Hi Jacques, thanks for working on this. However, I think that there is a simpler/better way to disable the component by default, by using the following patch:
Index: framework/start/src/org/ofbiz/base/start/start.properties =================================================================== --- framework/start/src/org/ofbiz/base/start/start.properties (revision 1735404) +++ framework/start/src/org/ofbiz/base/start/start.properties (working copy) 
@@ -40,7 +40,7 @@ # --- StartupLoader implementations to load (in order) ofbiz.start.loader1=org.ofbiz.base.container.ContainerLoader -ofbiz.start.loader1.loaders=main,rmi +ofbiz.start.loader1.loaders=main # -- Enable the shutdown hook #ofbiz.enable.hook=true I didn't test it but it should work! Jacopo On Fri, Mar 18, 2016 at 11:38 AM, <jler...@apache.org> wrote: > Author: jleroux > Date: Fri Mar 18 10:38:04 2016 > New Revision: 1735569 > > URL: http://svn.apache.org/viewvc?rev=1735569&view=rev > Log: > Fixes "Comment out RMI related code because of the Java deserialization > issue" - https://issues.apache.org/jira/browse/OFBIZ-6942 > > I decided to comment out as little as possible because once the RMI loaders, > the RMI dispatcher and the related test services are off there is no RMI > related danger left (test services are not a danger but would fail during > tests run). It's then easier for users who need RMI in their projects to > have only to uncomment those and not dig everywhere. Because the naming > (JNDI) server relies on the rmi loader it will also be commented out. > > Modified: > ofbiz/trunk/framework/base/config/ofbiz-containers.xml > ofbiz/trunk/framework/base/ofbiz-component.xml > ofbiz/trunk/framework/common/servicedef/services_test.xml > ofbiz/trunk/framework/service/ofbiz-component.xml > ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties > > Modified: ofbiz/trunk/framework/base/config/ofbiz-containers.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/ofbiz-containers.xml?rev=1735569&r1=1735568&r2=1735569&view=diff > > ============================================================================== > --- ofbiz/trunk/framework/base/config/ofbiz-containers.xml (original) > +++ ofbiz/trunk/framework/base/config/ofbiz-containers.xml Fri Mar 18 > 10:38:04 2016 
> @@ -21,8 +21,11 @@ under the License. > <ofbiz-containers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:noNamespaceSchemaLocation=" > http://ofbiz.apache.org/dtds/ofbiz-containers.xsd"> > > + <!-- Because of the danger of Java deserialization when using RMI, we > (PMC) have decided to comment out main RMI related code entries. > + If you need RMI you just need to uncomment those places - See > OFBIZ-6942 for details --> > <!-- load the ofbiz component container (always first) --> > - <container name="component-container" > loaders="main,rmi,pos,load-data" > class="org.ofbiz.base.container.ComponentContainer"/> > + <!-- <container name="component-container" > loaders="main,rmi,pos,load-data" > class="org.ofbiz.base.container.ComponentContainer"/> --> > + <container name="component-container" loaders="main,pos,load-data" > class="org.ofbiz.base.container.ComponentContainer"/> > > <container name="component-container-test" loaders="test" > class="org.ofbiz.base.container.ComponentContainer"> > <property name="ofbiz.instrumenterClassName" > value="org.ofbiz.base.config.CoberturaInstrumenter"/> > > Modified: ofbiz/trunk/framework/base/ofbiz-component.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff > > ============================================================================== > --- ofbiz/trunk/framework/base/ofbiz-component.xml (original) > +++ ofbiz/trunk/framework/base/ofbiz-component.xml Fri Mar 18 10:38:04 2016 
> @@ -33,11 +33,13 @@ under the License. > > <test-suite loader="main" location="testdef/basetests.xml"/> > > + <!-- Because of the danger of Java deserialization when using RMI, we > (PMC) have decided to comment out main RMI related code entries. > + If you need RMI you just need to uncomment those places - See > OFBIZ-6942 for details --> > <!-- load the naming (JNDI) server --> > - <container name="naming-container" loaders="rmi" > class="org.ofbiz.base.container.NamingServiceContainer"> > + <!-- <container name="naming-container" loaders="rmi" > class="org.ofbiz.base.container.NamingServiceContainer"> > <property name="host" value="0.0.0.0"/> > <property name="port" value="1099"/> > - </container> > + </container> --> > > <!-- load BeanShell remote telnet server --> > <!-- Commented out by default for security reasons --> > > Modified: ofbiz/trunk/framework/common/servicedef/services_test.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services_test.xml?rev=1735569&r1=1735568&r2=1735569&view=diff > > ============================================================================== > --- ofbiz/trunk/framework/common/servicedef/services_test.xml (original) > +++ ofbiz/trunk/framework/common/servicedef/services_test.xml Fri Mar 18 > 10:38:04 2016 
> @@ -47,15 +47,17 @@ under the License. > <service name="testError" engine="java" export="true" > validate="false" require-new-transaction="true" max-retry="1" > location="org.ofbiz.common.CommonServices" > invoke="returnErrorService"> > </service> > + <!-- Because of the danger of Java deserialization when using RMI, we > (PMC) have decided to comment out main RMI related code entries. > + If you need RMI you just need to uncomment those places - See > OFBIZ-6942 for details --> > <!-- see serviceengine.xml to configure the rmi location alias --> > - <service name="testRmi" engine="rmi" validate="false" > + <!-- <service name="testRmi" engine="rmi" validate="false" > location="main-rmi" invoke="testScv"> > <implements service="testScv"/> > </service> > <service name="testRmiFail" engine="rmi" validate="false" > location="main-rmi" invoke="testBsh"> > <implements service="testScv"/> > - </service> > + </service> --> > > <service name="testRollback" engine="java" export="true" > validate="false" > location="org.ofbiz.common.CommonServices" > invoke="testRollbackListener"> > > Modified: ofbiz/trunk/framework/service/ofbiz-component.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff > > ============================================================================== > --- ofbiz/trunk/framework/service/ofbiz-component.xml (original) > +++ ofbiz/trunk/framework/service/ofbiz-component.xml Fri Mar 18 10:38:04 > 2016 
> @@ -44,12 +44,17 @@ under the License. > <keystore name="rmitrust" type="jks" password="changeit" > is-truststore="true" > is-certstore="false" loader="main" > location="config/rmitrust.jks"/> > > - <container name="service-container" > loaders="main,rmi,pos,load-data,test" > class="org.ofbiz.service.ServiceContainer"> > + <!-- Because of the danger of Java deserialization when using RMI, we > (PMC) have decided to comment out main RMI related code entries. > + If you need RMI you just need to uncomment those places - See > OFBIZ-6942 for details --> > + <!-- <container name="service-container" > loaders="main,rmi,pos,load-data,test" > class="org.ofbiz.service.ServiceContainer"> --> > + <container name="service-container" loaders="main,pos,load-data,test" > class="org.ofbiz.service.ServiceContainer"> > <property name="dispatcher-factory" > value="org.ofbiz.service.GenericDispatcherFactory"/> > </container> > > + <!-- Because of the danger of Java deserialization when using RMI, we > (PMC) have decided to comment out main RMI related code entries. > + If you need RMI you just need to uncomment those places - See > OFBIZ-6942 for details --> > <!-- RMI Service Dispatcher --> > - <container name="rmi-dispatcher" loaders="rmi" > class="org.ofbiz.service.rmi.RmiServiceContainer"> > + <!-- <container name="rmi-dispatcher" loaders="rmi" > class="org.ofbiz.service.rmi.RmiServiceContainer"> > <property name="bound-name" value="RMIDispatcher"/> > <property name="bound-host" value="127.0.0.1"/> > <property name="bound-port" value="1099"/> 
> @@ -61,7 +66,7 @@ under the License. > <property name="ssl-keystore-pass" value="changeit"/> > <property name="ssl-keystore-alias" value="rmissl"/> > <property name="ssl-client-auth" value="false"/> > - </container> > + </container> --> > > <!-- JavaMail Listener Container - Triggers MCA Rules --> > <!-- if delete-mail is set to true, will delete messages after > fetching them. otherwise, will try to mark them as seen > > Modified: > ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties?rev=1735569&r1=1735568&r2=1735569&view=diff > > ============================================================================== > --- ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties > (original) > +++ ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties > Fri Mar 18 10:38:04 2016 > @@ -35,7 +35,10 @@ ofbiz.start.loader1=org.ofbiz.base.splas > > # --- StartupLoader implementations to load (in order) > ofbiz.start.loader2=org.ofbiz.base.container.ContainerLoader > -ofbiz.start.loader2.loaders=main,pos,rmi > +# Because of the danger of Java deserialization when using RMI, we (PMC) > have decided to comment out main RMI related code entries. > +# If you need RMI you just need to uncomment those places - See > OFBIZ-6942 for details --> > +#ofbiz.start.loader2.loaders=main,pos,rmi > +ofbiz.start.loader2.loaders=main,pos > > # -- Splash Logo > ofbiz.start.splash.logo=framework/images/webapp/images/ofbiz_logo.gif > > >
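Review bot: In the start.properties hunk from the reply, `rmi` is dropped from `ofbiz.start.loader1.loaders` with no comment saying why or how to restore it. A one-line comment above the property pointing to OFBIZ-6942 would cover that. The quoted commit shows both.properties carrying the same kind of list (`ofbiz.start.loader2.loaders=main,pos,rmi`), so the same edit is needed there for the two start configurations to agree. Since the message says the patch was not tested, a startup check that nothing is listening on port 1099 (the port in the quoted naming-container and rmi-dispatcher blocks) would confirm it does what is intended.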
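Review bot: In the ofbiz-containers.xml hunk (@@ -21,8 +21,11 @@), the old `component-container` line is kept as a comment directly above its replacement, and the two differ only by `rmi` in the `loaders` attribute. Keeping both invites them to drift apart on later edits. Suggest dropping the commented duplicate and having the new comment say that `rmi` has to be added back to `loaders` to re-enable it.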
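Review bot: In the base/ofbiz-component.xml hunk (@@ -33,11 +33,13 @@), the commented-out `naming-container` still carries `<property name="host" value="0.0.0.0"/>`, so a user who follows the new comment and simply uncomments the block gets the naming server on the wildcard address at port 1099. Suggest changing the commented default to 127.0.0.1, which is what `bound-host` already uses for the rmi-dispatcher in service/ofbiz-component.xml, or stating in the comment that the host must be restricted before re-enabling.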
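Review bot: In the service/ofbiz-component.xml hunks (@@ -44,12 +44,17 @@ and @@ -61,7 +66,7 @@), the same warning comment is inserted twice a few lines apart, above `service-container` and again above `rmi-dispatcher`; one copy above the dispatcher is enough. The block users are told to uncomment keeps `ssl-keystore-pass` at `changeit` and `ssl-client-auth` at `false`, so the comment should say these need to be reviewed before RMI is turned back on rather than "you just need to uncomment". The `rmitrust` keystore line in the leading context is still loaded under `loader="main"`; if nothing other than the dispatcher uses it, it could be commented out together with the dispatcher.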
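Review bot: In the both.properties hunk (@@ -35,7 +35,10 @@), the second added comment line ends with `-->`, an XML comment terminator carried over from the XML files; in a properties file it is stray text and should be removed. The retained `#ofbiz.start.loader2.loaders=main,pos,rmi` line duplicates the active one except for `rmi`, so a short note on adding `rmi` back would do the same job. Also, start.properties is not in the Modified list, while the reply's patch shows it with `ofbiz.start.loader1.loaders=main,rmi`, so it looks like it needs the same change.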