Mailing List webobjects-dev@wocommunity.org Message #215
From: Markus Ruggiero (rucotec) <webobjects-dev@wocommunity.org>
Subject: Re: [WO-DEV] Deployment issue on Catalina "You don't have permission to access this resource"
Date: Sat, 19 Jun 2021 10:00:08 +0200
To: WebObjects & WOnder Development <webobjects-dev@wocommunity.org>
Signed Data (Text SHA256)
Man I love you (well, sort of anyway😇).

Thanks a lot, the location thing was it. Now everything works.

Have a great day
---markus---

On 18 Jun 2021, at 14:25, Ralf Schuchardt <webobjects-dev@wocommunity.org> wrote:

Do you have a „Location“ based access grant in your config?

In my (CentOS) Apache config I have this statement:

# Specific to Apache 2.4
<Location /cgi-bin/WebObjects/>
    <Limit GET POST OPTIONS >
      Require all granted
    </Limit>
    Require all denied
</Location>

I have also commented out all ScriptAlias* directives in all apache config files.

Logging can be enabled by setting a WebObjectsLog directive:

# To change the logging options, read the following comments:
# The option name is "WebObjectsLog" and the first value indicates the path of the log file.
# The second value indicates the log level. There are five, in decreasing informational order:
#       "Debug",    "Info",    "Warn",    "Error",    "User"
#
# Note: To enable logging, touch '/tmp/logWebObjects' as the administrator user (usually root).
# After apache starts, you'll have to change the owner permissions to 'www'.
# Type: sudo chown www /Library/WebObjects/Logs/WebObjects.log
# See <rdar://problem/5296267> /tmp/logWebObjects insecure tempfile in WebObjects
#
# The following line is the default:
# WebObjectsLog /tmp/WebObjects.log Debug

For simple applications you could also completely discard the WOAdaptor and use the standard proxy mechanism. Single instance deployments don’t even need a balancer setup:

# in the site config:
ProxyPass /cgi-bin/WebObjects/App.woa http://localhost:2001/cgi-bin/WebObjects/App.woa
ProxyPassReverse /cgi-bin/WebObjects/App.woa  http://localhost:2001/cgi-bin/WebObjects/App.woa

<Proxy http://localhost:2001/cgi-bin/WebObjects/App.woa/>
	Require all granted
    Options none
    RequestHeader append x-webobjects-adaptor-version "mod_proxy"
</Proxy>

Ralf

On 18 Jun 2021, at 12:48, Markus Ruggiero (rucotec) wrote:

Thanks Jesse, yeah, I tried all. All files are w:r including /Library/WebObjects/Configuration/* where SiteConfig.xml lives. JavaMonitor is writing the SiteConfig.xml, wotaskd uses it and it is readable for anything Apache.

Apache running under _www or, as I just now tried running it under my own uid, makes no difference. The error_log shows this line:
[Fri Jun 18 10:39:44.022934 2021] [authz_core:error] [pid 50274] [client 127.0.0.1:60139] AH01630: client denied by server configuration: /apps, referer: http://localhost:3333/cgi-bin/WebObjects/JavaMonitor.woa/wo/6tRZCAqtsrsCiSrXLUPUMg/0.0.1.0

I tried with cgi-bin as well as apps.

For me this indicates something in WOAdaptor not being right. When I google this error everyone is pointing to Apache config where in some places Require all allowed is needed. That is there and Apache can serve static filesystem based resources. 
As the error points to /apps as the resource that is not accessible this again points to WOAdaptor. /apps is NOT a file system path (no <Directory> block in http.conf) but is part of the adaptor URL (set in JavaMonitor as http://woapps/apps/WebObjects). Seems that WOAdaptor does not properly take over and then of course Apache would try to access this non-existing path.

This brings me to the next question: how do I debug WOAdaptor? Or am I going nuts?

Something else: I compared all the LoadModule directives in httpd.conf with those on the customer deployment and made sure there weren’t modules excluded. Nothing helped. Next is probably to virtualise the client deployment machine, strip it down to the bare minimum and run it as a test deployment server inside VMWare. Maybe last resort....

---markus---

On 17 Jun 2021, at 17:07, Jesse Tayler <webobjects-dev@wocommunity.org> wrote:

Well, gosh, it just has to be apache and the OS — run down the list of suspects

"client denied by server configuration" is reported so that’s basically the OS saying you can’t read — I think?

