HTTP 403 from RQM REST query when not initially logged into RQM
Hi,
This issue was initially found trying to open the QM schema from RPE Launcher, which fails with "form authentication error connection to https://myserver:9443/qm/service/com.ibm.rqm.integration.serviceIIntegrationService/schema/qm.xsd response code: 403 response message: forbidden".

Accessing that URL from a browser when not already logged into RQM fails with "HTTP Status 403 - access to the requested resource has been denied". The same is true for any REST query, e.g. the RQM project alias feed. If the user first logs into RQM, e.g. qm/web, the same REST queries succeed.

This occurs in RQM 6.0 iFix005 with Tomcat, the JTS and RQM on the same Tomcat server; it occurs in all browsers for all users. There does not appear to be any corresponding error in the qm.log or jts.log.

Has anyone seen this? Any suggestions?

Thanks,
Brett
2 answers
Brett, two things to consider:
1. The user credentials are incorrect or the user does not have sufficient permissions.
2. The HTTP client is not handling basic/form authentication with RQM.
I would suggest #2 is the cause. As such, open a PMR against the RPE team.
The browser/REST client behaviour is expected.
Comments Hi Paul,
Hi,
I finally was able to fix this. The 403 was actually thrown for any user trying to access /qm/admin unless they were already logged into RQM. It was not specific to REST URLs either.

The problem was missing role mapping in QM's web.xml (e.g. in C:\JazzServers\CLM60_LDAP\server\tomcat\webapps\qm\WEB-INF). Below is a diff of QM's web.xml with JTS' web.xml. They should be identical. The highlighted section is missing from QM's web.xml.

Shutting down Tomcat, moving a copy of the JTS's web.xml to QM at \server\tomcat\webapps\qm\WEB-IN (moving out the existing, incorrect web.xml first) and restarting Tomcat resolved the 403 condition accessing qm/admin, etc.

Thanks,
Brett
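One way to check for the web.xml drift described in this answer, as an added example (not code from the original post or from IBM): it compares the top-level security sections of a reference web.xml against a candidate and reports what the candidate lacks. The XML samples and the role name ExampleAdmins are constructed for illustration; the actual missing section from the poster's diff is not shown on this page.

```python
import xml.etree.ElementTree as ET

# Top-level deployment-descriptor elements that drive container authentication/authorization.
SECURITY_TAGS = ("security-constraint", "security-role", "login-config")

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix, if any

def _canon(elem):
    """Whitespace- and order-insensitive form of a subtree (attributes ignored)."""
    name = _local(elem.tag)
    text = (elem.text or "").strip()
    children = "".join(sorted(_canon(c) for c in elem))
    return f"<{name}>{text}{children}</{name}>"

def security_sections(web_xml_text):
    """Set of canonicalized security sections found directly under <web-app>."""
    root = ET.fromstring(web_xml_text)
    return {_canon(e) for e in root if _local(e.tag) in SECURITY_TAGS}

def missing_sections(reference_xml, candidate_xml):
    """Security sections present in the reference but absent from the candidate."""
    return sorted(security_sections(reference_xml) - security_sections(candidate_xml))

# Constructed sample: a reference descriptor with a constraint and its role declaration.
ROLE_DECL = "<security-role><role-name>ExampleAdmins</role-name></security-role>"
REFERENCE = f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>ExampleAdmins</role-name></auth-constraint>
  </security-constraint>
  {ROLE_DECL}
</web-app>"""
# Constructed sample: the same descriptor with the role declaration dropped.
CANDIDATE = REFERENCE.replace(ROLE_DECL, "")

if __name__ == "__main__":
    for section in missing_sections(REFERENCE, CANDIDATE):
        print("missing from candidate:", section)
```

To use it on a real deployment, read the two web.xml files into strings and pass the known-good one as the reference.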
Comments
It doesn't sound right, at least that's not what I observed. With CLM 5.0.2 on Tomcat, I would get an HTTP 302 (redirecting to the login page) when I tried to access the said URL. With jazz.net (CLM 6.0.2) I got HTTP 401 and it would prompt for a BASIC login - jazz.net is configured that way.
HTTP 403 seems to imply some kind of authentication has already been attempted, but the resulting session does not have permission, as the said URI is a protected resource.
Does this only happen to a particular server? I feel that it's a configuration/environment issue.