
3. Enter a new user name in the dialog and click OK.
4. I then receive a Basic Auth challenge.
5. I enter 'admin' as user name and 'pass123' as password.
6. I then receive another Basic Auth challenge.
7. I click Cancel.

I cannot understand why this fails. With a new properties file, in 
theory the default admin account credentials should work, but they do not.

Any suggestions for how I can proceed from here?

Sorry for being such a nuisance.

Thank you.

- Scott


Re: 3.0.0 - Still getting Basic Auth Challenges

Posted by Sebastian Schaffert <se...@gmail.com>.
Hi Scott,

The security profile "standard" means: you can access the system from
everywhere, but changing the system settings requires admin privileges. The
admin login is usually "admin" and "pass123" as password by default. Have
you tried with these credentials?

To summarize: there are 3 pre-defined security profiles (i.e. bundles of
security rules):
- simple: write access allowed only from localhost, read access allowed
from everywhere
- standard: write access allowed from everywhere in case admin user login
is given, read access from everywhere
- restricted: write access allowed from everywhere in case admin user login
is given, read access only if any user login (admin or not) is given

Authentication is always done using HTTP basic authentication to allow
webservice calls to work without problems (e.g. CURL). We are also
considering OAuth for the future. The "login" link on top is just a way of
requesting a login dialog even if you are currently not performing actions
requiring authentication. Clicking it will simply trigger the server to
issue a 401 authentication required response. In theory, the system can
have many users with different roles and permissions. But this has never
been tried extensively.

Security is also still a major issue on our task list. The big problem is
not really the implementation, it is more on the conceptual level (so if
you have any suggestions we'd be happy):
1. configuring security needs to be user friendly; the system currently
uses a complex set of rules and access control lists to define who has
access and who not; to simplify, we introduced the notion of "profiles",
but this is still (as you experienced) not very straightforward
2. security is currently only on the web service level, not on the data
level; data access control for RDF has been discussed a bit in theory, but
most approaches that are powerful enough (like PPO -
http://vocab.deri.ie/ppo) are a performance killer when dealing with larger
systems and a hassle to configure for non-experts

Hope this helps a bit in understanding the issues.

Greetings,

Sebastian


2013/8/19 Scott Vanderbilt <li...@datagenic.com>

> I followed Sebastian's steps for changing security profile (using curl
> method in his email) to standard. I have confirmed this change was made in
> the configuration page. However, I am still receiving Basic Auth security
> challenges every time I attempt to modify the configuration. In order to
> confirm that I am using the correct password, I would like to try a
> password reset for the new account I created. Is there a facility for doing
> this?
>
> Also, I still don't understand what the login link in the top-right
> corner of the page is for. Each time I click it, the page is submitted to
> the server, but I get no log-in prompt or anything else different than the
> page I was already on. Is this link functional, or does it have some other
> purpose than the one I assume?
>
> Thank you.
>
> - Scott
>
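As an added example (not Marmotta's code and not part of this thread), the following Python model shows the behaviour Sebastian describes: the three profiles as a read/write rule keyed on request origin and the authenticated user, HTTP Basic credentials decoded from the Authorization header, and a "login" path that simply answers with a 401 challenge carrying the realm. The user table, the second user "scott", the 403 for an authenticated but unauthorized write, and the 200 returned by /login once valid credentials are present are assumptions made for the illustration; the realm string, the default admin credentials and the profile rules come from the thread.

```python
import base64

REALM = "Linked Media Framework"  # security.realm value quoted in the thread

# Constructed user table: the admin entry is the default quoted in the thread,
# the scott entry is an assumption. Plain-text storage is for illustration only.
USERS = {"admin": "pass123", "scott": "s3cret"}
ADMIN_USERS = {"admin"}
LOCALHOST = {"127.0.0.1", "::1"}
READ_METHODS = {"GET", "HEAD"}


def basic_header(user, password):
    """Build the Authorization value a client such as curl -u would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(header):
    """Return the user name if the header carries valid credentials, else None."""
    creds = parse_basic_auth(header)
    if creds and USERS.get(creds[0]) == creds[1]:
        return creds[0]
    return None


def is_allowed(profile, method, remote_addr, user):
    """Model of the three pre-defined profiles as Sebastian summarises them."""
    is_write = method not in READ_METHODS
    is_admin = user in ADMIN_USERS
    if profile == "simple":       # write only from localhost, read from everywhere
        return remote_addr in LOCALHOST if is_write else True
    if profile == "standard":     # write needs admin login, read from everywhere
        return is_admin if is_write else True
    if profile == "restricted":   # write needs admin login, read needs any login
        return is_admin if is_write else user is not None
    raise ValueError(f"unknown profile: {profile}")


def handle(profile, method, path, remote_addr, auth_header=None):
    """Return (status, headers) for one request under the given profile."""
    user = authenticate(auth_header)
    challenge = (401, {"WWW-Authenticate": f'Basic realm="{REALM}"'})
    if path == "/login":
        # The top-right link: force a challenge even when nothing requires auth.
        return challenge if user is None else (200, {})
    if is_allowed(profile, method, remote_addr, user):
        return (200, {})
    # Assumed behaviour: a logged-in but unauthorized user gets 403 rather than
    # a second challenge; an anonymous request is asked to authenticate.
    return (403, {}) if user is not None else challenge


if __name__ == "__main__":
    admin = basic_header("admin", "pass123")
    print(handle("standard", "POST", "/config", "203.0.113.5"))         # challenge
    print(handle("standard", "POST", "/config", "203.0.113.5", admin))  # allowed
    print(handle("standard", "GET", "/login", "203.0.113.5"))           # challenge
```

The repeated challenge Scott sees in step 6 of his list corresponds, in this model, to credentials that fail authenticate(): the server cannot tell a wrong password from a missing one, so it answers with the same 401 again.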