I can’t read your rules, but since apache doesn’t seem to barf did you check user and OS level stuff carefully?

- the user that is running apache?
- the actual folder and parent folder settings?
- read those folders as that user from the command line?

Other random tests regarding OS level file permissions?

I’m no expert here, but I’m pretty sure those files gotta be 755 and it seems like the apache log is reporting a filesystem level permission error…?




On Jun 17, 2021, at 10:59 AM, Markus Ruggiero (rucotec) <webobjects-dev@wocommunity.org> wrote:

This is a new setup. Up to now I have had a dedicated deployment machine that works. As this is for a customer I do not want to touch it.

We have a weird problem that only shows when more than one instance of the same app is running. To be able to debug and analyze this I thought I’d configure my dev machine so that I can deploy to it easily without disturbing anything productive.

Yes, of course mod_webobjects is loaded. This is the full wo_apache.config:

LoadModule WebObjects_module /Users/Shared/Developer/Libraries/Wonder/ApacheWOAdaptor/Apache2.4/macOS/mod_WebObjects.so
WebObjectsAlias /apps/WebObjects
WebObjectsConfig http://woapps:1085 10

all the other nice stuff in there is commented and not active.

If on a command line I type
apachectl -F

I get a whole list of known directives and there are many WO related ons. Where else would Apache get those if not through mod_webobjects? This indicates that the module is properly loaded.


On 17 Jun 2021, at 16:44, Jesse Tayler <webobjects-dev@wocommunity.org> wrote:

Sounds like apache, are you sure things like mod_webobjects are loaded and those base things?

I can’t read apache rules…sorry! They are all just random characters to me…I guess the questions is what’s changed or is this a new setup giving you a hard time?

On Jun 17, 2021, at 10:40 AM, Markus Ruggiero (rucotec) <webobjects-dev@wocommunity.org> wrote:

Probably missing something so basic that I simply do not see it. Must be too hot outside (33 Celsius) and no aircon in the office (31 Celsius). 
Hope someone can point me in the right direction.

Deployment setup on my dev machine (MBpro, macOS Catalina, JRE 15). Apache installed via homebrew (Apache/2.4.46 (Unix)), Apple's Apache not in use

Apache configured with various virtual hosts, resolved through /etc/hosts. This all works, Apache serves static resources from these hosts.

JavaMonitor runs, wotaskd runs, Apache loads WOAdaptor by including wo_apache.conf
apachectl -F knows about WOAdaptor, so I assume it is properly loaded

wo_apache.conf has this line:
WebObjectsAlias   /apps/WebObjects 

The Apache config file http.conf has this line
# ScriptAliasMatch ^/cgi-bin/((?!(?i:webobjects)).*$) "/usr/local/var/www/CGI-Executables/$1"
ScriptAliasMatch ^/apps/((?!(?i:webobjects)).*$) "/usr/local/var/www/CGI-Executables/$1"

(tried both variants, with cgi-bin and the one with apps)

In WOMonitor this is the URL to the adaptor:
(woapps being one of my virtual hosts)

When I try to access an installed app the browser reports an error
"You don't have permission to access this resource”

and Apache puts a message into the error log file:
[Thu Jun 17 13:43:57.329921 2021] [authz_core:error] [pid 42093] [client 127.0.0.1:64420] AH01630: client denied by server configuration: /apps

/apps is not a directory but the first part of the WO URL and thus should go to the WOAdaptor. Has the ScriptAliasMatch (see above) anything to do with this?

Thanks for any help
---markus---


Markus Ruggiero

rucotec GmbH                        web https://rucotec.ch
Steinenvorstadt 79                email markus.ruggiero@rucotec.ch
4051 Basel / Switzerland         mobile +41 79 508 4701













Markus Ruggiero

rucotec GmbH                        web https://rucotec.ch
Steinenvorstadt 79                email markus.ruggiero@rucotec.ch
4051 Basel / Switzerland         mobile +41 79 508 4701











Markus Ruggiero

rucotec GmbH                        web https://rucotec.ch
Steinenvorstadt 79                email markus.ruggiero@rucotec.ch
4051 Basel / Switzerland         mobile +41 79 508 4701




Markus Ruggiero


rucotec GmbH                        web https://rucotec.ch
Steinenvorstadt 79                email markus.ruggiero@rucotec.ch
4051 Basel / Switzerland         mobile +41 79 508 4701








Content Unaltered as verified By:
<markus.ruggiero@rucotec.ch>
Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster