Hi all,

As per Senaka's suggestion, I changed the code as follows and everything is
working fine now.


    public void close() throws NamingException {
        if (isSubTenant(getCurrentCarbonContextHolder().getTenantId()) &&
            !isBaseContextRequested()) {
            //throw new NamingException("Tenants cannot close the context.");
            CarbonUtils.checkSecurity();
        }

        Context ctx = this.getInitialContext();
        /* the below condition is there, because of a bug in Tomcat JNDI context close method,
         * see org.apache.naming.NamingContext#close() */
        if (!ctx.getClass().getName().equals("org.apache.naming.SelectorContext")) {
            ctx.close();
        }
    }

Can somebody please commit this change since I don't have commit rights..?
(patch file is attached with this).

On Wed, Dec 5, 2012 at 2:33 PM, Senaka Fernando <sen...@wso2.com> wrote:

> Hi all,
>
>         public void close() throws NamingException {
>             if (isSubTenant(getCurrentCarbonContextHolder().getTenantId()) &&
>                 !isBaseContextRequested()) {
>                 *throw new NamingException("Tenants cannot close the context.");*
>             }
>
>             Context ctx = this.getInitialContext();
>             /* the below condition is there, because of a bug in Tomcat JNDI context close method,
>              * see org.apache.naming.NamingContext#close() */
>             if (!ctx.getClass().getName().equals("org.apache.naming.SelectorContext")) {
>                 ctx.close();
>             }
>         }
>
> AFAIU, the line in bold is wrong. What we should disallow is tenant code
> closing this, but not our code running within a tenant scope closing this.
> We should add the security checks here in place of this exception.
>
> WDYT?
>
> Thanks,
> Senaka.
>
> On Wed, Dec 5, 2012 at 2:23 PM, Afkham Azeez <az...@wso2.com> wrote:
>
>> When it comes to external JMX calls, the JMXAuthenticator explicitly
>> checks that only super tenant admin users can make JMX calls. Is this
>> related?
>>
>> Azeez
>>
>>
>> On Wed, Dec 5, 2012 at 11:09 AM, Tharindu Mathew <thari...@wso2.com> wrote:
>>
>>> Anyone knows who owned this area? We basically want a tenant to be able
>>> to monitor a JMX enabled program, and Ishan is facing some blockers...
>>>
>>>
>>> On Wed, Dec 5, 2012 at 10:59 AM, Ishan Somasiri <ish...@wso2.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> As per the request of Senaka, I added
>>>>
>>>>     <UrlContext>
>>>>         <Scheme>rmi</Scheme>
>>>>     </UrlContext>
>>>>
>>>> to the following lines in carbon.xml and retried again (without any
>>>> source code modifications)
>>>>
>>>>     <AllTenants>
>>>>         <UrlContexts>
>>>>             <UrlContext>
>>>>                 <Scheme>java</Scheme>
>>>>             </UrlContext>
>>>>             <!-- <UrlContext>
>>>>                 <Scheme>foo</Scheme>
>>>>             </UrlContext> -->
>>>>         </UrlContexts>
>>>>     </AllTenants>
>>>>
>>>> But got the same exception.
>>>>
>>>>     Caused by: javax.naming.NamingException: Tenants cannot close the context.
>>>>         at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.close(CarbonContextDataHolder.java:1143)
>>>>         at javax.naming.InitialContext.close(InitialContext.java:531)
>>>>         at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1887)
>>>>         at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1856)
>>>>         at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:255)
>>>>         ... 73 more
>>>>
>>>> On Tue, Dec 4, 2012 at 8:55 PM, Ishan Somasiri <ish...@wso2.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I tried the fix that was suggested and now the following exception
>>>>> gets thrown.
>>>>>
>>>>>
>>>>>     java.io.IOException: Failed to retrieve RMIServer stub: javax.naming.NamingException: Tenants cannot close the context.
>>>>>         at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:338)
>>>>>         at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:248)
>>>>>         at org.wso2.carbon.bam.jmx.agent.JmxAgentWebInterface.getMBeans(JmxAgentWebInterface.java:253)
>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>         at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>     ..............................
>>>>>     ..............................
>>>>>     ..............................
>>>>>     ..............................
>>>>>     Caused by: javax.naming.NamingException: Tenants cannot close the context.
>>>>>         at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.close(CarbonContextDataHolder.java:1147)
>>>>>         at javax.naming.InitialContext.close(InitialContext.java:531)
>>>>>         at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1887)
>>>>>         at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1856)
>>>>>         at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:255)
>>>>>         ... 73 more
>>>>>
>>>>> On Mon, Dec 3, 2012 at 12:07 PM, Ishan Somasiri <ish...@wso2.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I logged in as a tenant to BAM and tried to access the MBeans list of
>>>>>> BAM using a deployed carbon component (More specifically, using the JMX
>>>>>> agent).
>>>>>>
>>>>>> But when the method
>>>>>> javax.management.remote.JMXConnectorFactory.connect() is called an
>>>>>> exception gets thrown.
>>>>>>
>>>>>>
>>>>>>     Caused by: java.lang.IllegalArgumentException: rmiURLContext: name is not an RMI URL: 1
>>>>>>         at com.sun.jndi.url.rmi.rmiURLContext.getRootURLContext(rmiURLContext.java:47)
>>>>>>         at com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:182)
>>>>>>         at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.getInitialContext(CarbonContextDataHolder.java:965)
>>>>>>         at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.lookup(CarbonContextDataHolder.java:1030)
>>>>>>         at javax.naming.InitialContext.lookup(InitialContext.java:392)
>>>>>>         at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1886)
>>>>>>         at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1856)
>>>>>>         at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:255)
>>>>>>         at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:248)
>>>>>>         at org.wso2.carbon.bam.jmx.agent.JmxAgentWebInterface.getMBeans(JmxAgentWebInterface.java:253)
>>>>>>         ... 71 more
>>>>>>
>>>>>> So I debugged the
>>>>>> org.wso2.carbon.context.internal.CarbonContextDataHolder.getInitialContext()
>>>>>> method. Whether the user is a tenant or the admin (this works fine for
>>>>>> admin), the parameter (*name*) passed to the *getInitialContext *method
>>>>>> is *rmi://localhost:9999/jmxrmi*.
>>>>>>
>>>>>> If the user is *admin*, base(initialContext) is returned because of
>>>>>> the following line segment.
>>>>>>
>>>>>>     if (!isSubTenant(tenantId)) {
>>>>>>         return base;
>>>>>>     }
>>>>>>
>>>>>> But if the user is a tenant, all the following if conditions become
>>>>>> false.
>>>>>>
>>>>>>     if (!isSubTenant(tenantId)) {
>>>>>>         return base;
>>>>>>     } else if (scheme != null) {
>>>>>>         if (allTenantUrlContextSchemes.contains(scheme)) {
>>>>>>             return base;
>>>>>>         } else if (superTenantOnlyUrlContextSchemes.contains(scheme)) {
>>>>>>             throw new SecurityException("Tenants are not allowed to use JNDI contexts " +
>>>>>>                                         "with scheme: " + scheme);
>>>>>>         }
>>>>>>     }
>>>>>>
>>>>>>
>>>>>> So the tenant ID is passed to the *base.lookup* method thus causing
>>>>>> the above exception.
>>>>>>
>>>>>>
>>>>>> Will it cause problems if I add the following line to the above code
>>>>>> so that *base *is returned if the scheme is rmi?
>>>>>>
>>>>>>     if (!isSubTenant(tenantId)) {
>>>>>>         return base;
>>>>>>     } else if (scheme != null) {
>>>>>>         if (allTenantUrlContextSchemes.contains(scheme)) {
>>>>>>             return base;
>>>>>>         } else if (superTenantOnlyUrlContextSchemes.contains(scheme)) {
>>>>>>             throw new SecurityException("Tenants are not allowed to use JNDI contexts " +
>>>>>>                                         "with scheme: " + scheme);
>>>>>>         } else if ("rmi".equalsIgnoreCase(scheme)) {  // proposed addition
>>>>>>             return base;
>>>>>>         }
>>>>>>     }
>>>>>>
>>>>>>
>>>>>>
>>>>>> Or is there any proper way to fix this...?
>>>>>> --
>>>>>> Thanks!
>>>>>> --
>>>>>> Ishan Thilina Somasiri
>>>>>> www.blog.ishans.info
>>> --
>>> Regards,
>>>
>>> Tharindu
>>>
>>> blog: http://mackiemathew.com/
>>> M: +94777759908
>>>
>>>
>>
>>
>> --
>> Afkham Azeez
>> Director of Architecture; WSO2, Inc.; http://wso2.com
>> Member; Apache Software Foundation; http://www.apache.org/
>> email: az...@wso2.com cell: +94 77 3320919
>> blog: http://blog.afkham.org
>> twitter: http://twitter.com/afkham_azeez
>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>
>> Lean . Enterprise . Middleware
>>
>>
>
>
> --
> Senaka Fernando
> Member - Integration Technologies Management Committee;
> Technical Lead; WSO2 Inc.; http://wso2.com
> Member; Apache Software Foundation; http://apache.org
>
> E-mail: senaka AT wso2.com
> P: +1 408 754 7388; ext: 51736; M: +94 77 322 1818
> Linked-In: http://linkedin.com/in/senakafernando
>
> Lean . Enterprise . Middleware
>
>


-- 
Thanks!
--
Ishan Thilina Somasiri
www.blog.ishans.info

Attachment: TenantSecCheck.patch
Description: Binary data

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
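
The distinction drawn in the thread above, between tenant-deployed code and platform code that merely runs in a tenant scope, shown with the standard java.security API. This is an added example, not code from this thread or from WSO2 Carbon, and the thread does not show what CarbonUtils.checkSecurity() does internally. The permission name, the SUPER_TENANT_ID value and the simulated call stacks are assumptions, and it needs a JDK that still implements the Security Manager API (JDK 23 or earlier).

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;

public class CloseGuardDemo {
    static final int SUPER_TENANT_ID = -1; // constructed value for this example
    static final Permission CLOSE_CONTEXT =
            new RuntimePermission("demo.closeJndiContext"); // hypothetical permission name

    // Identity-based guard: looks only at the tenant bound to the thread,
    // so trusted platform code working on a tenant's behalf is rejected too.
    static boolean tenantIdGuardAllows(int tenantId) {
        return tenantId == SUPER_TENANT_ID;
    }

    // Code-based guard: every protection domain on the (simulated) call
    // stack must hold the permission, whatever tenant the thread serves.
    static boolean permissionGuardAllows(ProtectionDomain... callStack) {
        try {
            new AccessControlContext(callStack).checkPermission(CLOSE_CONTEXT);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    // Builds a domain with static permissions: everything, or nothing.
    static ProtectionDomain domain(boolean trusted) {
        Permissions granted = new Permissions();
        if (trusted) {
            granted.add(new AllPermission());
        }
        return new ProtectionDomain(null, granted);
    }

    public static void main(String[] args) {
        ProtectionDomain platform = domain(true);    // stands in for trusted platform/JDK code
        ProtectionDomain tenantCode = domain(false); // stands in for code deployed by a tenant
        int tenantId = 1;                            // sample sub-tenant id

        System.out.println("tenant-id guard, any caller:     " + tenantIdGuardAllows(tenantId));
        System.out.println("permission guard, platform only: " + permissionGuardAllows(platform));
        System.out.println("permission guard, tenant code:   " + permissionGuardAllows(tenantCode));
        System.out.println("permission guard, mixed stack:   " + permissionGuardAllows(platform, tenantCode));
    }
}
```

Only the platform-only stack passes the permission guard, because a restricted domain anywhere on the stack denies the call; the tenant-id guard rejects every caller in a sub-tenant scope, which is the failure the stack traces in the thread show.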
