Please follow the format of creating a patch and assigning to a related
person. Also, it will help if you bug them to commit it ;)
On Thu, Dec 6, 2012 at 12:07 PM, Ishan Somasiri <ish...@wso2.com> wrote:
> Hi all,
>
> As per Senakas suggestion, I changed the code as follows and everything is
> working fine now.
>
>
> public void close() throws NamingException {
>> if
>> (isSubTenant(getCurrentCarbonContextHolder().getTenantId()) &&
>> !isBaseContextRequested()) {
>> * //throw new NamingException("Tenants cannot close the
>> context.");
>> CarbonUtils.checkSecurity();*
>>
>> }
>>
>> Context ctx = this.getInitialContext();
>> /* the below condition is there, because of a bug in Tomcat
>> JNDI context close method,
>> * see org.apache.naming.NamingContext#close() */
>> if
>> (!ctx.getClass().getName().equals("org.apache.naming.SelectorContext")) {
>> ctx.close();
>> }
>> }
>>
>
> Can somebody please commit this change since I don't have commit rights..?
> (patch file is attached with this).
>
> On Wed, Dec 5, 2012 at 2:33 PM, Senaka Fernando <sen...@wso2.com> wrote:
>
>> Hi all,
>>
>> public void close() throws NamingException {
>> if
>> (isSubTenant(getCurrentCarbonContextHolder().getTenantId()) &&
>> !isBaseContextRequested()) {
>> *throw new NamingException("Tenants cannot close the
>> context.");*
>> }
>>
>> Context ctx = this.getInitialContext();
>> /* the below condition is there, because of a bug in Tomcat
>> JNDI context close method,
>> * see org.apache.naming.NamingContext#close() */
>> if
>> (!ctx.getClass().getName().equals("org.apache.naming.SelectorContext")) {
>> ctx.close();
>> }
>> }
>>
>> AFAIU, the line in bold is wrong. What we should disallow is tenant code
>> closing this, but not our code running within a tenant scope closing this.
>> We should add the security checks here in place of this exception.
>>
>> WDYT?
>>
>> Thanks,
>> Senaka.
>>
>> On Wed, Dec 5, 2012 at 2:23 PM, Afkham Azeez <az...@wso2.com> wrote:
>>
>>> When it comes to external JMX calls, the JMXAuthenticator explicitly
>>> checks that only super tenant admin users can make JMX calls. Is this
>>> related?
>>>
>>> Azeez
>>>
>>>
>>> On Wed, Dec 5, 2012 at 11:09 AM, Tharindu Mathew <thari...@wso2.com>wrote:
>>>
>>>> Anyone knows who owned this area? We basically want a tenant to be able
>>>> to monitor a JMX enabled program, and Ishan is facing some blockers...
>>>>
>>>>
>>>> On Wed, Dec 5, 2012 at 10:59 AM, Ishan Somasiri <ish...@wso2.com>wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> As per the request of Senaka, I added
>>>>>
>>>>>
>>>>> <UrlContext>
>>>>>> <Scheme>rmi</Scheme>
>>>>>> </UrlContext>
>>>>>
>>>>>
>>>>> to the following lines in carbon.xml and retired again (without any
>>>>> source code modifications)
>>>>>
>>>>>
>>>>> <AllTenants>
>>>>>> <UrlContexts>
>>>>>> <UrlContext>
>>>>>> <Scheme>java</Scheme>
>>>>>> </UrlContext>
>>>>>> <!-- <UrlContext>
>>>>>> <Scheme>foo</Scheme>
>>>>>> </UrlContext> -->
>>>>>> </UrlContexts>
>>>>>> </AllTenants>
>>>>>>
>>>>>
>>>>> But got the same exception.
>>>>>
>>>>> Caused by: javax.naming.NamingException: Tenants cannot close the
>>>>>> context.
