Cams Administrator's Guide

Troubleshooting Cams FAQ

This section answers common questions about access control configuration errors, debugging techniques, and related topics.

  1. How can I find out if a security domain's access control service is loading, initializing, starting, and stopping correctly?
  2. How can I tell if a security domain's access control policy is correctly loading and initializing?
  3. How can I tell if a security domain is handling a specific access control request?
  4. How can I see the contents of an access control request when it is being evaluated by an access control policy?
  5. How can I see which permission and access control rule are protecting a resource?
  6. How can I tell if a security domain is delegating an access control request?
  7. How can I see the contents of an access control response?
  8. How can I see how an access control rule evaluates an access control request?

How can I find out if a security domain's access control service is loading, initializing, starting, and stopping correctly?

As a security domain's access control service is being loaded, initialized, started, and stopped, various DEBUG, INFO, WARNING, ERROR, and/or FATAL messages may be written to the security domain-specific trace log.

If the security domain's access control service is correctly loaded, you will see the following two (not necessarily consecutive) messages in that security domain's trace log file:

INFO - Loading AccessControlService
INFO - Loaded AccessControlService

If the security domain's access control service is correctly initialized, you will see the following two (not necessarily consecutive) messages in that security domain's trace log file:

INFO - Initializing AccessControlService
INFO - Initialized AccessControlService

If the security domain's access control service is correctly started, you will see the following two messages in that security domain's trace log file:

INFO - Starting AccessControlService
INFO - Started AccessControlService 

If the security domain's access control service is correctly stopped, you will see the following two messages in that security domain's trace log file:

INFO - Stopping AccessControlService
INFO - Stopped AccessControlService 

If any of these message pairs has an intervening "ERROR" or "FATAL" message, then the load, initialization, start, or stop process failed and the message should give sufficient context to start debugging the configuration problem.

How can I tell if a Cams security domain's access control policy is correctly initializing and loading?

As a security domain's access control policy is being initialized and loaded, various DEBUG, INFO, WARNING, ERROR, and/or FATAL messages may be written to the security domain-specific trace log.

If the security domain's access control policy is correctly loaded, you will see the following two (not necessarily consecutive) messages in that security domain's trace log file:

INFO - Initializing AccessControlService
INFO - Initialized AccessControlService

If the security domain's access control service is correctly initialized, you will see the following two (not necessarily consecutive) messages in that security domain's trace log file:

INFO - Loading AccessControlService
INFO - Loaded AccessControlService

If any of these message pairs has an intervening "ERROR" or "FATAL" message, then the load, initialization, start, or stop process failed and the message should give sufficient context to start debugging the configuration problem.
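The message-pair check described in the two answers above can be automated. The following is an added example, not part of the Cams guide or product: it assumes each trace log line contains "LEVEL - message" as shown on this page, and the INCOMPLETE and UNMATCHED statuses are this example's own labels. Across restarts, the last occurrence of each phase wins.

```python
import re

# Start/completion words for each lifecycle phase, as printed in the trace log.
PHASES = {"Loading": "Loaded", "Initializing": "Initialized",
          "Starting": "Started", "Stopping": "Stopped"}
LINE = re.compile(r"\b(DEBUG|INFO|WARNING|ERROR|FATAL) - (.*)$")

def check_lifecycle(lines, component="AccessControlService"):
    """Map each phase seen in the log to (status, ERROR/FATAL lines inside the pair)."""
    opens = {f"{start} {component}": start for start in PHASES}
    closes = {f"{done} {component}": start for start, done in PHASES.items()}
    pending, result = {}, {}
    for raw in lines:
        m = LINE.search(raw.rstrip())
        if not m:
            continue
        level, msg = m.group(1), m.group(2).strip()
        if level == "INFO" and msg in opens:
            pending[opens[msg]] = []                      # phase opened
        elif level == "INFO" and msg in closes:
            errors = pending.pop(closes[msg], None)
            if errors is None:
                result[closes[msg]] = ("UNMATCHED", [])   # completion without a start
            else:
                result[closes[msg]] = ("FAILED" if errors else "OK", errors)
        elif level in ("ERROR", "FATAL"):
            for errors in pending.values():               # blame every phase still open
                errors.append(f"{level} - {msg}")
    for phase, errors in pending.items():                 # never reached its completion line
        result[phase] = ("INCOMPLETE", errors)
    return result

# Constructed sample trace log; only the INFO lines follow the wording on this page.
SAMPLE = """\
INFO - Loading AccessControlService
DEBUG - constructed detail line
INFO - Loaded AccessControlService
INFO - Initializing AccessControlService
ERROR - constructed failure message
INFO - Initialized AccessControlService
INFO - Starting AccessControlService
FATAL - constructed failure message
""".splitlines()
```
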

How can I tell if a security domain is handling a specific access control request?

The easiest way to tell if a security domain is handling an access control request for a particular resource is to look in the access control transaction log for that security domain. For example, suppose a security domain is supposed to protect an "http" resource corresponding to the following resource request:

Actions=GET,
Resource Id=http://localhost:8080/examples/index.jsp

If you attempt to access the resource via a web browser and the security domain access control transaction logging is enabled, you should see a new record resembling the following line appear at the bottom of the transaction log file:

[10/Jul/2002:09:23:59 -0700] 127.0.0.1 - - http http://localhost:8080/examples/index.jsp "GET" 2 10

If the record does not appear, then the security domain is either not receiving the request or an error is occurring during the access control check. Check the security domain's trace log for an ERROR or FATAL message related to the access control request. If none is present, check the general cams-server.log and the system security domain's trace log.

Another possible cause of the problem could be that the system (or some other) security domain is not properly delegating the access control request. Check the system security domain's access control transaction log to make sure it is receiving the initial access control request. If it is, you may need to enable DEBUG-level messages for the system security domain's access control policy. Those DEBUG messages will tell you whether the access control check is being handled by the system security domain or if it is being delegated to another security domain. If delegated, you will need to check each intermediate security domain's access control policy to ensure that delegation rules are set up properly.

How can I see the contents of an access control request when it is being evaluated by an access control policy?

To see the contents of an access control request as received by a security domain's access control policy, you'll need to:

  • Enable DEBUG-level messages for the security domain's trace logger
  • Enable DEBUG-level messages for the security domain's access control policy component

Example 1 shows what you'll see for each access control request in the trace log once debugging is enabled:

DEBUG - ------------------ Start Access Control Check -------------------------
DEBUG - AccessRequest
DEBUG - {
DEBUG - Security Domain=examples
DEBUG - Session Id=6578616d706c6573-31303236353136323034363934-6775657374-\ 4d2f4338a97cdaead51f2ccb35e94b2e8dcdce66
DEBUG - Remote Addr=127.0.0.1
DEBUG - Remote Host=localhost
DEBUG - Confidential=false
DEBUG - App Name=xml
DEBUG -
DEBUG - ResourceRequest
DEBUG - {
DEBUG - Id=http://localhost:8080/examples/index.jsp
DEBUG - Type=http
DEBUG - Actions=GET
DEBUG - Actions Mask=1 (dec) , 1 (bin)
DEBUG - }
DEBUG -
DEBUG - Session
DEBUG - {
DEBUG - Id=6578616d706c6573-31303236353136323034363934-6775657374-\ 4d2f4338a97cdaead51f2ccb35e94b2e8dcdce66
DEBUG - Creation Time=Fri Jul 12 16:23:24 PDT 2002
DEBUG - Last Touched Time=Fri Jul 12 16:23:25 PDT 2002
DEBUG - Status=ACTIVE
DEBUG - Subject
DEBUG - {
DEBUG - username=guest
DEBUG - principal: name=everyone, class=com.cafesoft.cams.auth.CSRolePrincipal
DEBUG - principal: name=guest, class=com.cafesoft.cams.auth.CSUserPrincipal
DEBUG - }
DEBUG - Attributes
DEBUG - {
DEBUG - default:namespace
DEBUG - {
DEBUG - }
DEBUG - }
DEBUG - }
DEBUG -
DEBUG - RequestDispatchStack
DEBUG - {
DEBUG - [1]=examples
DEBUG - [0]=system
DEBUG - }
DEBUG - }
DEBUG -
...
DEBUG - ------------------ End Access Control Check -------------------------
Example 1 - Sample access control request DEBUG-level messages

More information is provided on how to interpret these messages in Troubleshooting Cams Access Control.

How can I see which permission and access control rule are protecting a resource?

To see which permission and access control rule are protecting a resource:

  • Enable DEBUG-level messages for the security domain's trace logger
  • Enable DEBUG-level messages for the security domain's access control policy component

The security domain's trace log will contain DEBUG messages like those in Example 2.

DEBUG - ------------------ Start Access Control Check -------------------------
DEBUG - AccessRequest
DEBUG - {
...
DEBUG - }
DEBUG -
DEBUG - Permission
DEBUG - {
DEBUG - Description: Examples Content
DEBUG - ResourcePattern
DEBUG - {
DEBUG - Pattern=http://localhost:8080/examples/
DEBUG - Owner=NONE
DEBUG - }
DEBUG - Type=http
DEBUG - Actions=GET,POST
DEBUG - Actions Mask=3 (dec), 11 (bin)
DEBUG - ACR=allow role everyone
DEBUG - }

DEBUG -
DEBUG - ACR evaluated to "true": ACCESS GRANTED ...
DEBUG - AccessResponse
DEBUG - {
...
DEBUG - }
DEBUG - ------------------ End Access Control Check -------------------------
Example 2 - Sample access control policy permission DEBUG-level messages

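The permission and access control rule information for the request are in the Permission block of Example 2 (highlighted in red in the original guide); the rule itself is on the ACR line.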

How can I tell if a security domain is delegating an access control request?

To see if a security domain is delegating an access control request:

  • Enable DEBUG-level messages for the security domain's trace logger
  • Enable DEBUG-level messages for the security domain's access control policy component

The security domain's trace log will contain DEBUG messages like those shown in Example 3.

DEBUG - ------------------ Start Access Control Check -------------------------
DEBUG - AccessRequest
DEBUG - {
...
DEBUG - }
DEBUG -
DEBUG - Permission
DEBUG - {
DEBUG - Description: Examples Content
DEBUG - ResourcePattern
DEBUG - {
DEBUG - Pattern=http://localhost:8080/examples/
DEBUG - Owner=examples
DEBUG - }
DEBUG - Type=http
DEBUG - Actions=GET,POST
DEBUG - Actions Mask=3 (dec), 11 (bin)
DEBUG - ACR=NONE
DEBUG - }
DEBUG -
DEBUG - ... Forwarding access control check to security domain: 'examples'
DEBUG - AccessResponse
DEBUG - {
...
DEBUG - }
DEBUG - ------------------ End Access Control Check -------------------------
Example 3 - Sample access control policy DEBUG messages showing forwarding of an access control request

In the example, the "Owner" security domain is declared to be "examples" (which means that these DEBUG messages are from another security domain's trace log). The "... Forwarding ..." message will indicate the security domain to which the access control check is being delegated.

How can I see the contents of an access control response?

To see the contents of an access control response as returned by a security domain's access control policy, you'll need to:

  • Enable DEBUG-level messages for the security domain's trace logger
  • Enable DEBUG-level messages for the security domain's access control policy component

Example 4 shows part of what you'll see for each access control response in the trace log once debugging is enabled:

DEBUG - ------------------ Start Access Control Check -------------------------
DEBUG - AccessRequest
DEBUG - {
...
DEBUG - }
DEBUG -
DEBUG - Permission
...
DEBUG - }
DEBUG -
DEBUG - ACR evaluated to "true": ACCESS GRANTED
DEBUG - AccessResponse
DEBUG - {
DEBUG - status=GRANTED
DEBUG - reason=0
DEBUG - message=null
DEBUG - LoginParameters
DEBUG - {
DEBUG - }
DEBUG - }

DEBUG - ------------------ End Access Control Check -------------------------
Example 4 - access control response DEBUG-level messages

A sample access control response is the AccessResponse block in Example 4 (highlighted in red in the original guide).

How can I see how an access control rule evaluates an access control request?

To see how the access control rule referenced by a security domain's permission is evaluated by an access control policy:

  • Enable DEBUG-level messages for the security domain's trace logger
  • Enable DEBUG-level messages for the security domain's access control policy component

Example 5 shows part of what you'll see for each access control response in the trace log once debugging is enabled:

DEBUG - ------------------ Start Access Control Check -------------------------
DEBUG - AccessRequest
DEBUG - {
...
DEBUG - }
DEBUG -
DEBUG - Permission
...
DEBUG - }
DEBUG -
DEBUG - ACR evaluated to "true": ACCESS GRANTED
DEBUG - AccessResponse
DEBUG - {
DEBUG - status=GRANTED
DEBUG - reason=0
DEBUG - message=null
DEBUG - LoginParameters
DEBUG - {
DEBUG - }
DEBUG - }
DEBUG - ------------------ End Access Control Check -------------------------
Example 5 - Sample DEBUG-level message showing the result of evaluating an access control rule

The access control rule evaluation result is the "ACR evaluated to ..." line in Example 5 (highlighted in red in the original guide). If the invoked access control rule is a compound rule such as an access control rule expression (XML "acr" tag), you may enable DEBUG-level messages for each nested access control rule to see more details on how each ACR evaluates the access control request.
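The DEBUG blocks in Examples 1 through 5 can be reduced to one record per access control check, showing the requested resource, the protecting permission and ACR, whether the check was forwarded, and the response status. This is an added example, not code from the Cams guide or product: the function names and the "Block.key" naming of fields are this example's own, and the sample trace is constructed in the layout shown on this page.

```python
import re

FORWARD = re.compile(r"Forwarding access control check to security domain: '([^']+)'")
EVAL = re.compile(r'ACR evaluated to "(\w+)": ACCESS (\w+)')

def parse_checks(lines):
    """Return one dict per Start/End Access Control Check block in a trace log."""
    checks, cur, stack, prev = [], None, [], ""
    for raw in lines:
        text = raw.partition("DEBUG -")[2].strip()   # "" for non-DEBUG lines
        if "Start Access Control Check" in text:
            cur, stack = {}, []
        elif cur is None:
            continue                                 # output outside any check
        elif "End Access Control Check" in text:
            checks.append(cur)
            cur = None
        elif text == "{":
            stack.append(prev)                       # block is named by the line before "{"
        elif text == "}":
            del stack[-1:]                           # tolerant of unbalanced braces
        elif m := FORWARD.search(text):
            cur["forwarded_to"] = m.group(1)
        elif m := EVAL.search(text):
            cur["acr_result"], cur["decision"] = m.groups()
        elif "=" in text and stack:
            key, value = text.split("=", 1)
            cur[f"{stack[-1]}.{key.strip()}"] = value.strip()
        prev = text or prev
    return checks

def describe(check):
    rid = check.get("ResourceRequest.Id", "?")
    if "forwarded_to" in check:                      # Example 3: Owner set, ACR=NONE
        return f"{rid}: delegated to '{check['forwarded_to']}'"
    return (f"{rid}: decided locally by ACR '{check.get('Permission.ACR', '?')}', "
            f"status={check.get('AccessResponse.status', '?')}")

def _sample(owner, acr, tail):  # constructed excerpt in the layout of Examples 1-4
    body = ["--- Start Access Control Check ---", "AccessRequest", "{", "ResourceRequest",
            "{", "Id=http://localhost:8080/examples/index.jsp", "}", "}", "Permission", "{",
            "ResourcePattern", "{", f"Owner={owner}", "}", f"ACR={acr}", "}", *tail,
            "--- End Access Control Check ---"]
    return [f"DEBUG - {t}" for t in body]

FWD = "... Forwarding access control check to security domain: 'examples'"
GRANT = ['ACR evaluated to "true": ACCESS GRANTED', "AccessResponse", "{", "status=GRANTED", "}"]
SAMPLE = _sample("examples", "NONE", [FWD]) + _sample("NONE", "allow role everyone", GRANT)
```

As Example 1 shows, these DEBUG traces include session Ids and principal names, so handle the parsed records with the same care as the trace log itself.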
