
#1941 http 401 gives CIM_ERR_FAILED instead of CIM_ERR_ACCESS_DENI

Usability
closed-fixed
5
2010-06-15
2010-04-30
chrisreich
No

When connecting to HDS CIMOM with wrong username/pw CIMClient (2.1.4) returns general CIM_ERR_FAILED instead of WBEMException: CIM_ERR_ACCESS_DENIED (HTTP 401 - Unauthorized)

Stacktrace:
2010-04-30 15:51:42.345+01:00 HWN099993E Exception received while trying to connect to http://127.0.0.1:15988 due to CIM_ERR_FAILED @(-9223372036854775000;[-9223372036854774910,0,1];-9223372036854774882;DiskManagerThread-4 - testOneCIMOMConnection([CIMOM=http://127.0.0.1:15988, interop, system, ******]))
WBEMException: CIM_ERR_FAILED
at org.sblim.cimclient.internal.wbem.WBEMClientCIMXML.enumerateInstanceNames(WBEMClientCIMXML.java:997)
at sun.reflect.GeneratedMethodAccessor38.invoke(Unknown Source)
...
Caused by: java.lang.NullPointerException
at org.sblim.cimclient.internal.http.HttpClient.getResponseCode(HttpClient.java)
at org.sblim.cimclient.internal.http.HttpUrlConnection.getResponseCode(HttpUrlConnection.java:233)
at org.sblim.cimclient.internal.wbem.WBEMClientCIMXML.transmitRequest(WBEMClientCIMXML.java:1718)
at org.sblim.cimclient.internal.wbem.WBEMClientCIMXML.enumerateInstanceNames(WBEMClientCIMXML.java:981)

The HTTP Trace is:

POST /cimom HTTP/1.1
Connection: Keep-alive
Content-type: application/xml; charset="utf-8"
Content-Language: de-DE
CIMMethod: EnumerateInstanceNames
CIMOperation: MethodCall
Content-length: 370
CIMProtocolVersion: 1.0
TE: trailers
CIMObject: interop
Accept-Language: de-DE, en-US, *
Host: 127.0.0.1
Cache-Control: no-cache
Accept: text/html, text/xml, application/xml

<?xml version="1.0" encoding="UTF-8"?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0"><MESSAGE ID="900894" PROTOCOLVERSION="1.0"><SIMPLEREQ><IMETHODCALL NAME="EnumerateInstanceNames"><LOCALNAMESPACEPATH><NAMESPACE NAME="interop"/></LOCALNAMESPACEPATH><IPARAMVALUE NAME="ClassName"><CLASSNAME NAME="CIM_RegisteredProfile"/></IPARAMVALUE></IMETHODCALL></SIMPLEREQ></MESSAGE></CIM>

HTTP/1.1 401 Unauthorized
Transfer-Encoding: chunked
CIMRoleAuthenticate: com.hitachi.hds.wbem.security.AuthenticationProvider
WWW-Authenticate: Basic realm="wbem@"

0

POST /cimom HTTP/1.1
Connection: Keep-alive
Content-type: application/xml; charset="utf-8"
Content-Language: de-DE
CIMMethod: EnumerateInstanceNames
CIMOperation: MethodCall
Authorization: Basic c3lzdGVtOmZhbHNlcHc=
Content-length: 370
CIMProtocolVersion: 1.0
TE: trailers
CIMObject: interop
Accept-Language: de-DE, en-US, *
Host: 127.0.0.1
Cache-Control: no-cache
Accept: text/html, text/xml, application/xml

<?xml version="1.0" encoding="UTF-8"?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0"><MESSAGE ID="900894" PROTOCOLVERSION="1.0"><SIMPLEREQ><IMETHODCALL NAME="EnumerateInstanceNames"><LOCALNAMESPACEPATH><NAMESPACE NAME="interop"/></LOCALNAMESPACEPATH><IPARAMVALUE NAME="ClassName"><CLASSNAME NAME="CIM_RegisteredProfile"/></IPARAMVALUE></IMETHODCALL></SIMPLEREQ></MESSAGE></CIM>

HTTP/1.1 401 Unauthorized
Transfer-Encoding: chunked

0

It looks like the CIMOM does not add the authenticate HTTP header again in the 401 response when the request includes user/password.
Don't know if this follows the correct HTTP protocol, but the CIM Client should return the main error (401) and not some details that might be wrong.

Discussion

  • Dave Blaschke

    Dave Blaschke - 2010-04-30
    • assigned_to: nobody --> blaschke-oss
     
  • Dave Blaschke

    Dave Blaschke - 2010-04-30

    WBEMClientCIMXML.transmitRequest() has not yet gotten to the point where it will throw the CIM_ERR_ACCESS_DENIED because a null pointer occurs within HttpClient.getResponseCode() ... unfortunately, it is a large (~250 LOC) routine and there is no line number in the stack trace. Is this an oversight? Any way you can debug thru that routine to see where null pointer is accessed?

     
  • chrisreich

    chrisreich - 2010-04-30

    Sorry, pasted the wrong stacktrace above where I tried to get around the problem;
    here is the initial stacktrace:

    2010-04-30 11:16:19.595+01:00 HWN099993E Exception received while trying to connect to https://9.11.98.177:5989 due to CIM_ERR_FAILED @(-9223372036854775598;[-9223372036854775578,0,1];-9223372036854775524;DiskManagerThread-1 - testOneCIMOMConnection([CIMOM=https://9.11.98.177:5989, interop, username, ******]))
    WBEMException: CIM_ERR_FAILED
    at org.sblim.cimclient.internal.wbem.WBEMClientCIMXML.enumerateInstanceNames(WBEMClientCIMXML.java:997)
    at sun.reflect.GeneratedMethodAccessor42.invoke(Unknown Source)
    ...
    Caused by: java.lang.IllegalArgumentException: Invalid challenge
    at org.sblim.cimclient.internal.http.Challenge.parseChallenge(Challenge.java:80)
    at org.sblim.cimclient.internal.http.HttpClient.getAuthentication(HttpClient.java:872)
    at org.sblim.cimclient.internal.http.HttpClient.getResponseCode(HttpClient.java:690)
    at org.sblim.cimclient.internal.http.HttpUrlConnection.getResponseCode(HttpUrlConnection.java:233)
    at org.sblim.cimclient.internal.wbem.WBEMClientCIMXML.transmitRequest(WBEMClientCIMXML.java:1718)
    at org.sblim.cimclient.internal.wbem.WBEMClientCIMXML.enumerateInstanceNames(WBEMClientCIMXML.java:981)
    ... 13 more

     
  • Dave Blaschke

    Dave Blaschke - 2010-05-04

    Perhaps the HDS CIMOM should reread RFC2617:

    "The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent. This response MUST include a WWW-Authenticate header field containing at least one challenge applicable to the requested resource."

    The user may be attempting something invalid but the CIMOM should still adhere to the spec. This is why the Java CIM Client does not check for a null from getField("WWW-Authenticate") - because it is supposed to be there.

    That aside, the patch we discussed is the best solution to allow the client to return a better exception than CIM_ERR_FAILED.

     
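An added illustration in Python, not SBLIM CIM Client code, of the behaviour the reporter asks for and the null check Dave mentions: a 401 is reported as access denied even when the WWW-Authenticate header is missing or malformed, instead of failing on the absent field. The two responses are constructed from the HTTP trace in this ticket, and the error-code strings simply reuse the CIM error names used on this page.

```python
import re

# Constructed from the HTTP trace in this ticket: the first 401 carries a Basic
# challenge, the second (sent after the client added Authorization) does not.
FIRST_401 = (b"HTTP/1.1 401 Unauthorized\r\n"
             b"Transfer-Encoding: chunked\r\n"
             b"CIMRoleAuthenticate: com.hitachi.hds.wbem.security.AuthenticationProvider\r\n"
             b'WWW-Authenticate: Basic realm="wbem@"\r\n\r\n0\r\n\r\n')
SECOND_401 = b"HTTP/1.1 401 Unauthorized\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def parse_challenge(value):
    """Parse a WWW-Authenticate value such as 'Basic realm="wbem@"' into (scheme, params)."""
    scheme, _, params = value.strip().partition(" ")
    if not scheme:
        raise ValueError("Invalid challenge")
    return scheme.lower(), dict(re.findall(r'(\w+)="([^"]*)"', params))


def classify_401(raw, credentials_sent):
    """Map a response to a CIM-style error code plus a diagnostic detail.
    A 401 is an authentication failure whatever else is wrong with the response."""
    status, headers, _ = parse_response(raw)
    if status != 401:
        return ("OK" if status < 400 else "CIM_ERR_FAILED"), f"HTTP {status}"
    challenge = headers.get("www-authenticate")
    if challenge is None:
        # RFC 2617 requires WWW-Authenticate on every 401; the server broke that, but
        # the client still knows the request was refused, so report that, not a null.
        return "CIM_ERR_ACCESS_DENIED", "401 without WWW-Authenticate (server violates RFC 2617)"
    try:
        scheme, params = parse_challenge(challenge)
    except ValueError as exc:
        return "CIM_ERR_ACCESS_DENIED", f"401 with unparseable challenge: {exc}"
    realm = params.get("realm", "")
    if credentials_sent:
        return "CIM_ERR_ACCESS_DENIED", f"credentials rejected by {scheme} realm {realm!r}"
    return "CHALLENGE", f"{scheme} realm {realm!r}, retry with Authorization"
```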
  • Dave Blaschke

    Dave Blaschke - 2010-05-05

    Patch sent for community review. During a 2 week period any
    exploiter may comment on the patch, request changes or turn it
    down completely (with good reason). For the time being the patch is part of the "Experimental" branch in CVS.

     
  • Dave Blaschke

    Dave Blaschke - 2010-05-05
    • status: open --> open-fixed
     
  • Dave Blaschke

    Dave Blaschke - 2010-05-05

    Christoph's proposal

     
  • Dave Blaschke

    Dave Blaschke - 2010-05-27

    Patch against HEAD

     
  • Dave Blaschke

    Dave Blaschke - 2010-05-27

    The community review has completed and we received no substantial criticism. Therefore the patch has been approved and merged into the "HEAD" branch. The next release will pick it up.

     
  • Dave Blaschke

    Dave Blaschke - 2010-05-27
    • status: open-fixed --> pending-fixed
     
  • Dave Blaschke

    Dave Blaschke - 2010-06-15

    The patch was picked up by release 2.1.5 and will therefore be closed.

     
  • Dave Blaschke

    Dave Blaschke - 2010-06-15
    • status: pending-fixed --> closed-fixed
     