>>>>>> at
>>>>>> org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.close(CarbonContextDataHolder.java:1143)
>>>>>>
>>>>>> at javax.naming.InitialContext.close(InitialContext.java:531)
>>>>>> at
>>>>>> javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1887)
>>>>>> at
>>>>>> javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1856)
>>>>>> at
>>>>>> javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:255)
>>>>>> ... 73 more
>>>>>>
>>>>>>
>>>>>
>>>>> On Tue, Dec 4, 2012 at 8:55 PM, Ishan Somasiri <ish...@wso2.com>wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I tried the fix that was suggested and now the following exception
>>>>>> gets thrown.
>>>>>>
>>>>>>
>>>>>> java.io.IOException: Failed to retrieve RMIServer stub:
>>>>>>> javax.naming.NamingException: Tenants cannot close the context.
>>>>>>> at
>>>>>>> javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:338)
>>>>>>>
>>>>>>> at
>>>>>>> javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:248)
>>>>>>> at
>>>>>>> org.wso2.carbon.bam.jmx.agent.JmxAgentWebInterface.getMBeans(JmxAgentWebInterface.java:253)
>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>> at
>>>>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>>>> at
>>>>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>>> at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>>> ..............................
>>>>>>>
>>>>>> ..............................
>>>>>>>
>>>>>> ..............................
>>>>>>
>>>>>> ..............................
>>>>>>>
>>>>>> Caused by: javax.naming.NamingException: Tenants cannot close the
>>>>>>> context.
>>>>>>> at
>>>>>>> org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.close(CarbonContextDataHolder.java:1147)
>>>>>>> at javax.naming.InitialContext.close(InitialContext.java:531)
>>>>>>> at
>>>>>>> javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1887)
>>>>>>>
>>>>>>> at
>>>>>>> javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1856)
>>>>>>> at
>>>>>>> javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:255)
>>>>>>> ... 73 more
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Dec 3, 2012 at 12:07 PM, Ishan Somasiri <ish...@wso2.com>wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I logged in as a tenant to BAM and tried to access the MBeans list
>>>>>>> of BAM using a deployed carbon component (More specifically, using the
>>>>>>> JMX
>>>>>>> agent).
>>>>>>>
>>>>>>> But when the method
>>>>>>> javax.management.remote.JMXConnectorFactory.connect() is called an
>>>>>>> exception gets thrown.
>>>>>>>
>>>>>>>
>>>>>>> Caused by: java.lang.IllegalArgumentException: rmiURLContext: name
>>>>>>>> is not an RMI URL: 1
>>>>>>>> at
>>>>>>>> com.sun.jndi.url.rmi.rmiURLContext.getRootURLContext(rmiURLContext.java:47)
>>>>>>>> at
>>>>>>>> com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:182)
>>>>>>>> at
>>>>>>>> org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.getInitialContext(CarbonContextDataHolder.java:965)
>>>>>>>> at
>>>>>>>> org.wso2.carbon.context.internal.CarbonContextDataHolder$CarbonInitialJNDIContext.lookup(CarbonContextDataHolder.java:1030)
>>>>>>>> at javax.naming.InitialContext.lookup(InitialContext.java:392)
>>>>>>>> at
>>>>>>>> javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1886)
>>>>>>>> at
>>>>>>>> javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1856)
>>>>>>>> at
>>>>>>>> javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:255)
>>>>>>>> at
>>>>>>>> javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:248)
>>>>>>>> at
>>>>>>>> org.wso2.carbon.bam.jmx.agent.JmxAgentWebInterface.getMBeans(JmxAgentWebInterface.java:253)
>>>>>>>> ... 71 more
>>>>>>>>
>>>>>>>>
>>>>>>> So I debugged the
>>>>>>> org.wso2.carbon.context.internal.CarbonContextDataHolder.getInitialContext()
>>>>>>> method. Whether the user is a tenant or the admin (this works fine for
>>>>>>> admin), the parameter (*name*) passed to the *getInitialContext *method
>>>>>>> is *rmi://localhost:9999/jmxrmi*.
>>>>>>>
>>>>>>> If the user is *admin*, base(initialContext) is returned because of
>>>>>>> the following line segment.
