Re: [Dev] Java Security Manager needs read permission to h2 db in AS 5.3.0 SNAPSHOT

Supun Malinga Thu, 27 Aug 2015 11:46:52 -0700

Hi,

Found that the issue happens at the following,


        at
org.wso2.carbon.user.core.common.AbstractUserStoreManager.listUsers(AbstractUserStoreManager.java:2034)
        at
org.apache.jsp.carbon.usermgt.index_jsp._jspService(index_jsp.java:167)

I did the following fix in CarbonContext (where the user realm is retrieved
initially), and the issue disappeared. Is this a good enough solution ? Or
do we have to explicitly do permission checks in AbstractUserStoreManager
?. So far there is none in that.. Let me know.

+++
b/core/org.wso2.carbon.utils/src/main/java/org/wso2/carbon/context/CarbonContext.java
@@ -233,6 +233,8 @@ public class CarbonContext {
      * @return the user realm instance.
      */
     public UserRealm getUserRealm() {
+        CarbonUtils.checkSecurity();
         return getCarbonContextDataHolder().getUserRealm();
     }

thanks,


On Tue, Aug 25, 2015 at 12:17 PM, Supun Malinga <sup...@wso2.com> wrote:

> thanks Isuru. Let me see what I can find.
>
> thanks
>
> On Tue, Aug 25, 2015 at 12:12 PM, Isuru Perera <isu...@wso2.com> wrote:
>
>> Hi Supun,
>>
>> I'm sorry I missed this mail. We need to identify which method is
>> accessing the local database. We should never give explicit read
>> permissions for the H2 database.
>>
>> We need to use Java Privileged Block API in Carbon Context APIs. If you
>> cannot figure out the protection domain for the access failure, please
>> check Java Security Debug logs. See Troubleshooting section in my Java
>> Security Manager related blog post [1].
>>
>> With Privileged Block API, we can let Carbon Context APIs to use same
>> permissions we give to Carbon code.
>>
>> Thanks!
>>
>> Best Regards,
>>
>> [1]
>> http://isuru-perera.blogspot.com/2014/12/enabling-java-security-manager-for-wso2.html
>>
>>
>> On Thu, Aug 13, 2015 at 3:37 PM, Supun Malinga <sup...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> For accessing usermgt via CarbonContext had to provide following
>>> permission for webapp.
>>>
>>>     permission java.io.FilePermission
>>> "/home/supun/smoke/java_sec/530_custom/wso2as-5.3.0-SNAPSHOT/repository/database/WSO2CARBON_DB.data.db",
>>> "read";
>>>
>>> I tested with AS 5.2.1 and we don't need this in 5.2.1.
>>>
>>> Can anyone tell why this is needed and if its an issue ?.
>>>
>>> thanks,
>>> --
>>> Supun Malinga,
>>>
>>> Senior Software Engineer,
>>> WSO2 Inc.
>>> http://wso2.com
>>> email: sup...@wso2.com <sup...@wso2.com>
>>> mobile: +94 (0)71 56 91 321
>>>
>>
>>
>>
>> --
>> Isuru Perera
>> Associate Technical Lead | WSO2, Inc. | http://wso2.com/
>> Lean . Enterprise . Middleware
>>
>> about.me/chrishantha
>> Contact: +IsuruPereraWSO2 <https://www.google.com/+IsuruPereraWSO2/about>
>>
>
>
>
> --
> Supun Malinga,
>
> Senior Software Engineer,
> WSO2 Inc.
> http://wso2.com
> email: sup...@wso2.com <sup...@wso2.com>
> mobile: +94 (0)71 56 91 321
>



-- 
Supun Malinga,

Senior Software Engineer,
WSO2 Inc.
http://wso2.com
email: sup...@wso2.com <sup...@wso2.com>
mobile: +94 (0)71 56 91 321

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

Re: [Dev] Java Security Manager needs read permission to h2 db in AS 5.3.0 SNAPSHOT

Reply via email to