
[webscripts & content rules] Security issue with admin

Question asked by rogier.oudshoorn on Nov 23, 2007
Latest reply on Dec 14, 2007 by kevinr
I am developing a community site, in which a Single Page Interface performs calls on our Alfresco REST webscripts. We are using Alfresco as pure storage, in which every user on the community site is a user in Alfresco.

One of the things we're implementing is a mail system, so every user has 3 "boxes" in his homespace: Inbox (incoming mail), Outbox (outgoing mail) and Incoming (place where users can "drop" their mails). We have a content rule on the incoming folder, which removes the child from incoming and places the child in the inbox folder. This is a custom script:

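// Rule script on the Incoming folder: "space" is the folder the rule runs on,
// "document" is the mail that was dropped into it.
var homespace = space.parent;
if (homespace) {
   // Locate the recipient's Inbox next to the Incoming folder.
   var inbox = homespace.childByNamePath("Inbox");

   if (inbox) {
      // Add the mail to the Inbox, then remove it from Incoming.
      inbox.addNode(document);
      space.removeNode(document);
   }
}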

The problem we're having is that when the Administrator user is logged in, everything works. We can send a mail, create a secondary child association in the incoming, and the script moves this association towards the inbox.

However, when the administrator is NOT logged in, the webscript sending the email throws this error:


500 Description:    An error inside the HTTP server which prevented it from fulfilling the request.

Message:   A valid SecureContext was not provided in the RequestContext

Exception:   net.sf.acegisecurity.AuthenticationCredentialsNotFoundException - A valid SecureContext was not provided in the RequestContext
   
   net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:477)
   net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:355)
   net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
   org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
   org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:49)
   org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
   org.alfresco.repo.audit.AuditComponentImpl.auditImpl(AuditComponentImpl.java:256)
   org.alfresco.repo.audit.AuditComponentImpl.audit(AuditComponentImpl.java:191)
   org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:69)
   org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
   org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
   org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
   org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:210)
   $Proxy2.exists(Unknown Source)
   org.alfresco.repo.rule.RuleServiceImpl.checkForCopy(RuleServiceImpl.java:976)
   org.alfresco.repo.rule.RuleServiceImpl.canExecuteRule(RuleServiceImpl.java:951)
   org.alfresco.repo.rule.RuleServiceImpl.executePendingRule(RuleServiceImpl.java:884)
   org.alfresco.repo.rule.RuleServiceImpl.executePendingRulesImpl(RuleServiceImpl.java:857)
   org.alfresco.repo.rule.RuleServiceImpl.executePendingRules(RuleServiceImpl.java:830)
   org.alfresco.repo.rule.RuleTransactionListener.beforeCommit(RuleTransactionListener.java:69)
   org.alfresco.repo.transaction.AlfrescoTransactionSupport$TransactionSynchronizationImpl.doBeforeCommit(AlfrescoTransactionSupport.java:631)
   org.alfresco.repo.transaction.AlfrescoTransactionSupport$TransactionSynchronizationImpl.doBeforeCommit(AlfrescoTransactionSupport.java:613)
   org.alfresco.repo.transaction.AlfrescoTransactionSupport$TransactionSynchronizationImpl.beforeCommit(AlfrescoTransactionSupport.java:591)
   org.springframework.transaction.support.TransactionSynchronizationUtils.triggerBeforeCommit(TransactionSynchronizationUtils.java:48)
   org.springframework.transaction.support.AbstractPlatformTransactionManager.triggerBeforeCommit(AbstractPlatformTransactionManager.java:821)
   org.springframework.transaction.support.AbstractPlatformTransactionManager.processCommit(AbstractPlatformTransactionManager.java:637)
   org.springframework.transaction.support.AbstractPlatformTransactionManager.commit(AbstractPlatformTransactionManager.java:624)
   org.springframework.transaction.interceptor.TransactionAspectSupport.commitTransactionAfterReturning(TransactionAspectSupport.java:307)
   org.alfresco.util.transaction.SpringAwareUserTransaction.commit(SpringAwareUserTransaction.java:420)
   org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:242)
   org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:158)
   org.alfresco.web.scripts.WebScriptRuntime.executeScript(WebScriptRuntime.java:174)
   org.alfresco.web.scripts.WebScriptServlet.service(WebScriptServlet.java:106)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
   org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
   org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   mypackage.filters.XSLTFilter.doFilter(Unknown Source)
   org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
   org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
   org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
   org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
   org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
   org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
   org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
   org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
   org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773)
   org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
   org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
   org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
   java.lang.Thread.run(Unknown Source)

Is this a bug? Bad coding on my part? What to do?

Thanks for reading!

Rogier
