Cams Administrator's Guide
This section contains questions and answers about access control configuration errors, debugging techniques, etc.
As a security domain's access control service is being loaded, initialized, started, and stopped, various DEBUG, INFO, WARNING, ERROR, and/or FATAL messages may be written to the security domain-specific trace log.
If the security domain's access control service is correctly loaded, you will
see the following two (not necessarily consecutive) messages in that security
domain's trace log file:
INFO - Loading AccessControlService
INFO - Loaded AccessControlService
If the security domain's access control service is correctly initialized, you will see the following two (not necessarily consecutive) messages in that security domain's trace log file:
INFO - Initializing AccessControlService
INFO - Initialized AccessControlService
If the security domain's access control service is correctly started, you will see the following two messages in that security domain's trace log file:
INFO - Starting AccessControlService
INFO - Started AccessControlService
If the security domain's access control service is correctly stopped, you will see the following two messages in that security domain's trace log file:
INFO - Stopping AccessControlService
INFO - Stopped AccessControlService
If any of these message pairs has an intervening "ERROR" or "FATAL" message, then the load, initialization, start, or stop process failed and the message should give sufficient context to start debugging the configuration problem.
As a security domain's access control policy is being initialized and loaded, various DEBUG, INFO, WARNING, ERROR, and/or FATAL messages may be written to the security domain-specific trace log.
If the security domain's access control policy is correctly loaded, you will
see the following two (not necessarily consecutive) messages in that security
domain's trace log file:
INFO - Initializing AccessControlService
INFO - Initialized AccessControlService
If the security domain's access control service is correctly initialized, you will see the following two (not necessarily consecutive) messages in that security domain's trace log file:
INFO - Loading AccessControlService
INFO - Loaded AccessControlService
If any of these message pairs has an intervening "ERROR" or "FATAL" message, then the load, initialization, start, or stop process failed and the message should give sufficient context to start debugging the configuration problem.
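The check described in the two passages above (each begin/end message pair, with any intervening ERROR or FATAL message) can be automated. This is an added example, not code from Cams or Cafésoft; the function name, the assumed `<LEVEL> - <message>` line layout and the sample log are constructed for illustration.

```python
import re

SERVICE = "AccessControlService"
# (begin verb, end verb) for the four message pairs quoted in the guide.
PHASES = [("Loading", "Loaded"), ("Initializing", "Initialized"),
          ("Starting", "Started"), ("Stopping", "Stopped")]
# Assumption: every trace line contains "<LEVEL> - <message>", possibly after a prefix.
LINE_RE = re.compile(r"\b(DEBUG|INFO|WARNING|ERROR|FATAL) - (.*)$")

def check_lifecycle(lines):
    """Map each begin verb to (status, intervening ERROR/FATAL messages);
    status is 'ok', 'failed', 'incomplete' (no end message) or 'absent'."""
    begin = {f"{b} {SERVICE}": b for b, _ in PHASES}
    end = {f"{e} {SERVICE}": b for b, e in PHASES}
    result = {b: ("absent", []) for b, _ in PHASES}
    open_phases = {}  # begin verb -> ERROR/FATAL messages seen since it began
    for line in lines:
        m = LINE_RE.search(line.rstrip())
        if not m:
            continue
        level, msg = m.group(1), m.group(2).strip()
        if level == "INFO" and msg in begin:
            open_phases[begin[msg]] = []
        elif level == "INFO" and end.get(msg) in open_phases:
            errors = open_phases.pop(end[msg])
            result[end[msg]] = ("failed" if errors else "ok", errors)
        elif level in ("ERROR", "FATAL"):
            for errors in open_phases.values():
                errors.append(f"{level} - {msg}")
    for phase, errors in open_phases.items():
        result[phase] = ("incomplete", errors)
    return result

# Constructed sample trace log; the non-INFO message texts are invented.
SAMPLE = """\
INFO - Loading AccessControlService
DEBUG - (constructed) reading configuration
INFO - Loaded AccessControlService
INFO - Initializing AccessControlService
ERROR - (constructed) unable to read access control policy
INFO - Initialized AccessControlService
INFO - Starting AccessControlService
FATAL - (constructed) service start aborted
""".splitlines()

if __name__ == "__main__":
    for phase, (status, errors) in check_lifecycle(SAMPLE).items():
        print(f"{phase:<13}{status:<11}{'; '.join(errors)}")
```

A phase reported as `incomplete` has a begin message with no matching end message, which the pair check alone would miss if you only searched for ERROR lines.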
The easiest way to tell if a security domain is handling an access control request for a particular resource is to look in the access control transaction log for that security domain. For example, suppose a security domain is supposed to protect an "http" resource corresponding to the following resource request:
Actions=GET,
Resource Id=http://localhost:8080/examples/index.jsp
If you attempt to access the resource via a web browser and the security domain access control transaction logging is enabled, you should see a new record resembling the following line appear at the bottom of the transaction log file:
[10/Jul/2002:09:23:59 -0700] 127.0.0.1 - - http http://localhost:8080/examples/index.jsp "GET" 2 10
If the record does not appear, then the security domain is either not receiving the request or an error is occurring during the access control check. Check the security domain's trace log for an ERROR or FATAL message related to the access control request. If not present, then check the general cams-server.log and the system security domain's trace log.
Another possible cause of the problem could be that the system (or some other) security domain is not properly delegating the access control request. Check the system security domain's access control transaction log to make sure it is receiving the initial access control request. If it is, you may need to enable DEBUG-level messages for the system security domain's access control policy. Those DEBUG messages will tell you whether the access control check is being handled by the system security domain or if it is being delegated to another security domain. If delegated, you will need to check each intermediate security domain's access control policy to ensure that delegation rules are set up properly.
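The transaction log lookup described above can be scripted across several security domains to see where a request stopped. This is an added example, not part of Cams: the field layout is inferred from the single record shown above, the comma-separated actions list and all function names are assumptions, and the logs are constructed.

```python
import re
from datetime import datetime

# Field layout inferred from the one record shown in the guide (assumption):
# [timestamp] client - - resource-type resource-id "ACTIONS" <n> <n>
# The guide does not explain the two trailing numbers, so they stay opaque.
RECORD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<client>\S+) \S+ \S+ (?P<type>\S+) '
    r'(?P<resource>\S+) "(?P<actions>[^"]*)" (?P<tail>\S+ \S+)\s*$')

def parse_record(line):
    """Parse one transaction log record; return None if it does not match."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["actions"] = [a.strip() for a in rec["actions"].split(",") if a.strip()]
    return rec

def domains_that_logged(logs_by_domain, resource_id, action):
    """Names of the security domains whose log has a record for the request."""
    hits = []
    for domain, lines in logs_by_domain.items():
        recs = (parse_record(line) for line in lines)
        if any(r and r["resource"] == resource_id and action in r["actions"]
               for r in recs):
            hits.append(domain)
    return hits

def next_check(logs_by_domain, target, resource_id, action):
    """Point at the troubleshooting step the guide gives for this situation."""
    hits = domains_that_logged(logs_by_domain, resource_id, action)
    if target in hits:
        return f"'{target}' handled the request"
    if "system" in hits:
        return "system domain received it: check delegation rules"
    return "no record: check trace logs and cams-server.log"

# Constructed logs; the only record is the one quoted in the guide.
GUIDE_RECORD = ('[10/Jul/2002:09:23:59 -0700] 127.0.0.1 - - http '
                'http://localhost:8080/examples/index.jsp "GET" 2 10')
LOGS = {"system": [GUIDE_RECORD], "examples": []}

if __name__ == "__main__":
    url = "http://localhost:8080/examples/index.jsp"
    print(next_check(LOGS, "examples", url, "GET"))
```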
To see the contents of an access control request as received by a security domain's access control policy, you'll need to:
Example 1 shows what you'll see for each access control request in the trace log once debugging is enabled:
DEBUG - ------------------ Start Access Control Check -------------------------
Example 1 - Sample access control request DEBUG-level messages
More information is provided on how to interpret these messages in Troubleshooting Cams Access Control.
To see which permission and access control rule are protecting a resource:
The security domain's trace logger will contain DEBUG messages like those in Example 2.
DEBUG - ------------------ Start Access Control Check -------------------------
Example 2 - Sample access control policy permission DEBUG-level messages
The permission and access control rule information for the request are shown in red.
To see if a security domain is delegating an access control request:
The security domain's trace logger will contain DEBUG messages like those shown in Example 3.
DEBUG - ------------------ Start Access Control Check -------------------------
Example 3 - Sample access control policy DEBUG messages showing forwarding of an access control request
In the example, the "Owner" security domain is declared to be "examples" (which means that these DEBUG messages are from another security domain's trace log). The "... Forwarding ..." message will indicate the security domain to which the access control check is being delegated.
To see the contents of an access control response as returned by a security domain's access control policy, you'll need to:
Example 4 shows part of what you'll see for each access control response in the trace log once debugging is enabled:
DEBUG - ------------------ Start Access Control Check -------------------------
Example 4 - access control response DEBUG-level messages
A sample access control response is shown in red.
To see how the access control rule referenced by a security domain's permission is evaluated by an access control policy:
Example 5 shows part of what you'll see for each access control response in the trace log once debugging is enabled:
DEBUG - ------------------ Start Access Control Check -------------------------
Example 5 - Sample DEBUG-level message showing the result of evaluating an access control rule
The access control rule evaluation result is shown above in red. If the invoked access control rule is a compound rule like an access control rule expression (XML "acr" tag), you may enable DEBUG-level messages for each nested access control rule to see more details on how each ACR evaluates the access control request.
© Copyright 1996-2004 Cafésoft LLC. All rights reserved.