Hi all,

As per Senaka's suggestion, I changed the code as follows and everything is working fine now.
    public void close() throws NamingException {
        if (isSubTenant(getCurrentCarbonContextHolder().getTenantId())
                && !isBaseContextRequested()) {
            //throw new NamingException("Tenants cannot close the context.");
            CarbonUtils.checkSecurity();
        }

        Context ctx = this.getInitialContext();
        /* the below condition is there, because of a bug in Tomcat JNDI context close method,
         * see org.apache.naming.NamingContext#close() */
        if (!ctx.getClass().getName().equals("org.apache.naming.SelectorContext")) {
            ctx.close();
        }
    }

Can somebody please commit this change since I don't have commit rights..? (The patch file is attached.)

On Wed, Dec 5, 2012 at 2:33 PM, Senaka Fernando <sen...@wso2.com> wrote:
> Hi all,
>
>     public void close() throws NamingException {
>         if (isSubTenant(getCurrentCarbonContextHolder().getTenantId())
>                 && !isBaseContextRequested()) {
>             throw new NamingException("Tenants cannot close the context.");   // <- the line referred to below
>         }
>
>         Context ctx = this.getInitialContext();
>         /* the below condition is there, because of a bug in Tomcat JNDI context close method,
>          * see org.apache.naming.NamingContext#close() */
>         if (!ctx.getClass().getName().equals("org.apache.naming.SelectorContext")) {
>             ctx.close();
>         }
>     }
>
> AFAIU, the marked line is wrong. What we should disallow is tenant code closing this, but not our code running within a tenant scope closing this. We should add the security checks here in place of this exception.
>
> WDYT?
>
> Thanks,
> Senaka.
>
> On Wed, Dec 5, 2012 at 2:23 PM, Afkham Azeez <az...@wso2.com> wrote:
>> When it comes to external JMX calls, the JMXAuthenticator explicitly checks that only super tenant admin users can make JMX calls. Is this related?
>>
>> Azeez
>>
>> On Wed, Dec 5, 2012 at 11:09 AM, Tharindu Mathew <thari...@wso2.com> wrote:
>>> Anyone know who owns this area? We basically want a tenant to be able to monitor a JMX enabled program, and Ishan is facing some blockers...
>>>
>>> On Wed, Dec 5, 2012 at 10:59 AM, Ishan Somasiri <ish...@wso2.com> wrote:
>>>> Hi all,
>>>>
>>>> As per the request of Senaka, I added
>>>>
>>>>     <UrlContext>
>>>>         <Scheme>rmi</Scheme>
>>>>     </UrlContext>
>>>>
>>>> to the following lines in carbon.xml and retried again (without any source code modifications):
>>>>
>>>>     <AllTenants>
>>>>         <UrlContexts>
>>>>             <UrlContext>
>>>>                 <Scheme>java</Scheme>
>>>>             </UrlContext>
>>>>             <!-- <UrlContext>
>>>>                 <Scheme>foo</Scheme>
>>>>             </UrlContext> -->
>>>>         </UrlContexts>
>>>>     </AllTenants>
>>>>
>>>> But got the same exception.
>>>>
>>>>     Caused by: javax.naming.NamingException: Tenants cannot close the context.
>>>>         at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.close(CarbonContextDataHolder.java:1143)
>>>>         at javax.naming.InitialContext.close(InitialContext.java:531)
>>>>         at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1887)
>>>>         at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1856)
>>>>         at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:255)
>>>>         ... 73 more
>>>>
>>>> On Tue, Dec 4, 2012 at 8:55 PM, Ishan Somasiri <ish...@wso2.com> wrote:
>>>>> Hi all,
>>>>>
>>>>> I tried the fix that was suggested and now the following exception gets thrown.
>>>>>
>>>>>     java.io.IOException: Failed to retrieve RMIServer stub: javax.naming.NamingException: Tenants cannot close the context.
>>>>>         at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:338)
>>>>>         at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:248)
>>>>>         at org.wso2.carbon.bam.jmx.agent.JmxAgentWebInterface.getMBeans(JmxAgentWebInterface.java:253)
>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>         at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>         ..............................
>>>>>     Caused by: javax.naming.NamingException: Tenants cannot close the context.
>>>>>         at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.close(CarbonContextDataHolder.java:1147)
>>>>>         at javax.naming.InitialContext.close(InitialContext.java:531)
>>>>>         at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1887)
>>>>>         at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1856)
>>>>>         at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:255)
>>>>>         ... 73 more
>>>>>
>>>>> On Mon, Dec 3, 2012 at 12:07 PM, Ishan Somasiri <ish...@wso2.com> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I logged in as a tenant to BAM and tried to access the MBeans list of BAM using a deployed carbon component (more specifically, using the JMX agent).
>>>>>>
>>>>>> But when the method javax.management.remote.JMXConnectorFactory.connect() is called an exception gets thrown.
>>>>>>
>>>>>>     Caused by: java.lang.IllegalArgumentException: rmiURLContext: name is not an RMI URL: 1
>>>>>>         at com.sun.jndi.url.rmi.rmiURLContext.getRootURLContext(rmiURLContext.java:47)
>>>>>>         at com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:182)
>>>>>>         at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.getInitialContext(CarbonContextDataHolder.java:965)
>>>>>>         at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.lookup(CarbonContextDataHolder.java:1030)
>>>>>>         at javax.naming.InitialContext.lookup(InitialContext.java:392)
>>>>>>         at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1886)
>>>>>>         at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1856)
>>>>>>         at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:255)
>>>>>>         at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:248)
>>>>>>         at org.wso2.carbon.bam.jmx.agent.JmxAgentWebInterface.getMBeans(JmxAgentWebInterface.java:253)
>>>>>>         ... 71 more
>>>>>>
>>>>>> So I debugged the org.wso2.carbon.context.internal.CarbonContextDataHolder.getInitialContext() method. Whether the user is a tenant or the admin (this works fine for admin), the parameter (name) passed to the getInitialContext method is rmi://localhost:9999/jmxrmi.
>>>>>>
>>>>>> If the user is admin, base (initialContext) is returned because of the following line segment.
>>>>>>
>>>>>>     if (!isSubTenant(tenantId)) {
>>>>>>         return base;
>>>>>>     }
>>>>>>
>>>>>> But if the user is a tenant, all the following if conditions become false.
>>>>>>
>>>>>>     if (!isSubTenant(tenantId)) {
>>>>>>         return base;
>>>>>>     } else if (scheme != null) {
>>>>>>         if (allTenantUrlContextSchemes.contains(scheme)) {
>>>>>>             return base;
>>>>>>         } else if (superTenantOnlyUrlContextSchemes.contains(scheme)) {
>>>>>>             throw new SecurityException("Tenants are not allowed to use JNDI contexts " +
>>>>>>                     "with scheme: " + scheme);
>>>>>>         }
>>>>>>     }
>>>>>>
>>>>>> So the tenant ID is passed to the base.lookup method, thus causing the above exception.
>>>>>>
>>>>>> Will it cause problems if I add the following lines to the above code so that base is returned if the scheme is rmi?
>>>>>>
>>>>>>     if (!isSubTenant(tenantId)) {
>>>>>>         return base;
>>>>>>     } else if (scheme != null) {
>>>>>>         if (allTenantUrlContextSchemes.contains(scheme)) {
>>>>>>             return base;
>>>>>>         } else if (superTenantOnlyUrlContextSchemes.contains(scheme)) {
>>>>>>             throw new SecurityException("Tenants are not allowed to use JNDI contexts " +
>>>>>>                     "with scheme: " + scheme);
>>>>>>         } else if ("rmi".equalsIgnoreCase(scheme)) {   // <- added
>>>>>>             return base;                                 // <- added
>>>>>>         }
>>>>>>     }
>>>>>>
>>>>>> Or is there any proper way to fix this...?
>>>>>> --
>>>>>> Thanks!
>>>>>> --
>>>>>> Ishan Thilina Somasiri
>>>>>> www.blog.ishans.info
>>>>>
>>>>> --
>>>>> Thanks!
>>>>> --
>>>>> Ishan Thilina Somasiri
>>>>> www.blog.ishans.info
>>>>
>>>> --
>>>> Thanks!
>>>> --
>>>> Ishan Thilina Somasiri
>>>> www.blog.ishans.info
>>>
>>> --
>>> Regards,
>>>
>>> Tharindu
>>>
>>> blog: http://mackiemathew.com/
>>> M: +94777759908
>>
>> --
>> Afkham Azeez
>> Director of Architecture; WSO2, Inc.; http://wso2.com
>> Member; Apache Software Foundation; http://www.apache.org/
>> email: az...@wso2.com  cell: +94 77 3320919
>> blog: http://blog.afkham.org
>> twitter: http://twitter.com/afkham_azeez
>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>
>> Lean . Enterprise . Middleware
>
> --
> Senaka Fernando
> Member - Integration Technologies Management Committee;
> Technical Lead; WSO2 Inc.; http://wso2.com
> Member; Apache Software Foundation; http://apache.org
>
> E-mail: senaka AT wso2.com
> P: +1 408 754 7388; ext: 51736; M: +94 77 322 1818
> Linked-In: http://linkedin.com/in/senakafernando
>
> Lean . Enterprise . Middleware

--
Thanks!
--
Ishan Thilina Somasiri
www.blog.ishans.info
[Attachment: TenantSecCheck.patch]
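As an added illustration of the two points in the thread, the scheme checks Ishan quoted from getInitialContext() and the distinction Senaka draws between tenant code and platform code running in a tenant scope, here is a standalone Java model. It is not WSO2 Carbon code: the super-tenant id, the scheme parser, the sample scheme sets and the stack-walking stand-in for CarbonUtils.checkSecurity() are all assumptions made for the example.

```java
import java.util.Set;

/** Assumed stand-in for Carbon's JNDI scheme policy and close() guard (not WSO2 code). */
public final class TenantJndiPolicy {
    // Constructed sample: the <AllTenants><UrlContexts> schemes from carbon.xml, with rmi added as in the thread.
    static final Set<String> ALL_TENANT_SCHEMES = Set.of("java", "rmi");
    static final Set<String> SUPER_TENANT_ONLY_SCHEMES = Set.of("foo");   // constructed example entry
    static final int SUPER_TENANT_ID = -1234;                              // assumed super-tenant id

    static boolean isSubTenant(int tenantId) { return tenantId != SUPER_TENANT_ID; }

    /** Mirrors getInitialContext(): "base" = shared context used as-is, "scoped:<id>" = name falls through to the tenant-id subcontext. */
    static String resolveContext(int tenantId, String name) {
        if (!isSubTenant(tenantId)) return "base";
        String scheme = schemeOf(name);
        if (scheme != null) {
            if (ALL_TENANT_SCHEMES.contains(scheme)) return "base";
            if (SUPER_TENANT_ONLY_SCHEMES.contains(scheme)) {
                throw new SecurityException("Tenants are not allowed to use JNDI contexts with scheme: " + scheme);
            }
        }
        // Fallthrough: the lookup is routed via the tenant id, which rmiURLContext rejects ("not an RMI URL: 1").
        return "scoped:" + tenantId;
    }

    // Assumed, simplified URL-scheme parser (Carbon's own parsing is not reproduced here).
    static String schemeOf(String name) {
        int i = name.indexOf(':');
        return i > 0 && name.substring(0, i).matches("[A-Za-z][A-Za-z0-9+.-]*") ? name.substring(0, i) : null;
    }

    /** Assumed model of CarbonUtils.checkSecurity(): reject if tenant-deployed code is anywhere on the call stack;
     *  a class whose name ends in "$TenantCode" stands in for a class loaded from a tenant's artifacts. */
    static void checkSecurity() {
        for (StackTraceElement f : Thread.currentThread().getStackTrace()) {
            if (f.getClassName().endsWith("$TenantCode")) {
                throw new SecurityException("Tenant code is not allowed to close the shared context");
            }
        }
    }

    /** The guard from the thread's close(): only sub-tenant scope without the base context triggers the check. */
    static boolean closeAllowed(int tenantId, boolean baseContextRequested) {
        if (isSubTenant(tenantId) && !baseContextRequested) checkSecurity();
        return true;   // platform code running in a tenant scope gets here; tenant code does not
    }

    static final class TenantCode { static boolean tryClose() { return closeAllowed(1, false); } }

    public static void main(String[] args) {
        System.out.println(resolveContext(1, "rmi://localhost:9999/jmxrmi"));   // base: rmi is allowed to all tenants
        System.out.println(resolveContext(1, "ldap://localhost/cn=x"));          // scoped:1: would fail as in the thread
        System.out.println(closeAllowed(1, false));                              // true: platform code in tenant scope
        try { TenantCode.tryClose(); } catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```

The last call shows the behaviour Senaka asked for: the same close() path is refused when a tenant-deployed class is on the stack but permitted for platform code that merely runs within a tenant's scope.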
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev