Access is forbidden. Sorry

RalfBarkow · January 7, 2020, 11:10am

Would like somebody to have a look at the config.properties file here. I am not able to get the latest DMX Debian package to work on my FreedomBox. (Raspbian GNU/Linux behind a FRITZ!Box, ports 8080, 8081, 8443 are passed through, firewall on FreedomBox deactivated during tests)

With the configuration mentioned above, I get 403 Forbidden errors for favicon.ico and /systems.dmx.webclient/

The 403 (Forbidden) status code indicates that the server understood
the request but refuses to authorize it.
(https://tools.ietf.org/html/rfc7231#section-6.5.3)

I could not enter the initial admin password (felix/jetty), because no login dialog appears.

BTW: I know that I have to specify the domain or IP address of the server, e.g. ws://www.myserver.com:8081, but also in this case I get the 403 error messages.

jri · January 7, 2020, 1:01pm

I guess your requests are rejected by the DMX request filter, in particular the subnet filter.

In a server scenario – that is when the DMX server and the browser run on different machines – you have to configure dmx.security.subnet_filter.

By default DMX allows requests only from localhost.

From DMX config.properties:

# Requests are allowed from this subnet only.
# An address range denoted by network number and netmask.
# To allow local access only set "127.0.0.1/32". This is the default.
# To allow global access set "0.0.0.0/0".
dmx.security.subnet_filter = 127.0.0.1/32

jri · January 7, 2020, 1:10pm

For further diagnosis you could activate DMX access control fine logging. Add this line to DMX logging.properties (resp. uncomment it) and restart the DMX server:

systems.dmx.accesscontrol.AccessControlPlugin.level=FINE

For every request extensive diagnosis messages appear in the server log then.

In your case look in particular for messages related to dmx.security.subnet_filter. (In case your problem is IPv6 related you’ll recognize it then.)

Once diagnosis is done you should comment that line again and restart the DMX server another time.

RalfBarkow · January 7, 2020, 6:52pm

@jri Thanks Jörg, config.properties: Allow global access . This did the trick.

Now the login dialog appears and afterwards I can use the DMX webclient. Very good. Only when I click “logout” the system behaves strange. Instead of logging me out, the login dialog appears. I have to reload the page and then I can login again.

jri · January 12, 2020, 5:50pm

Oh, possibly you’ve detected a problem which we had already solved in DM4, but now it seems to be back in DMX.

It happens only when you set dmx.security.anonymous_read_allowed to NONE. In this case the browser’s own login dialog is utilized, not DMX’s one.

See:
https://trac.deepamehta.de/ticket/423
https://trac.deepamehta.de/ticket/471

I need to do further investigation on this.

Thank you for reporting!

jri · January 22, 2020, 2:31pm

I’ve filed an issue now: