AccessException Access Denied HTML does not properly do the authentication in 61

Hi,

We having this access denied weird error. The access denied error was generated by the initial request for logon prompt. Since the request was sent to the IS server without logon info it throws an error into the error log. It doesn’t matter which services I invoke it the invocation do not have authentication information it will generate this error in the error log. Do anyone aware or experience this problem? If it has been resolved could you let me know how to resolve it?

Thanks,

Hi Keith Leung,
I am not sure, if I got your problem description right.

The way I understood is that you get this Access Denied error in the error.log each time you access any service with incorrect or incomplete authentication. So, I think, IS is behaving the way it should. But, you dont want that irritating error to occur (and possibly generate an email) in error.log. Correct?

I think, one way to approach will be to reduce the logging level and see if it helps.

Another way will be to remove the 0012 (Authentication) Facility from logging.

I wont say these are recommended to do in any webM env, but you be the judge for that (based on your needs).

  • Saurabh.

The access denied error occur whenever there is an invoke of a service before the prompt of the logon information were presented not when incorrect or incomplete authentication. I have even test this in a new 6.1 install, I do not get this error, except in our production server. Looks like there is some configuration that is causing it.

Hi Keith,

Have you configured the port at which connection made to invoke service? If it is deny by default, you have to add the services that you want to be accessed.

Say, if you are accessing through http, port 80 should have been configured with services that are allowed to be accessed through this port. Else you may get Access Denied.

Krishnan

Hi Keith,
Let me make another attempt at understanding your problem.

A Svc Invoke is made
-> AccessDenied error occurs
Logon Prompt
-> correct user/passwd entered
Svc Invoke is completed successfully.

Is above sequence of events correct?

Also, please let us know these too.
Do you have v6.1 in PROD?
What is the ACL on the Svc being invoked? (please give all ACL info for the Svc you are having problem with)

And Lastly, how are you invoking the Svc? through a browser or developer?

  • Saurabh.

Yes the sequence is correct. When I type in the invoke url at my browser it will prompt me for userid/password. This right away generate an error into the error log as access denied. Before I have a chance to type in the userid/password. If invoke through the developer is ok because I need to logon 1st. This is happening to the services in wmPublic with default ACL and also to services that we develop.

I tried it in my test fres install (W2k server) I have no issue. In prod we have the problem which is running on AIX.

Hi Keith,
I guess there may not be access rights for webMethods files in the OS. In Win2k, by default Everyone has access to all files. I do not know about AIX.

I guess this because, Developer can access, which is possible as the client system and server have been mapped with some user id which has access rights to files.

But when you access from browser, the server will use the default user configured at OS level to connect to webMethods server. Hence, you are thrown Access denied to even get the login prompt.

HTH.

I have attempt to simulate this on my W2k machine by only giving rights to a particular user for the whole wM dir(and all the subdir). Even administrator cannot view anything below the wM dir. I do not get any access denied in the error log, when I attempt to invoke the services. So it looks like it is not due to files/dir permission issues. Could it be some settings in wM?

Keith Leung,
were you able to resolve this yet? or do you still need help on this one.

  • Saurabh.

Hi Keith,

We had exactly that problem with our webMethods v6.1 environment. webMethods have advised me that the problem has been fixed in “webMethods Integration Server 6.1 Fix 35”. We are yet to apply this service pack, although expect to do so over the next couple of weeks. Please also note that this service pack requires you to install Fix 7, Fix 9 and Fix 15 for IS6-1.

For reference, I have pasted a blurb out of the Fix35 ReadMe that describes the problem. I believe this is the one you have described:

"1-RS2JB, 1-RRZV0
IS issues HTTP 401 errors and triggers notifications when IS
does not receive authorization infomation in the http header.

This fix ensures that HTTP 401 Access Denied conditions in
response to an ordinary HTTP challenge-response will no longer
be logged as an error condition and trigger notification
by default, unless the server.cnf property
watt.server.strictAccessExceptionLogging is set to true."

Regards,

Peter

Interesting… Thanks Peter for the update.

Keith,
Please apply the fixes mentioned and let us know if this resolves your issue.

Rgds,
Saurabh.

Thanks I will test it out.

hmmmmm…

We just applied the patches to our test environment, and are still getting the exception. I have just notified webMethods. Will advise the results.

Regards,

Peter

It turned out that one of the jar files (the Fix35 one) supplied by webMethods had an error in it. webMethods gave us another version of the jar file, and the exception is now fixed.

Regards,

Peter