Thanks for this report. Bugzilla will be back online soon and we will get
2.1 out the door.

marc

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]]On Behalf Of Alexander Klyubin
|Sent: Friday, January 19, 2001 10:25 AM
|To: Jboss-Dev
|Subject: [jBoss-Dev] Bugs in PRE-2.1
|
|
|Hi!
|
|As the bug reporting system is not working right now, I wanted to tell about
|bugs I encountered with jBoss:
|* 2.0 supported CDATA sections in jaws.xml <query>; 2.1 does not. It shows
|"... WHERE null ORDER BY ..." in server.log
|* Redeployment of deployed beans does not work at runtime. See listing one
|for the beginning of long stack traces :) The same error happens when I just
|shut down the server. When undeploying my JAR the same exceptions pop up. Even
|when I haven't used the beans at all (start - stop situation).
|* Security does not work correctly (the same applies to 2.0)
|  I have two roles, one is simple user (Employee) the other Administrator
|(who can execute anything).
|If I write tests like:
|       Test #1.
|       loginAsAdministrator(); // all privileges
|       doSomeCallsOnEJBsAllowedForAdminOnly()...
|       logout();
|
|       loginAsEmployee(); // less privileges
|       doSomeCallsOnEJBsAllowedForAdminOnly()...
|       logout();
|
|       Test #2.
|       loginAsEmployee(); // less privileges
|       doSomeCallsOnEJBsAllowedForAdminOnly()...
|       logout();
|
|       loginAsAdministrator(); // all privileges
|       doSomeCallsOnEJBsAllowedForAdminOnly()...
|       logout();
|
|Tests are run on the same machine sequentially starting JVM (java ...) for
|each test. I would expect test #1 to catch RemoteException (thrown because
|of lacking privileges) for employee. The same applies to test #2.
|
|What happens is: test #2 succeeds, BUT test #1 fails -- employee is allowed
|accessing Administrator-only methods.
|I use my own server-side login module (slightly modified version of
|DatabaseServerLoginModule). For test #2 it shows that it first
|authenticated Employee, then Administrator. BUT, for test #1 it shows
|that it is only asked to authenticate Administrator. ClientLoginModule
|shows that its login() method is called in all situations as expected.
|As JAAS is used, can it be that this problem arises because
|ClientLoginModule depends on TLS or even static variables (JVM scope)
|for saving current Principal? In this case, the only illogical part is
|why does authentication take place second time in test #2? Is it because
|JAAS attempts (and succeeds) to gain more privileges for this client?
|
|*******************
|I am participating in a project where servlets are EJBs' clients. We had in
|mind incorporating security into EJBs. But with these problems even for
|single-threaded clients it seems almost impossible to write servlets
|securely? Am I right? Should servlet-level security be used instead of EJB
|security?
|
|Alexander Klyubin
|
|*******************
|Listing 1.
|[Container factory] java.net.SocketException: Broken pipe: Broken pipe
|[Container factory]     at java.net.SocketInputStream.socketRead(Native Method)
|[Container factory]     at java.net.SocketInputStream.read(SocketInputStream.java:86)
|[Container factory]     at java.io.BufferedInputStream.fill(BufferedInputStream.java:186)
|[Container factory]     at java.io.BufferedInputStream.read(BufferedInputStream.java:204)
|[Container factory]     at java.io.ObjectInputStream.peekCode(ObjectInputStream.java:1549)
|[Container factory]     at java.io.ObjectInputStream.refill(ObjectInputStream.java:1683)
|[Container factory]     at java.io.ObjectInputStream.read(ObjectInputStream.java:1659)
|[Container factory]     at java.io.ObjectInputStream.readByte(ObjectInputStream.java:1905)
|[Container factory]     at org.spydermq.distributed.server.DistributedJMSServerUILClient.waitAnswer(DistributedJMSServerUILClient.java:97)
|[Container factory]     at org.spydermq.distributed.server.DistributedJMSServerUILClient.connectionClosing(DistributedJMSServerUILClient.java:159)
|[Container factory]     at org.spydermq.SpyConnection.close(SpyConnection.java:208)
|[Container factory]     at org.jboss.ejb.plugins.AbstractInstanceCache.destroy(AbstractInstanceCache.java:367)
|[Container factory]     at org.jboss.ejb.EntityContainer.destroy(EntityContainer.java:293)
|[Container factory]     at org.jboss.ejb.Application.destroy(Application.java:200)
|[Container factory]     at org.jboss.ejb.ContainerFactory.undeploy(ContainerFactory.java:912)
|[Container factory]     at org.jboss.ejb.ContainerFactory.undeploy(ContainerFactory.java:275)
|[Container factory]     at java.lang.reflect.Method.invoke(Native Method)
|[Container factory]     at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
|[Container factory]     at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
|[Container factory]     at org.jboss.deployment.J2eeDeployer.stopApplication(J2eeDeployer.java:475)
|[Container factory]     at org.jboss.deployment.J2eeDeployer.undeploy(J2eeDeployer.java:230)
|[Container factory]     at org.jboss.deployment.J2eeDeployer.deploy(J2eeDeployer.java:164)
|[Container factory]     at java.lang.reflect.Method.invoke(Native Method)
|[Container factory]     at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
|[Container factory]     at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
|[Container factory]     at org.jboss.ejb.AutoDeployer.deploy(AutoDeployer.java:358)
|[Container factory]     at org.jboss.ejb.AutoDeployer.run(AutoDeployer.java:221)
|[Container factory]     at java.lang.Thread.run(Thread.java:484)
|[Container factory] java.rmi.RemoteException: Cannot contact the remote object
|[Container factory]     at org.spydermq.distributed.server.DistributedJMSServerUILClient.failure(DistributedJMSServerUILClient.java:117)
|[Container factory]     at org.spydermq.distributed.server.DistributedJMSServerUILClient.waitAnswer(DistributedJMSServerUILClient.java:110)
|[Container factory]     at org.spydermq.distributed.server.DistributedJMSServerUILClient.connectionClosing(DistributedJMSServerUILClient.java:159)
|[Container factory]     at org.spydermq.SpyConnection.close(SpyConnection.java:208)
|[Container factory]     at org.jboss.ejb.plugins.AbstractInstanceCache.destroy(AbstractInstanceCache.java:367)
|[Container factory]     at org.jboss.ejb.EntityContainer.destroy(EntityContainer.java:293)
|[Container factory]     at org.jboss.ejb.Application.destroy(Application.java:200)
|[Container factory]     at org.jboss.ejb.ContainerFactory.undeploy(ContainerFactory.java:912)
|[Container factory]     at org.jboss.ejb.ContainerFactory.undeploy(ContainerFactory.java:275)
|[Container factory]     at java.lang.reflect.Method.invoke(Native Method)
|[Container factory]     at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
|[Container factory]     at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
|[Container factory]     at org.jboss.deployment.J2eeDeployer.stopApplication(J2eeDeployer.java:475)
|[Container factory]     at org.jboss.deployment.J2eeDeployer.undeploy(J2eeDeployer.java:230)
|[Container factory]     at org.jboss.deployment.J2eeDeployer.deploy(J2eeDeployer.java:164)
|[Container factory]     at java.lang.reflect.Method.invoke(Native Method)
|[Container factory]     at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
|[Container factory]     at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
|[Container factory]     at org.jboss.ejb.AutoDeployer.deploy(AutoDeployer.java:358)
|[Container factory]     at org.jboss.ejb.AutoDeployer.run(AutoDeployer.java:221)
|[Container factory]     at java.lang.Thread.run(Thread.java:484)
|
|
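
The scoping question raised in the quoted report (caller identity kept in thread-local or JVM-wide static state, with servlets acting as EJB clients), as an added example that is not part of the original thread and is not JBoss or JAAS code. The holder fields and `adminOnly` are hypothetical stand-ins, and the single-thread executor stands in for a servlet container's reused request thread.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration: all names here are hypothetical, none are JBoss or JAAS APIs.
public class PrincipalScopeDemo {
    static volatile String jvmWide;                                   // JVM-scope holder
    static final ThreadLocal<String> perThread = new ThreadLocal<>(); // thread-scope holder

    // Stand-in for an Administrator-only bean method; reports who the call ran as.
    static String adminOnly(String caller) {
        return "Administrator".equals(caller) ? "ALLOWED as " + caller : "DENIED for " + caller;
    }

    // Case 1: static holder. A login on another thread replaces the identity
    // that the first thread's later call will use.
    static String staticHolder() throws Exception {
        jvmWide = "Employee";                                   // request thread A logs in
        Thread b = new Thread(() -> jvmWide = "Administrator"); // request thread B logs in
        b.start();
        b.join();
        return adminOnly(jvmWide);                              // A's call runs as B's principal
    }

    // Case 2: thread-local holder on a pooled thread that is never cleared.
    static String threadLocalNoCleanup(ExecutorService pool) throws Exception {
        pool.submit(() -> perThread.set("Administrator")).get();    // request 1, no logout
        return pool.submit(() -> adminOnly(perThread.get())).get(); // request 2, no login
    }

    // Case 3: same holder, but each request sets its identity and clears it in finally.
    static String threadLocalWithCleanup(ExecutorService pool, String user) throws Exception {
        return pool.submit(() -> {
            perThread.set(user);
            try { return adminOnly(perThread.get()); }
            finally { perThread.remove(); }
        }).get();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor(); // one reused worker thread
        System.out.println("static holder:           " + staticHolder());
        System.out.println("thread-local, no clear:  " + threadLocalNoCleanup(pool));
        System.out.println("thread-local, cleared:   " + threadLocalWithCleanup(pool, "Employee"));
        System.out.println("after cleanup, no login: "
            + pool.submit(() -> adminOnly(perThread.get())).get());
        pool.shutdown();
    }
}
```

In a servlet acting as an EJB client, the third pattern (set the identity at the start of the request, remove it in `finally`) keeps one request's principal from carrying over to the next request served by the same thread.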

