Hi Ishara,

Thanks for the reply. But I think your suggestion won't work either. While
debugging in super-tenant mode, I found that we are not sending the tenant
id with the role name. So it will still go through the same path and
return false for an already existing role which has a "@" character.

Thanks.

Regards,
Megala

On Mon, Oct 17, 2016 at 10:50 AM, Ishara Cooray <isha...@wso2.com> wrote:

> What if the create role context logic is changed as below.
>
> JDBCRoleContext searchCtx = new JDBCRoleContext();
> String[] roleNameParts = roleName.split(UserCoreConstants.TENANT_DOMAIN_COMBINER);
> if (roleNameParts.length > 1 && (roleNameParts[1] == null || roleNameParts[1].equals("null"))) {
>     roleNameParts = new String[]{roleNameParts[0]};
> }
>
> to
>
> JDBCRoleContext searchCtx = new JDBCRoleContext();
> String[] roleNameParts = roleName.split(UserCoreConstants.TENANT_DOMAIN_COMBINER);
> if (roleNameParts.length > 1 && (roleNameParts[1] == null || roleNameParts[1].equals("null"))) {
>     roleNameParts = new String[]{roleName.substring(0, roleName.lastIndexOf("@"))};
> }
>
> However, there is no need to create a new string array here. Simply a String
> should do (you can assign it to a String variable other than using the existing
> string array). Please check that as well.
>
>
> Thanks & Regards,
> Ishara Cooray
> Senior Software Engineer
> Mobile : +9477 262 9512
> WSO2, Inc. | http://wso2.com/
> Lean . Enterprise . Middleware
>
> On Mon, Oct 17, 2016 at 9:55 AM, Megala Uthayakumar <meg...@wso2.com>
> wrote:
>
>> Hi All,
>>
>> I am working on a jira issue which is related to a problem in updating
>> the permissions for role names with special characters [1]. When I was
>> analyzing this issue I found that
>> when we have an existing role with a "@" character, the system returns
>> false, even though that particular role exists in the primary user store. This is
>> because, in the JDBCUserStoreManager, before checking whether the
>> particular role exists, it creates a role context [2], in which it splits
>> the role using the "@" character and takes the 1st part of the role as the role
>> name, and if the split has more than a single part [3], it considers the second
>> part as the tenant id.
>>
>> For example, if we have a role with the name 'test@', it will consider
>> 'test' as the role name; because of that, the isExisting check returns false.
>>
>> This behavior affects role addition in the management console too. After
>> creating a role with the name "test@", if we try to create another role
>> with the same name, it throws the following exception.
>> *Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key
>> violation: "CONSTRAINT_INDEX_19 ON PUBLIC.UM_ROLE(UM_ROLE_NAME,
>> UM_TENANT_ID) VALUES ( /* key:6 */ null, 'adadad@', -1234, null)"; SQL
>> statement:*
>> *INSERT INTO UM_ROLE (UM_ROLE_NAME, UM_TENANT_ID) VALUES (?, ?)
>> [23505-175]*
>> * at org.h2.message.DbException.getJdbcSQLException(DbException.java:332)*
>> * at org.h2.message.DbException.get(DbException.java:172)*
>> * at org.h2.message.DbException.get(DbException.java:149)*
>> * at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:101)*
>> * at org.h2.index.PageBtree.find(PageBtree.java:121)*
>> * at org.h2.index.PageBtreeLeaf.addRow(PageBtreeLeaf.java:148)*
>> * at org.h2.index.PageBtreeLeaf.addRowTry(PageBtreeLeaf.java:101)*
>> * at org.h2.index.PageBtreeIndex.addRow(PageBtreeIndex.java:96)*
>> * at org.h2.index.PageBtreeIndex.add(PageBtreeIndex.java:87)*
>> * at org.h2.table.RegularTable.addRow(RegularTable.java:119)*
>> * at org.h2.command.dml.Insert.insertRows(Insert.java:157)*
>> * at org.h2.command.dml.Insert.update(Insert.java:115)*
>> * at org.h2.command.CommandContainer.update(CommandContainer.java:79)*
>> * at org.h2.command.Command.executeUpdate(Command.java:253)*
>> * at
>> org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:154)*
>> * at
>> org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:140)*
>> * at
>> org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager.updateStringValuesToDatabase(JDBCUserStoreManager.java:2352)*
>> * ... 78 more*
>> *[2016-10-17 09:33:50,836] ERROR
>> {org.wso2.carbon.user.mgt.ui.UserAdminClient} -  Error occurred while
>> getting database type from DB connection*
>> *org.apache.axis2.AxisFault: Error occurred while getting database type
>> from DB connection*
>> * at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531)*
>> * at
>> org.apache.axis2.description.RobustOutOnlyAxisOperation$RobustOutOnlyOperationClient.handleResponse(RobustOutOnlyAxisOperation.java:91)*
>> * at
>> org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:445)*
>> * at
>> org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)*
>> * at
>> org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)*
>> * at
>> org.wso2.carbon.user.mgt.stub.UserAdminStub.addRole(UserAdminStub.java:5002)*
>> * at org.wso2.carbon.user.mgt.ui.UserAdminClient.addRole(UserAdminClient.java:76)*
>> * at
>> org.apache.jsp.role.add_002dfinish_002dajaxprocessor_jsp._jspService(add_002dfinish_002dajaxprocessor_jsp.java:159)*
>> * at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)*
>> * at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)*
>> * at
>> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)*
>> * at
>> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)*
>> * at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)*
>> * at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)*
>> * at org.wso2.carbon.ui.JspServlet.service(JspServlet.java:155)*
>> * at org.wso2.carbon.ui.TilesJspServlet.service(TilesJspServlet.java:80)*
>> * at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)*
>> * at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)*
>> * at
>> org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)*
>> * at
>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)*
>> * at
>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)*
>> * at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)*
>> * at
>> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)*
>> * at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)*
>> * at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)*
>> * at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)*
>> * at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)*
>> * at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)*
>> * at
>> org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)*
>> * at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)*
>> * at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)*
>> * at
>> org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)*
>> * at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)*
>> * at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)*
>> * at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120)*
>> * at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)*
>> * at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)*
>> * at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)*
>> * at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)*
>> * at
>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)*
>> * at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)*
>> * at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)*
>> * at
>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)*
>> * at
>> org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)*
>> * at
>> org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)*
>> * at
>> org.wso2.carbon.webapp.authenticator.framework.WebappAuthenticationValve.invoke(WebappAuthenticationValve.java:45)*
>> * at
>> org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)*
>> * at
>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)*
>> * at
>> org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)*
>> * at
>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)*
>> * at
>> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)*
>> * at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)*
>> * at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)*
>> * at
>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1082)*
>> * at
>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)*
>> * at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1756)*
>> * at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1715)*
>> * at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)*
>> * at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)*
>> * at
>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)*
>> * at java.lang.Thread.run(Thread.java:745)*
>>
>> So in that case, in order to avoid this faulty behavior, shouldn't we
>> restrict the user from using "@" when creating role names?
>>
>> Any suggestions or comments in this regard are highly appreciated.
>>
>> [1] https://wso2.org/jira/browse/EMM-1755
>> [2] https://github.com/wso2/carbon-kernel/blob/v4.4.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/JDBCUserStoreManager.java#L717
>> [3] https://github.com/wso2/carbon-kernel/blob/v4.4.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/JDBCUserStoreManager.java#L3092
>>
>>
>> Thanks.
>>
>> Regards,
>> Megala
>> --
>> Megala Uthayakumar
>>
>> Software Engineer
>> Mobile : 0779967122
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>


-- 
Megala Uthayakumar

Software Engineer
Mobile : 0779967122
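
The mismatch discussed in this thread, as an added example that is not part of the original e-mails and is not carbon-kernel code: the existence check looks up only the text before "@", while the insert stores the full role name, so the check passes and the unique index rejects the write. The class and method names, the in-memory set standing in for UM_ROLE, and the "@" combiner value are assumptions made for the illustration; the last method shows the creation-time restriction proposed in the first message.

```java
import java.util.HashSet;
import java.util.Set;

public class RoleNameSplitDemo {
    // Assumption: the tenant combiner is "@", as the thread describes.
    static final String COMBINER = "@";
    static final int TENANT_ID = -1234;
    // Stand-in for UM_ROLE and its unique (UM_ROLE_NAME, UM_TENANT_ID) index.
    static final Set<String> roles = new HashSet<>();

    // Existence check as described in the thread: only the part before "@" is looked up.
    // String.split drops trailing empty strings, so "test@" yields just ["test"].
    static boolean existsSplit(String roleName) {
        String[] parts = roleName.split(COMBINER);
        String lookup = parts.length > 0 ? parts[0] : "";
        return roles.contains(lookup + "|" + TENANT_ID);
    }

    // The insert stores the full name; a duplicate key fails like the H2 unique index.
    static void insert(String roleName) {
        if (!roles.add(roleName + "|" + TENANT_ID)) {
            throw new IllegalStateException("unique index violation: " + roleName);
        }
    }

    // Restriction proposed in the thread: refuse the combiner when a role is created,
    // so the name that is checked and the name that is stored cannot differ.
    static void addRoleRestricted(String roleName) {
        if (roleName.contains(COMBINER)) {
            throw new IllegalArgumentException("role name must not contain " + COMBINER);
        }
        if (!existsSplit(roleName)) {
            insert(roleName);
        }
    }

    public static void main(String[] args) {
        insert("test@"); // first creation succeeds
        System.out.println("exists(test@) = " + existsSplit("test@"));
        try {
            if (!existsSplit("test@")) insert("test@"); // check passes, insert collides
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
        try {
            addRoleRestricted("qa@"); // rejected before any lookup or insert
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```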