
403 Forbidden error on Rubrics Web Services requests


    Details

    • Type: Bug
    • Status: OPEN
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 19.6, 20.2, 21.0 [Tentative], 22.0 [Tentative]
    • Fix Version/s: None
    • Component/s: Rubrics, Web Services
    • Labels: None
    • Test Plan:
      1. comment out webservices.allow= in sakai.properties.
        1. Or set it to IP addresses that won't include your test user's computer
        2. Do NOT set it to .+
      2. start tomcat
      3. add the Rubrics tool to a site
      4. open the Browser's Web Developer Console or Network tab
      5. create a new rubric
      6. reload the tool
      7. 403 errors on the URLs in this jira's description

      Description

      Rubrics tool requests to webservices URLs

      /sakai-ws/rest/sakai/getSiteTitle?sessionid=abcd-1234&siteid=abcd-1234

      /sakai-ws/rest/sakai/getUserDisplayName?sessionid=abcd1234&eid=abcd

      fail with 403 Forbidden errors when sakai.properties' webservices.allow= doesn't contain the end user's IP address, which it shouldn't, because normally you would set webservices.allow= to the specific servers you want to give access. End users shouldn't normally be allowed to use the web services. (Note that the nightly QA servers allow anyone (.+) to use the web services.)

      Checking the Tomcat logs, there's an error:

      org.sakaiproject.webservices.interceptor.RemoteHostMatcher.isAllowed Access denied (implicit): x.x.x.x/x.x.x.x

      where, again, the IP address is the end user's address. The error makes sense because the end user's IP address isn't in the whitelist, but why does Rubrics need to call the web services to get the site title and user name? Aren't there other ways of getting that data? Or is it because the Rubrics tool makes heavy use of JavaScript (instead of e.g. JSP, Velocity, Wicket, etc.)?
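      To reproduce the allow-list behaviour described above outside Tomcat, here is an added Python check (not Sakai code) that reads webservices.allow= from a sakai.properties fragment, tests whether a given caller address would pass, flags the "allow anyone" (.+) setting, and pulls RemoteHostMatcher denials out of log lines. It assumes the property value is a comma-separated list of regular expressions matched against the caller's address; the properties fragment and log lines below are constructed samples.

```python
import re

# Constructed sakai.properties fragment: only the application servers may call the web services.
SAMPLE_PROPERTIES = """\
# webservices.allow=.+   <- the nightly QA setting, commented out here
webservices.allow=127\\.0\\.0\\.1,10\\.0\\.5\\.[0-9]+
"""

# Constructed Tomcat log lines in the shape quoted in this ticket.
SAMPLE_LOG = """\
INFO  org.sakaiproject.webservices.interceptor.RemoteHostMatcher.isAllowed Access allowed: 10.0.5.12/10.0.5.12
WARN  org.sakaiproject.webservices.interceptor.RemoteHostMatcher.isAllowed Access denied (implicit): 203.0.113.7/203.0.113.7
"""

DENIAL_RE = re.compile(r"RemoteHostMatcher\.isAllowed Access denied \((\w+)\): (\S+)")
# Addresses from unrelated ranges; a pattern that matches all of them effectively allows anyone.
PROBE_ADDRESSES = ("192.0.2.1", "198.51.100.200", "203.0.113.7")


def load_allow_patterns(properties_text):
    """Return the patterns from the active webservices.allow= line, or [] if it is absent or commented out.
    Assumption: comma-separated regular expressions, matched against the caller's address."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("webservices.allow="):
            value = line.split("=", 1)[1].strip()
            return [p.strip() for p in value.split(",") if p.strip()]
    return []


def is_allowed(remote_addr, patterns):
    """Model of the allow check: the caller's address must fully match one allowed pattern."""
    return any(re.fullmatch(p, remote_addr) for p in patterns)


def permissive_patterns(patterns):
    """Patterns (such as .+) that match every probe address, i.e. that let end users reach the web services."""
    return [p for p in patterns if all(re.fullmatch(p, a) for a in PROBE_ADDRESSES)]


def denied_callers(log_text):
    """Extract (reason, address) pairs from RemoteHostMatcher denial lines in the Tomcat log."""
    return [m.groups() for m in (DENIAL_RE.search(line) for line in log_text.splitlines()) if m]
```

With the sample above, a Rubrics request from a browser at 203.0.113.7 is denied while the application server at 10.0.5.12 is allowed, which is exactly the 403 the ticket reports when webservices.allow= lists only servers.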

                People

                Assignee: Unassigned
                Reporter: austinUH (Austin)