>>>>>>>
>>>>>>> if (!isSubTenant(tenantId)) {
>>>>>>>> return base;
>>>>>>>> }
>>>>>>>>
>>>>>>>
>>>>>>> But if the user is a tenant, all the following if conditions becomes
>>>>>>> false.
>>>>>>>
>>>>>>> if (!isSubTenant(tenantId)) {
>>>>>>>> return base;
>>>>>>>> } else if (scheme != null) {
>>>>>>>> if (allTenantUrlContextSchemes.contains(scheme)) {
>>>>>>>> return base;
>>>>>>>> } else if
>>>>>>>> (superTenantOnlyUrlContextSchemes.contains(scheme)) {
>>>>>>>> throw new SecurityException("Tenants are not
>>>>>>>> allowed to use JNDI contexts " +
>>>>>>>> "with scheme: " +
>>>>>>>> scheme);
>>>>>>>> }
>>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> So the tenant ID is passed to the *base.lookup* method thus causing
>>>>>>> the above exception.
>>>>>>>
>>>>>>>
>>>>>>> Will it cause problems if I add the following line to the above code
>>>>>>> so that *base *is returned if the scheme is rmi?
>>>>>>>
>>>>>>> if (!isSubTenant(tenantId)) {
>>>>>>>> return base;
>>>>>>>> } else if (scheme != null) {
>>>>>>>> if (allTenantUrlContextSchemes.contains(scheme)) {
>>>>>>>> return base;
>>>>>>>> } else if
>>>>>>>> (superTenantOnlyUrlContextSchemes.contains(scheme)) {
>>>>>>>> throw new SecurityException("Tenants are not
>>>>>>>> allowed to use JNDI contexts " +
>>>>>>>> "with scheme: " +
>>>>>>>> scheme);
>>>>>>>> }
>>>>>>>>
>>>>>>> * } else if ("rmi".equalsIgnoreCase(scheme)) {
>>>>>>>> *
>>>>>>>
>>>>>>> * return base;
>>>>>>>> } *
>>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Or is there any proper way to fix this...?
>>>>>>> --
>>>>>>> Thanks!
>>>>>>> --
>>>>>>> Ishan Thilina Somasiri
>>>>>>> www.blog.ishans.info
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thanks!
>>>>>> --
>>>>>> Ishan Thilina Somasiri
>>>>>> www.blog.ishans.info
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thanks!
>>>>> --
>>>>> Ishan Thilina Somasiri
>>>>> www.blog.ishans.info
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> Tharindu
>>>>
>>>> blog: http://mackiemathew.com/
>>>> M: +94777759908
>>>>
>>>>
>>>
>>>
>>> --
>>> *Afkham Azeez*
>>> Director of Architecture; WSO2, Inc.; http://wso2.com
>>> Member; Apache Software Foundation; http://www.apache.org/
>>> * <http://www.apache.org/>**
>>> email: **az...@wso2.com* <az...@wso2.com>* cell: +94 77 3320919
>>> blog: **http://blog.afkham.org* <http://blog.afkham.org>*
>>> twitter: **http://twitter.com/afkham_azeez*<http://twitter.com/afkham_azeez>
>>> *
>>> linked-in: **http://lk.linkedin.com/in/afkhamazeez*
>>> *
>>> *
>>> *Lean . Enterprise . Middleware*
>>>
>>>
>>
>>
>> --
>> * <http://wso2con.com/>
>> *
>> *
>>
>> Senaka Fernando*
>> Member - Integration Technologies Management Committee;
>> Technical Lead; WSO2 Inc.; http://wso2.com*
>> Member; Apache Software Foundation; http://apache.org
>>
>> E-mail: senaka AT wso2.com
>> **P: +1 408 754 7388; ext: 51736*; *M: +94 77 322 1818
>> Linked-In: http://linkedin.com/in/senakafernando
>>
>> *
>> Lean . Enterprise . Middleware
>>
>>
>
>
> --
> Thanks!
> --
> Ishan Thilina Somasiri
> www.blog.ishans.info
>
>
--
Regards,
Tharindu
blog: http://mackiemathew.com/
M: +94777759908
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
