Hi!
As the bug reporting system is not working right now, I wanted to tell you
about the bugs I encountered with jBoss:
* 2.0 supported CDATA sections in jaws.xml <query>; 2.1 does not. It shows
"... WHERE null ORDER BY ..." in server.log
* Redeployment of deployed beans does not work at runtime. See Listing 1
for the beginning of the long stack traces :) The same error happens when I
just shut down the server. When undeploying my JAR the same exceptions pop
up, even when I haven't used the beans at all (start - stop situation).
* Security does not work correctly (the same applies to 2.0)
I have two roles: one is a simple user (Employee), the other Administrator
(who can execute anything).
If I write tests like:
Test #1.
loginAsAdministrator(); // all privileges
doSomeCallsOnEJBsAllowedForAdminOnly()...
logout();
loginAsEmployee(); // less privileges
doSomeCallsOnEJBsAllowedForAdminOnly()...
logout();
Test #2.
loginAsEmployee(); // less privileges
doSomeCallsOnEJBsAllowedForAdminOnly()...
logout();
loginAsAdministrator(); // all privileges
doSomeCallsOnEJBsAllowedForAdminOnly()...
logout();
Tests are run on the same machine sequentially, starting a JVM (java ...)
for each test. I would expect test #1 to catch a RemoteException (thrown
because of lacking privileges) for the employee. The same applies to test #2.
What happens is: test #2 succeeds, BUT test #1 fails -- the employee is
allowed to access Administrator-only methods.
I use my own server-side login module (a slightly modified version of
DatabaseServerLoginModule). For test #2 it shows that it first authenticated
Employee, then Administrator. BUT for test #1 it shows that it is only
asked to authenticate Administrator. ClientLoginModule shows that its
login() method is called in all situations as expected. As JAAS is used, can
it be that this problem arises because ClientLoginModule depends on TLS or
even static variables (JVM scope) for saving the current Principal? In this
case, the only illogical part is: why does authentication take place a
second time in test #2? Is it because JAAS attempts (and succeeds) to gain
more privileges for this client?
*******************
I am participating in a project where servlets are the EJBs' clients. We had
in mind incorporating security into the EJBs. But with these problems, even
for single-threaded clients, it seems almost impossible to write servlets
securely? Am I right? Should servlet-level security be used instead of EJB
security?
Alexander Klyubin
*******************
Listing 1.
[Container factory] java.net.SocketException: Broken pipe: Broken pipe
[Container factory] at java.net.SocketInputStream.socketRead(Native Method)
[Container factory] at java.net.SocketInputStream.read(SocketInputStream.java:86)
[Container factory] at java.io.BufferedInputStream.fill(BufferedInputStream.java:186)
[Container factory] at java.io.BufferedInputStream.read(BufferedInputStream.java:204)
[Container factory] at java.io.ObjectInputStream.peekCode(ObjectInputStream.java:1549)
[Container factory] at java.io.ObjectInputStream.refill(ObjectInputStream.java:1683)
[Container factory] at java.io.ObjectInputStream.read(ObjectInputStream.java:1659)
[Container factory] at java.io.ObjectInputStream.readByte(ObjectInputStream.java:1905)
[Container factory] at org.spydermq.distributed.server.DistributedJMSServerUILClient.waitAnswer(DistributedJMSServerUILClient.java:97)
[Container factory] at org.spydermq.distributed.server.DistributedJMSServerUILClient.connectionClosing(DistributedJMSServerUILClient.java:159)
[Container factory] at org.spydermq.SpyConnection.close(SpyConnection.java:208)
[Container factory] at org.jboss.ejb.plugins.AbstractInstanceCache.destroy(AbstractInstanceCache.java:367)
[Container factory] at org.jboss.ejb.EntityContainer.destroy(EntityContainer.java:293)
[Container factory] at org.jboss.ejb.Application.destroy(Application.java:200)
[Container factory] at org.jboss.ejb.ContainerFactory.undeploy(ContainerFactory.java:912)
[Container factory] at org.jboss.ejb.ContainerFactory.undeploy(ContainerFactory.java:275)
[Container factory] at java.lang.reflect.Method.invoke(Native Method)
[Container factory] at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
[Container factory] at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
[Container factory] at org.jboss.deployment.J2eeDeployer.stopApplication(J2eeDeployer.java:475)
[Container factory] at org.jboss.deployment.J2eeDeployer.undeploy(J2eeDeployer.java:230)
[Container factory] at org.jboss.deployment.J2eeDeployer.deploy(J2eeDeployer.java:164)
[Container factory] at java.lang.reflect.Method.invoke(Native Method)
[Container factory] at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
[Container factory] at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
[Container factory] at org.jboss.ejb.AutoDeployer.deploy(AutoDeployer.java:358)
[Container factory] at org.jboss.ejb.AutoDeployer.run(AutoDeployer.java:221)
[Container factory] at java.lang.Thread.run(Thread.java:484)
[Container factory] java.rmi.RemoteException: Cannot contact the remote object
[Container factory] at org.spydermq.distributed.server.DistributedJMSServerUILClient.failure(DistributedJMSServerUILClient.java:117)
[Container factory] at org.spydermq.distributed.server.DistributedJMSServerUILClient.waitAnswer(DistributedJMSServerUILClient.java:110)
[Container factory] at org.spydermq.distributed.server.DistributedJMSServerUILClient.connectionClosing(DistributedJMSServerUILClient.java:159)
[Container factory] at org.spydermq.SpyConnection.close(SpyConnection.java:208)
[Container factory] at org.jboss.ejb.plugins.AbstractInstanceCache.destroy(AbstractInstanceCache.java:367)
[Container factory] at org.jboss.ejb.EntityContainer.destroy(EntityContainer.java:293)
[Container factory] at org.jboss.ejb.Application.destroy(Application.java:200)
[Container factory] at org.jboss.ejb.ContainerFactory.undeploy(ContainerFactory.java:912)
[Container factory] at org.jboss.ejb.ContainerFactory.undeploy(ContainerFactory.java:275)
[Container factory] at java.lang.reflect.Method.invoke(Native Method)
[Container factory] at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
[Container factory] at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
[Container factory] at org.jboss.deployment.J2eeDeployer.stopApplication(J2eeDeployer.java:475)
[Container factory] at org.jboss.deployment.J2eeDeployer.undeploy(J2eeDeployer.java:230)
[Container factory] at org.jboss.deployment.J2eeDeployer.deploy(J2eeDeployer.java:164)
[Container factory] at java.lang.reflect.Method.invoke(Native Method)
[Container factory] at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
[Container factory] at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
[Container factory] at org.jboss.ejb.AutoDeployer.deploy(AutoDeployer.java:358)
[Container factory] at org.jboss.ejb.AutoDeployer.run(AutoDeployer.java:221)
[Container factory] at java.lang.Thread.run(Thread.java:484)
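The two login orders in the post (Administrator then Employee, and Employee then Administrator) are exactly the kind of test that exposes identity state leaking between logins. The program below is an added example, not code from the post or from jBoss: it models a client whose roles live in a JVM-wide static set that logout() never clears (one hypothetical mechanism that reproduces the post's asymmetry, not a claim about what ClientLoginModule actually does), beside a client whose identity is scoped to a per-login javax.security.auth.Subject, and runs both orders against a server-side Administrator-only check. The user names and the user-to-role table are constructed for the example.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

/**
 * Added example (not from the post or from jBoss): models a client whose
 * identity leaks through JVM-wide static state and one whose identity is
 * scoped to a per-login Subject, then runs the post's two login orders.
 */
public class LoginOrderDemo {

    /** Constructed user table (hypothetical names): user -> role. */
    static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("alice", "Administrator");
        USERS.put("bob", "Employee");
    }

    /** Minimal Principal carrying a role name. */
    static final class RolePrincipal implements Principal {
        private final String role;
        RolePrincipal(String role) { this.role = role; }
        @Override public String getName() { return role; }
    }

    /** The client-side identity store that the EJB calls go through. */
    interface ClientIdentity {
        void login(String user);
        void logout();
        Set<String> roles();   // roles the client presents on each call
    }

    /**
     * Hypothetical buggy store: roles accumulate in a static, JVM-wide set
     * that login() only adds to and logout() never clears. A model of the
     * kind of leak the post suspects, not jBoss's ClientLoginModule.
     */
    static final class StaticRoleStore implements ClientIdentity {
        private static final Set<String> ROLES = new HashSet<String>();
        public void login(String user) { ROLES.add(USERS.get(user)); }
        public void logout() { /* nothing: the static survives logout */ }
        public Set<String> roles() { return ROLES; }
        /** Stands in for starting a fresh JVM, as the post did per test. */
        static void freshJvm() { ROLES.clear(); }
    }

    /**
     * Fixed store: a new Subject per login, dropped on logout, so nothing
     * from the previous identity can be presented on later calls.
     */
    static final class SubjectRoleStore implements ClientIdentity {
        private Subject subject;
        public void login(String user) {
            subject = new Subject();
            subject.getPrincipals().add(new RolePrincipal(USERS.get(user)));
        }
        public void logout() { subject = null; }
        public Set<String> roles() {
            Set<String> out = new HashSet<String>();
            if (subject != null) {
                for (Principal p : subject.getPrincipals()) out.add(p.getName());
            }
            return out;
        }
    }

    /** Server-side check guarding an Administrator-only EJB method. */
    static boolean adminOnlyCall(Set<String> callerRoles) {
        return callerRoles.contains("Administrator");
    }

    /**
     * Runs one login order (the post's test #1 or #2) and reports whether
     * the Employee was denied the Administrator-only call, as it must be.
     */
    static boolean employeeDenied(ClientIdentity id, String first, String second) {
        boolean denied = true;
        for (String user : new String[] { first, second }) {
            id.login(user);
            boolean allowed = adminOnlyCall(id.roles());
            System.out.println("  " + user + " (" + USERS.get(user) + ") presents "
                + id.roles() + " -> " + (allowed ? "ALLOWED" : "denied"));
            if ("Employee".equals(USERS.get(user)) && allowed) denied = false;
            id.logout();
        }
        return denied;
    }

    public static void main(String[] args) {
        System.out.println("static store, test #1 (Administrator then Employee):");
        StaticRoleStore.freshJvm();
        boolean s1 = employeeDenied(new StaticRoleStore(), "alice", "bob");
        System.out.println("static store, test #2 (Employee then Administrator):");
        StaticRoleStore.freshJvm();
        boolean s2 = employeeDenied(new StaticRoleStore(), "bob", "alice");
        System.out.println("subject store, test #1:");
        boolean j1 = employeeDenied(new SubjectRoleStore(), "alice", "bob");
        System.out.println("subject store, test #2:");
        boolean j2 = employeeDenied(new SubjectRoleStore(), "bob", "alice");
        System.out.println("employee denied?  static: #1=" + s1 + " #2=" + s2
            + "  subject: #1=" + j1 + " #2=" + j2);
    }
}
```

Compile and run with javac LoginOrderDemo.java && java LoginOrderDemo. With the static store the Employee is let through only in the Administrator-first order, which is the post's pattern: the roles left behind by the earlier login are still presented after logout(). With the Subject-scoped store the Employee is denied in both orders. Whatever the real cause in jBoss 2.1, an authorization test suite should always run the privileged-then-unprivileged order, since a suite that only logs in from least to most privileged will never notice this class of leak.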