Nuxeo Platform / NXP-16338

Nuxeo Drive keeps connected after token revocation if anonymous authentication is activated

      Description

      To reproduce:

      • Connect Drive to a Nuxeo instance with anonymous auth activated, see http://doc.nuxeo.com/x/qwQz
      • Revoke the token. Expected: Drive switches to offline mode (grey icon, synchronization interrupted, credentials required). Actual: it keeps checking for changes, the icon stays green, and credentials are not required.
      • Apply any local change, for instance create a file in one of the sync roots. The server then logs this stack trace:
        2015-01-12 15:45:06,590 ERROR [http-bio-0.0.0.0-8080-exec-1] [org.nuxeo.ecm.core.api.CoreSession] Permission 'Read' is not granted to 'Guest' on document /default-domain/workspaces/Test Sync (d57757d8-8469-4512-8420-81c21b501687 - Workspace)
        2015-01-12 15:45:06,595 ERROR [http-bio-0.0.0.0-8080-exec-1] [org.nuxeo.ecm.automation.server.jaxrs.batch.BatchManagerComponent] Error while executing automation batch 
        org.nuxeo.ecm.automation.TraceException: 
        
        ****** chain ******
        Name: NuxeoDrive.CreateFile
        Exception: OperationException
        Caught error: Failed to invoke operation NuxeoDrive.CreateFile
        Caused by: org.nuxeo.ecm.core.api.DocumentSecurityException: Privilege 'Read' is not granted to 'Guest'
        ****** Hierarchy calls ******
        	org.nuxeo.drive.operations.NuxeoDriveCreateFile
        
        	at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:228)
        	at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:113)
        	at org.nuxeo.ecm.automation.server.jaxrs.batch.BatchManagerComponent.execute(BatchManagerComponent.java:182)
        	at org.nuxeo.ecm.automation.server.jaxrs.batch.BatchManagerComponent.execute(BatchManagerComponent.java:160)
        	at org.nuxeo.ecm.automation.server.jaxrs.batch.BatchResource.exec(BatchResource.java:206)
        	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        	at java.lang.reflect.Method.invoke(Method.java:606)
        	at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
        	at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ObjectOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:258)
        	at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
        	at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
        	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
        	at com.sun.jersey.server.impl.uri.rules.SubLocatorRule.accept(SubLocatorRule.java:137)
        	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
        	at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
        	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
        	at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
        	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
        	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
        	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
        	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
        	at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
        	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
        	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
        	at org.nuxeo.ecm.webengine.app.jersey.WebEngineServlet.containerService(WebEngineServlet.java:178)
        	at org.nuxeo.ecm.webengine.app.jersey.WebEngineServlet.service(WebEngineServlet.java:153)
        	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.nuxeo.ecm.webengine.jaxrs.session.SessionCleanupFilter.run(SessionCleanupFilter.java:45)
        	at org.nuxeo.ecm.webengine.jaxrs.HttpFilter.doFilter(HttpFilter.java:43)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.nuxeo.ecm.webengine.app.WebEngineFilter.doFilter(WebEngineFilter.java:92)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.nuxeo.ecm.webengine.jaxrs.context.RequestContextFilter.run(RequestContextFilter.java:42)
        	at org.nuxeo.ecm.webengine.jaxrs.HttpFilter.doFilter(HttpFilter.java:43)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.nuxeo.wss.servlet.BaseWSSFilter.doFilter(BaseWSSFilter.java:137)
        	at org.nuxeo.wss.servlet.FailSafeWSSFilter.doFilter(FailSafeWSSFilter.java:55)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.nuxeo.ecm.core.management.jtajca.internal.Log4jWebFilter.doFilter(Log4jWebFilter.java:67)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.nuxeo.ecm.platform.ui.web.rest.FancyURLFilter.doFilter(FancyURLFilter.java:129)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoThreadTrackerFilter.doFilter(NuxeoThreadTrackerFilter.java:28)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.nuxeo.ecm.webdav.service.WIRequestFilter.doFilter(WIRequestFilter.java:58)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoRequestControllerFilter.doFilter(NuxeoRequestControllerFilter.java:139)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doFilterInternal(NuxeoAuthenticationFilter.java:585)
        	at org.nuxeo.ecm.platform.ui.web.auth.service.NuxeoAuthFilterChain.doFilter(NuxeoAuthFilterChain.java:36)
        	at org.nuxeo.ecm.platform.ui.web.auth.oauth2.NuxeoOAuth2Filter.doFilter(NuxeoOAuth2Filter.java:68)
        	at org.nuxeo.ecm.platform.ui.web.auth.service.NuxeoAuthFilterChain.doFilter(NuxeoAuthFilterChain.java:34)
        	at org.nuxeo.ecm.platform.ui.web.auth.oauth.NuxeoOAuthFilter.doFilter(NuxeoOAuthFilter.java:119)
        	at org.nuxeo.ecm.platform.ui.web.auth.service.NuxeoAuthFilterChain.doFilter(NuxeoAuthFilterChain.java:34)
        	at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doFilter(NuxeoAuthenticationFilter.java:398)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoCorsFilter.doFilter(NuxeoCorsFilter.java:52)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.nuxeo.ecm.platform.web.common.exceptionhandling.NuxeoExceptionFilter.doFilter(NuxeoExceptionFilter.java:78)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.nuxeo.ecm.platform.web.common.encoding.NuxeoEncodingFilter.doFilter(NuxeoEncodingFilter.java:73)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
        	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
        	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
        	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
        	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
        	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        	at java.lang.Thread.run(Thread.java:745)
        Caused by: org.nuxeo.ecm.automation.OperationException: Failed to invoke operation NuxeoDrive.CreateFile
        	at org.nuxeo.ecm.automation.core.impl.InvokableMethod.invoke(InvokableMethod.java:151)
        	at org.nuxeo.ecm.automation.core.impl.CompiledChainImpl.doInvoke(CompiledChainImpl.java:127)
        	at org.nuxeo.ecm.automation.core.impl.CompiledChainImpl.invoke(CompiledChainImpl.java:113)
        	at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:204)
        	... 95 more
        Caused by: org.nuxeo.ecm.core.api.DocumentSecurityException: Privilege 'Read' is not granted to 'Guest'
        	at org.nuxeo.ecm.core.api.AbstractSession.checkPermission(AbstractSession.java:203)
        	at org.nuxeo.ecm.core.api.AbstractSession.getDocument(AbstractSession.java:1020)
        	at sun.reflect.GeneratedMethodAccessor64.invoke(Unknown Source)
        	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        	at java.lang.reflect.Method.invoke(Method.java:606)
        	at org.nuxeo.ecm.core.api.TransactionalCoreSessionWrapper.invoke(TransactionalCoreSessionWrapper.java:131)
        	at com.sun.proxy.$Proxy63.getDocument(Unknown Source)
        	at org.nuxeo.drive.service.impl.AbstractFileSystemItemFactory.getDocumentById(AbstractFileSystemItemFactory.java:248)
        	at org.nuxeo.drive.service.impl.AbstractFileSystemItemFactory.getDocumentByFileSystemId(AbstractFileSystemItemFactory.java:202)
        	at org.nuxeo.drive.service.impl.AbstractFileSystemItemFactory.getFileSystemItemById(AbstractFileSystemItemFactory.java:155)
        	at org.nuxeo.drive.service.impl.FileSystemItemManagerImpl.getFileSystemItemById(FileSystemItemManagerImpl.java:136)
        	at org.nuxeo.drive.service.impl.FileSystemItemManagerImpl.createFile(FileSystemItemManagerImpl.java:210)
        	at org.nuxeo.drive.operations.NuxeoDriveCreateFile.run(NuxeoDriveCreateFile.java:72)
        	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        	at java.lang.reflect.Method.invoke(Method.java:606)
        	at org.nuxeo.ecm.automation.core.impl.InvokableMethod.doInvoke(InvokableMethod.java:137)
        	at org.nuxeo.ecm.automation.core.impl.InvokableMethod.invoke(InvokableMethod.java:143)
        	... 98 more
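
The trace above gives a usable log signature for this condition: a permission denial for the anonymous user followed, on the same request thread, by a `NuxeoDrive.*` operation. The following is an added example, not part of the original report or of Nuxeo's code; the function name, the default anonymous user name `Guest` (taken from the trace) and the last two sample lines are assumptions or constructed.

```python
import re

# The first five lines come from the trace above; the last two are constructed
# to show that a denial for a named user is not reported.
SAMPLE_LOG = """\
2015-01-12 15:45:06,590 ERROR [http-bio-0.0.0.0-8080-exec-1] [org.nuxeo.ecm.core.api.CoreSession] Permission 'Read' is not granted to 'Guest' on document /default-domain/workspaces/Test Sync (d57757d8-8469-4512-8420-81c21b501687 - Workspace)
2015-01-12 15:45:06,595 ERROR [http-bio-0.0.0.0-8080-exec-1] [org.nuxeo.ecm.automation.server.jaxrs.batch.BatchManagerComponent] Error while executing automation batch
org.nuxeo.ecm.automation.TraceException:
Name: NuxeoDrive.CreateFile
Caused by: org.nuxeo.ecm.core.api.DocumentSecurityException: Privilege 'Read' is not granted to 'Guest'
2015-01-12 15:46:10,101 ERROR [http-bio-0.0.0.0-8080-exec-2] [org.nuxeo.ecm.core.api.CoreSession] Permission 'Write' is not granted to 'alice' on document /default-domain/workspaces/Other (00000000-0000-0000-0000-000000000000 - Workspace)
Name: NuxeoDrive.CreateFile
"""

# timestamp, level, [thread], [logger], message
RECORD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} \w+ +\[([^\]]+)\] \[[^\]]+\] (.*)$")
DENIED = re.compile(r"Permission '(\w+)' is not granted to '([^']+)' on document (.+?) \(")
DRIVE_OP = re.compile(r"^\s*Name: (NuxeoDrive\.\w+)")


def find_anonymous_drive_calls(log_text, anonymous_user="Guest"):
    """Return Drive operations that the server ran as the anonymous user."""
    findings, pending, thread = [], {}, None
    for line in log_text.splitlines():
        rec = RECORD.match(line)
        if rec:
            ts, thread, msg = rec.groups()
            denied = DENIED.search(msg)
            if denied and denied.group(2) == anonymous_user:
                # Remember the denial until the trace names the operation.
                pending[thread] = (ts, denied.group(1), denied.group(3))
            continue
        # Continuation line of the current record (part of the stack trace).
        op = DRIVE_OP.match(line)
        if op and thread in pending:
            ts, permission, path = pending.pop(thread)
            findings.append({"time": ts, "operation": op.group(1),
                             "permission": permission, "document": path})
    return findings


if __name__ == "__main__":
    for finding in find_anonymous_drive_calls(SAMPLE_LOG):
        print(finding)
```

A hit means a Drive client reached the server without valid credentials and was served as the anonymous user, which is the state the revoked client is in.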
        

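      Drive stays connected because the "Automation" specificAuthenticationChain includes the ANONYMOUS_AUTH authentication plugin: once the token is revoked, TOKEN_AUTH no longer authenticates the request, the chain falls through to ANONYMOUS_AUTH, and the request is processed as the anonymous user ('Guest' in the trace above) instead of being rejected. See https://github.com/nuxeo/nuxeo-platform-login/blob/master/nuxeo-platform-login-token/src/main/resources/OSGI-INF/token-authentication-contrib.xml: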

          <specificAuthenticationChain name="Automation">
            <urlPatterns>
              <url>(.*)/automation.*</url>
            </urlPatterns>
            <replacementChain>
              <plugin>AUTOMATION_BASIC_AUTH</plugin>
              <plugin>TOKEN_AUTH</plugin>
              <plugin>ANONYMOUS_AUTH</plugin>
            </replacementChain>
          </specificAuthenticationChain>
      

      and the base contribution https://github.com/nuxeo/nuxeo/blob/master/nuxeo-features/nuxeo-automation/nuxeo-automation-server/src/main/resources/OSGI-INF/auth-contrib.xml:

          <specificAuthenticationChain name="Automation">
              <urlPatterns>
                  <url>(.*)/automation.*</url>
              </urlPatterns>
      
              <replacementChain>
                  <plugin>AUTOMATION_BASIC_AUTH</plugin>
                  <plugin>ANONYMOUS_AUTH</plugin>
              </replacementChain>
          </specificAuthenticationChain>
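
The effect of that plugin order can be reproduced with a small model of a first-match authentication chain. This is an added example, not Nuxeo code and not the fix adopted for this issue: the three functions only mirror the plugin names in the contribution above, and the request dictionary, the token and user stores, and `authenticate_strict` are assumptions made for illustration.

```python
# Simplified model of a first-match authentication chain (not Nuxeo code).
VALID_TOKENS = {"tok-alice": "alice"}   # constructed token store
USERS = {"alice": "secret"}             # constructed user store


def automation_basic_auth(req):
    creds = req.get("basic")            # (username, password) or absent
    if creds and USERS.get(creds[0]) == creds[1]:
        return creds[0]
    return None


def token_auth(req):
    return VALID_TOKENS.get(req.get("token"))


def anonymous_auth(req):
    return "Guest"                      # always succeeds


# Same order as the "Automation" replacementChain shown above.
CHAIN = [automation_basic_auth, token_auth, anonymous_auth]


def revoke(token):
    VALID_TOKENS.pop(token, None)


def authenticate(req, chain=CHAIN):
    """First plugin that returns an identity wins, so a failed token
    silently becomes an anonymous session."""
    for plugin in chain:
        user = plugin(req)
        if user:
            return user
    return None


def authenticate_strict(req, chain=CHAIN):
    """Hypothetical guard: a request that presented credentials which
    failed is refused rather than downgraded to anonymous."""
    presented = "token" in req or "basic" in req
    for plugin in chain:
        if plugin is anonymous_auth and presented:
            return None                 # caller should answer with an auth failure
        user = plugin(req)
        if user:
            return user
    return None


if __name__ == "__main__":
    request = {"token": "tok-alice"}
    print(authenticate(request))        # identity before revocation
    revoke("tok-alice")
    print(authenticate(request), authenticate_strict(request))
```

With the guard, a client holding a revoked token gets no identity at all, which is the signal Drive needs to go offline and ask for credentials, while requests that carry no credentials still get anonymous access.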
      
