* [ adempiere-Bugs-1719617 ] Server bean allows remote unauthenticated queries
- A more secure patch.
parent
c26e51f18d
commit
031c500303
|
@ -541,25 +541,6 @@ public final class Adempiere
|
|||
} // startupEnvironment
|
||||
|
||||
|
||||
/**
|
||||
* @return SecurityToken
|
||||
*/
|
||||
public static SecurityToken getSecurityToken()
|
||||
{
|
||||
Certificate cert = null;
|
||||
String host = null;
|
||||
CodeSource cs
|
||||
= Adempiere.class.getProtectionDomain().getCodeSource();
|
||||
if (cs != null)
|
||||
{
|
||||
Certificate[] certs = cs.getCertificates();
|
||||
if (certs != null && certs.length > 0)
|
||||
cert = certs[0];
|
||||
}
|
||||
host = Adempiere.getCodeBaseHost();
|
||||
return new SecurityToken(cert, host);
|
||||
}
|
||||
|
||||
/**
|
||||
* Main Method
|
||||
*
|
||||
|
|
|
@ -119,7 +119,7 @@ public class PO_LOB implements Serializable
|
|||
{
|
||||
if (server != null)
|
||||
{ // See ServerBean
|
||||
success = server.updateLOB (sql.toString(), m_displayType, m_value, Adempiere.getSecurityToken());
|
||||
success = server.updateLOB (sql.toString(), m_displayType, m_value, SecurityToken.getInstance());
|
||||
if (CLogMgt.isLevelFinest())
|
||||
log.fine("server => " + success);
|
||||
if (success)
|
||||
|
|
|
@ -124,7 +124,7 @@ public class CPreparedStatement extends CStatement implements PreparedStatement
|
|||
Server server = CConnection.get().getServer();
|
||||
if (server != null)
|
||||
{
|
||||
ResultSet rs = server.pstmt_getRowSet (p_vo, Adempiere.getSecurityToken());
|
||||
ResultSet rs = server.pstmt_getRowSet (p_vo, SecurityToken.getInstance());
|
||||
p_vo.clearParameters(); // re-use of result set
|
||||
if (rs == null)
|
||||
log.warning("ResultSet is null - " + p_vo);
|
||||
|
@ -200,7 +200,7 @@ public class CPreparedStatement extends CStatement implements PreparedStatement
|
|||
Server server = CConnection.get().getServer();
|
||||
if (server != null)
|
||||
{
|
||||
int result = server.stmt_executeUpdate (p_vo, Adempiere.getSecurityToken());
|
||||
int result = server.stmt_executeUpdate (p_vo, SecurityToken.getInstance());
|
||||
p_vo.clearParameters(); // re-use of result set
|
||||
return result;
|
||||
}
|
||||
|
@ -888,7 +888,7 @@ public class CPreparedStatement extends CStatement implements PreparedStatement
|
|||
Server server = CConnection.get().getServer();
|
||||
if (server != null)
|
||||
{
|
||||
RowSet rs = server.pstmt_getRowSet (p_vo, Adempiere.getSecurityToken());
|
||||
RowSet rs = server.pstmt_getRowSet (p_vo, SecurityToken.getInstance());
|
||||
p_vo.clearParameters(); // re-use of result set
|
||||
if (rs == null)
|
||||
log.warning("RowSet is null - " + p_vo);
|
||||
|
|
|
@ -137,7 +137,7 @@ public class CStatement implements Statement
|
|||
Server server = CConnection.get().getServer();
|
||||
if (server != null)
|
||||
{
|
||||
ResultSet rs = server.stmt_getRowSet (p_vo, Adempiere.getSecurityToken());
|
||||
ResultSet rs = server.stmt_getRowSet (p_vo, SecurityToken.getInstance());
|
||||
if (rs == null)
|
||||
log.warning("ResultSet is null - " + p_vo);
|
||||
else
|
||||
|
@ -199,7 +199,7 @@ public class CStatement implements Statement
|
|||
Server server = CConnection.get().getServer();
|
||||
if (server != null)
|
||||
{
|
||||
int result = server.stmt_executeUpdate(p_vo, Adempiere.getSecurityToken());
|
||||
int result = server.stmt_executeUpdate(p_vo, SecurityToken.getInstance());
|
||||
p_vo.clearParameters(); // re-use of result set
|
||||
return result;
|
||||
}
|
||||
|
@ -868,7 +868,7 @@ public class CStatement implements Statement
|
|||
Server server = CConnection.get().getServer();
|
||||
if (server != null)
|
||||
{
|
||||
RowSet rs = server.stmt_getRowSet (p_vo, Adempiere.getSecurityToken());
|
||||
RowSet rs = server.stmt_getRowSet (p_vo, SecurityToken.getInstance());
|
||||
p_vo.clearParameters(); // re-use of result set
|
||||
if (rs == null)
|
||||
log.warning("RowSet is null - " + p_vo);
|
||||
|
|
|
@ -1,8 +1,11 @@
|
|||
package org.compiere.util;
|
||||
|
||||
import java.io.Serializable;
|
||||
import java.security.CodeSource;
|
||||
import java.security.cert.Certificate;
|
||||
|
||||
import org.compiere.Adempiere;
|
||||
|
||||
/**
|
||||
* @author Low Heng Sin
|
||||
*/
|
||||
|
@ -10,20 +13,49 @@ public class SecurityToken implements Serializable {
|
|||
|
||||
private Certificate codeCertificate;
|
||||
private String codeBaseHost;
|
||||
private final static SecurityToken TOKEN = SecurityToken.getSecurityToken();
|
||||
|
||||
public SecurityToken(Certificate cert, String host)
|
||||
private SecurityToken(Certificate cert, String host)
|
||||
{
|
||||
codeCertificate = cert;
|
||||
codeBaseHost = host;
|
||||
}
|
||||
|
||||
public Certificate getCodeCertificate()
|
||||
public final Certificate getCodeCertificate()
|
||||
{
|
||||
return codeCertificate;
|
||||
}
|
||||
|
||||
public String getCodeBaseHost()
|
||||
public final String getCodeBaseHost()
|
||||
{
|
||||
return codeBaseHost;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return SecurityToken
|
||||
*/
|
||||
private static SecurityToken getSecurityToken()
|
||||
{
|
||||
Certificate cert = null;
|
||||
String host = null;
|
||||
CodeSource cs
|
||||
= SecurityToken.class.getProtectionDomain().getCodeSource();
|
||||
if (cs != null)
|
||||
{
|
||||
Certificate[] certs = cs.getCertificates();
|
||||
if (certs != null && certs.length > 0)
|
||||
cert = certs[0];
|
||||
}
|
||||
host = Adempiere.getCodeBaseHost();
|
||||
return new SecurityToken(cert, host);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the client security token for server validation
|
||||
* @return SecurityToken
|
||||
*/
|
||||
public static SecurityToken getInstance()
|
||||
{
|
||||
return TOKEN;
|
||||
}
|
||||
}
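Review bot: Narrowing the constructor to `private SecurityToken(Certificate cert, String host)` only restricts code compiled against this class. The class is still `Serializable`, and Java deserialization restores an instance without running that constructor, so a token received by the server is caller-supplied data rather than proof of an authentic client. The server-side comparison is not part of this commit, so this is an assumption to confirm: if it trusts `getCodeCertificate()` and `getCodeBaseHost()` read from the received object, the server methods also need container-level authentication of the remote caller. Separately, `TOKEN` is built once in the static initializer through `Adempiere.getCodeBaseHost()`, so if the host is not yet set when `SecurityToken` is first loaded it stays null for the life of the JVM; a comment such as `// computed once at class load; code base host must be set before first use` on `TOKEN` would record that ordering requirement. The fields `codeCertificate` and `codeBaseHost` can also be declared `final`, since the single constructor assigns both.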
|
||||
|
|