Please follow the format of creating a patch and assigning to a related person. Also, it will help if you bug them to commit it ;)
On Thu, Dec 6, 2012 at 12:07 PM, Ishan Somasiri <ish...@wso2.com> wrote:
> Hi all,
>
> As per Senaka's suggestion, I changed the code as follows and everything is
> working fine now.
>
>
> public void close() throws NamingException {
>>     if (isSubTenant(getCurrentCarbonContextHolder().getTenantId()) &&
>>             !isBaseContextRequested()) {
>>         *//throw new NamingException("Tenants cannot close the context.");
>>         CarbonUtils.checkSecurity();*
>>
>>     }
>>
>>     Context ctx = this.getInitialContext();
>>     /* the below condition is there, because of a bug in Tomcat JNDI context close method,
>>      * see org.apache.naming.NamingContext#close() */
>>     if (!ctx.getClass().getName().equals("org.apache.naming.SelectorContext")) {
>>         ctx.close();
>>     }
>> }
>>
>
> Can somebody please commit this change since I don't have commit rights..?
> (patch file is attached with this).
>
> On Wed, Dec 5, 2012 at 2:33 PM, Senaka Fernando <sen...@wso2.com> wrote:
>
>> Hi all,
>>
>> public void close() throws NamingException {
>>     if (isSubTenant(getCurrentCarbonContextHolder().getTenantId()) &&
>>             !isBaseContextRequested()) {
>>         *throw new NamingException("Tenants cannot close the context.");*
>>     }
>>
>>     Context ctx = this.getInitialContext();
>>     /* the below condition is there, because of a bug in Tomcat JNDI context close method,
>>      * see org.apache.naming.NamingContext#close() */
>>     if (!ctx.getClass().getName().equals("org.apache.naming.SelectorContext")) {
>>         ctx.close();
>>     }
>> }
>>
>> AFAIU, the line in bold is wrong. What we should disallow is tenant code
>> closing this, but not our code running within a tenant scope closing this.
>> We should add the security checks here in place of this exception.
>>
>> WDYT?
>>
>> Thanks,
>> Senaka.
>>
>> On Wed, Dec 5, 2012 at 2:23 PM, Afkham Azeez <az...@wso2.com> wrote:
>>
>>> When it comes to external JMX calls, the JMXAuthenticator explicitly
>>> checks that only super tenant admin users can make JMX calls. Is this
>>> related?
>>>
>>> Azeez
>>>
>>> On Wed, Dec 5, 2012 at 11:09 AM, Tharindu Mathew <thari...@wso2.com> wrote:
>>>
>>>> Anyone knows who owned this area? We basically want a tenant to be able
>>>> to monitor a JMX enabled program, and Ishan is facing some blockers...
>>>>
>>>> On Wed, Dec 5, 2012 at 10:59 AM, Ishan Somasiri <ish...@wso2.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> As per the request of Senaka, I added
>>>>>
>>>>> <UrlContext>
>>>>>>     <Scheme>rmi</Scheme>
>>>>>> </UrlContext>
>>>>>
>>>>> to the following lines in carbon.xml and retried again (without any
>>>>> source code modifications)
>>>>>
>>>>> <AllTenants>
>>>>>>     <UrlContexts>
>>>>>>         <UrlContext>
>>>>>>             <Scheme>java</Scheme>
>>>>>>         </UrlContext>
>>>>>>         <!-- <UrlContext>
>>>>>>             <Scheme>foo</Scheme>
>>>>>>         </UrlContext> -->
>>>>>>     </UrlContexts>
>>>>>> </AllTenants>
>>>>>>
>>>>>
>>>>> But got the same exception.
>>>>>
>>>>> Caused by: javax.naming.NamingException: Tenants cannot close the context.
>>>>>>     at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.close(CarbonContextDataHolder.java:1143)
>>>>>>     at javax.naming.InitialContext.close(InitialContext.java:531)
>>>>>>     at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1887)
>>>>>>     at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1856)
>>>>>>     at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:255)
>>>>>>     ... 73 more
>>>>>>
>>>>>
>>>>> On Tue, Dec 4, 2012 at 8:55 PM, Ishan Somasiri <ish...@wso2.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I tried the fix that was suggested and now the following exception
>>>>>> gets thrown.
>>>>>>
>>>>>> java.io.IOException: Failed to retrieve RMIServer stub: javax.naming.NamingException: Tenants cannot close the context.
>>>>>>>     at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:338)
>>>>>>>     at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:248)
>>>>>>>     at org.wso2.carbon.bam.jmx.agent.JmxAgentWebInterface.getMBeans(JmxAgentWebInterface.java:253)
>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>>>     at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>>>     ..............................
>>>>>>>     ..............................
>>>>>>>     ..............................
>>>>>>>     ..............................
>>>>>>> Caused by: javax.naming.NamingException: Tenants cannot close the context.
>>>>>>>     at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.close(CarbonContextDataHolder.java:1147)
>>>>>>>     at javax.naming.InitialContext.close(InitialContext.java:531)
>>>>>>>     at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1887)
>>>>>>>     at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1856)
>>>>>>>     at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:255)
>>>>>>>     ... 73 more
>>>>>>>
>>>>>>
>>>>>> On Mon, Dec 3, 2012 at 12:07 PM, Ishan Somasiri <ish...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I logged in as a tenant to BAM and tried to access the MBeans list
>>>>>>> of BAM using a deployed carbon component (More specifically, using the
>>>>>>> JMX agent).
>>>>>>>
>>>>>>> But when the method
>>>>>>> javax.management.remote.JMXConnectorFactory.connect() is called an
>>>>>>> exception gets thrown.
>>>>>>>
>>>>>>> Caused by: java.lang.IllegalArgumentException: rmiURLContext: name is not an RMI URL: 1
>>>>>>>>     at com.sun.jndi.url.rmi.rmiURLContext.getRootURLContext(rmiURLContext.java:47)
>>>>>>>>     at com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:182)
>>>>>>>>     at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.getInitialContext(CarbonContextDataHolder.java:965)
>>>>>>>>     at org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.lookup(CarbonContextDataHolder.java:1030)
>>>>>>>>     at javax.naming.InitialContext.lookup(InitialContext.java:392)
>>>>>>>>     at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1886)
>>>>>>>>     at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1856)
>>>>>>>>     at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:255)
>>>>>>>>     at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:248)
>>>>>>>>     at org.wso2.carbon.bam.jmx.agent.JmxAgentWebInterface.getMBeans(JmxAgentWebInterface.java:253)
>>>>>>>>     ... 71 more
>>>>>>>>
>>>>>>> So I debugged the
>>>>>>> org.wso2.carbon.context.internal.CarbonContextDataHolder.getInitialContext()
>>>>>>> method. Whether the user is a tenant or the admin (this works fine for
>>>>>>> admin), the parameter (*name*) passed to the *getInitialContext* method
>>>>>>> is *rmi://localhost:9999/jmxrmi*.
>>>>>>>
>>>>>>> If the user is *admin*, base(initialContext) is returned because of
>>>>>>> the following line segment.
>>>>>>>
>>>>>>> if (!isSubTenant(tenantId)) {
>>>>>>>>     return base;
>>>>>>>> }
>>>>>>>>
>>>>>>>
>>>>>>> But if the user is a tenant, all the following if conditions become
>>>>>>> false.
>>>>>>>
>>>>>>> if (!isSubTenant(tenantId)) {
>>>>>>>>     return base;
>>>>>>>> } else if (scheme != null) {
>>>>>>>>     if (allTenantUrlContextSchemes.contains(scheme)) {
>>>>>>>>         return base;
>>>>>>>>     } else if (superTenantOnlyUrlContextSchemes.contains(scheme)) {
>>>>>>>>         throw new SecurityException("Tenants are not allowed to use JNDI contexts " +
>>>>>>>>                 "with scheme: " +
>>>>>>>>                 scheme);
>>>>>>>>     }
>>>>>>>> }
>>>>>>>
>>>>>>> So the tenant ID is passed to the *base.lookup* method thus causing
>>>>>>> the above exception.
>>>>>>>
>>>>>>> Will it cause problems if I add the following line to the above code
>>>>>>> so that *base* is returned if the scheme is rmi?
>>>>>>>
>>>>>>> if (!isSubTenant(tenantId)) {
>>>>>>>>     return base;
>>>>>>>> } else if (scheme != null) {
>>>>>>>>     if (allTenantUrlContextSchemes.contains(scheme)) {
>>>>>>>>         return base;
>>>>>>>>     } else if (superTenantOnlyUrlContextSchemes.contains(scheme)) {
>>>>>>>>         throw new SecurityException("Tenants are not allowed to use JNDI contexts " +
>>>>>>>>                 "with scheme: " +
>>>>>>>>                 scheme);
>>>>>>>>     }
>>>>>>>>
>>>>>>> *} else if ("rmi".equalsIgnoreCase(scheme)) {*
>>>>>>> *    return base;
>>>>>>>> }*
>>>>>>> }
>>>>>>>
>>>>>>> Or is there any proper way to fix this...?
>>>>>>> --
>>>>>>> Thanks!
>>>>>>> --
>>>>>>> Ishan Thilina Somasiri
>>>>>>> www.blog.ishans.info
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thanks!
>>>>>> --
>>>>>> Ishan Thilina Somasiri
>>>>>> www.blog.ishans.info
>>>>>>
>>>>>
>>>>> --
>>>>> Thanks!
>>>>> --
>>>>> Ishan Thilina Somasiri
>>>>> www.blog.ishans.info
>>>>>
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> Tharindu
>>>>
>>>> blog: http://mackiemathew.com/
>>>> M: +94777759908
>>>>
>>>
>>> --
>>> Afkham Azeez
>>> Director of Architecture; WSO2, Inc.; http://wso2.com
>>> Member; Apache Software Foundation; http://www.apache.org/
>>> email: az...@wso2.com cell: +94 77 3320919
>>> blog: http://blog.afkham.org
>>> twitter: http://twitter.com/afkham_azeez
>>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>>
>>> Lean . Enterprise . Middleware
>>>
>>
>> --
>> <http://wso2con.com/>
>>
>> Senaka Fernando
>> Member - Integration Technologies Management Committee;
>> Technical Lead; WSO2 Inc.; http://wso2.com
>> Member; Apache Software Foundation; http://apache.org
>>
>> E-mail: senaka AT wso2.com
>> P: +1 408 754 7388; ext: 51736; M: +94 77 322 1818
>> Linked-In: http://linkedin.com/in/senakafernando
>>
>> Lean . Enterprise . Middleware
>>
>
> --
> Thanks!
> --
> Ishan Thilina Somasiri
> www.blog.ishans.info
>

--
Regards,
Tharindu
blog: http://mackiemathew.com/
M: +94777759908
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
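
The scheme routing walked through in the first message of the thread, as an added example that is not part of the thread or of WSO2 Carbon's source: it runs the quoted if-chain over the thread's JMX name under three scheme configurations, to show where an unlisted scheme ends up. Route, schemeOf, the isSubTenant rule (tenant id > 0), the SUPER_TENANT_ID value and the lower-casing of the scheme are assumptions of this sketch.

```java
import java.util.Locale;
import java.util.Set;
// Added sketch, not WSO2 Carbon code. The two set names follow the snippet quoted in the
// thread; Route, schemeOf, isSubTenant and SUPER_TENANT_ID are assumptions for illustration.
public class TenantJndiSchemeGate {
    enum Route { BASE_CONTEXT, DENIED, TENANT_SCOPED_LOOKUP }
    static final int SUPER_TENANT_ID = -1234; // assumed placeholder for the admin's tenant
    final Set<String> allTenantUrlContextSchemes;
    final Set<String> superTenantOnlyUrlContextSchemes;

    TenantJndiSchemeGate(Set<String> allTenants, Set<String> superTenantOnly) {
        this.allTenantUrlContextSchemes = allTenants;
        this.superTenantOnlyUrlContextSchemes = superTenantOnly;
    }
    static boolean isSubTenant(int tenantId) { return tenantId > 0; } // assumed rule

    // Scheme of a JNDI URL name, lower-cased, or null when the name is not a URL.
    static String schemeOf(String name) {
        int colon = name.indexOf(':');
        int slash = name.indexOf('/');
        if (colon <= 0 || (slash >= 0 && slash < colon)) return null;
        return name.substring(0, colon).toLowerCase(Locale.ROOT);
    }

    // Same branch order as the quoted if-chain, with the fall-through made explicit.
    Route route(int tenantId, String name) {
        if (!isSubTenant(tenantId)) return Route.BASE_CONTEXT;
        String scheme = schemeOf(name);
        if (scheme != null) {
            if (allTenantUrlContextSchemes.contains(scheme)) return Route.BASE_CONTEXT;
            if (superTenantOnlyUrlContextSchemes.contains(scheme)) return Route.DENIED;
        }
        // Listed nowhere: neither allowed nor rejected, so the name takes the tenant-scoped
        // path, which is where the first exception in the thread was reported.
        return Route.TENANT_SCOPED_LOOKUP;
    }

    public static void main(String[] args) {
        String jmxName = "rmi://localhost:9999/jmxrmi"; // name reported in the thread
        TenantJndiSchemeGate[] configs = {
            new TenantJndiSchemeGate(Set.of("java"), Set.of()),        // rmi unlisted
            new TenantJndiSchemeGate(Set.of("java", "rmi"), Set.of()), // rmi for all tenants
            new TenantJndiSchemeGate(Set.of("java"), Set.of("rmi")),   // rmi super tenant only
        };
        for (TenantJndiSchemeGate g : configs)
            System.out.printf("all=%s superOnly=%s -> admin=%s, tenant 1=%s%n",
                g.allTenantUrlContextSchemes, g.superTenantOnlyUrlContextSchemes,
                g.route(SUPER_TENANT_ID, jmxName), g.route(1, jmxName));
    }
}
```

Listing rmi for all tenants routes every tenant's rmi:// name to the base context, so which schemes go in that list is itself an access-control decision.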