* [ adempiere-Bugs-1719617 ] Server bean allows remote unauthenticated queries

- A more secure patch.
This commit is contained in:
Heng Sin Low 2007-05-21 05:37:15 +00:00
parent c26e51f18d
commit 031c500303
5 changed files with 42 additions and 29 deletions


@ -541,25 +541,6 @@ public final class Adempiere
} // startupEnvironment } // startupEnvironment
/**
* @return SecurityToken
*/
public static SecurityToken getSecurityToken()
{
Certificate cert = null;
String host = null;
CodeSource cs
= Adempiere.class.getProtectionDomain().getCodeSource();
if (cs != null)
{
Certificate[] certs = cs.getCertificates();
if (certs != null && certs.length > 0)
cert = certs[0];
}
host = Adempiere.getCodeBaseHost();
return new SecurityToken(cert, host);
}
/** /**
* Main Method * Main Method
* *


@ -119,7 +119,7 @@ public class PO_LOB implements Serializable
{ {
if (server != null) if (server != null)
{ // See ServerBean { // See ServerBean
success = server.updateLOB (sql.toString(), m_displayType, m_value, Adempiere.getSecurityToken()); success = server.updateLOB (sql.toString(), m_displayType, m_value, SecurityToken.getInstance());
if (CLogMgt.isLevelFinest()) if (CLogMgt.isLevelFinest())
log.fine("server => " + success); log.fine("server => " + success);
if (success) if (success)


@ -124,7 +124,7 @@ public class CPreparedStatement extends CStatement implements PreparedStatement
Server server = CConnection.get().getServer(); Server server = CConnection.get().getServer();
if (server != null) if (server != null)
{ {
ResultSet rs = server.pstmt_getRowSet (p_vo, Adempiere.getSecurityToken()); ResultSet rs = server.pstmt_getRowSet (p_vo, SecurityToken.getInstance());
p_vo.clearParameters(); // re-use of result set p_vo.clearParameters(); // re-use of result set
if (rs == null) if (rs == null)
log.warning("ResultSet is null - " + p_vo); log.warning("ResultSet is null - " + p_vo);
@ -200,7 +200,7 @@ public class CPreparedStatement extends CStatement implements PreparedStatement
Server server = CConnection.get().getServer(); Server server = CConnection.get().getServer();
if (server != null) if (server != null)
{ {
int result = server.stmt_executeUpdate (p_vo, Adempiere.getSecurityToken()); int result = server.stmt_executeUpdate (p_vo, SecurityToken.getInstance());
p_vo.clearParameters(); // re-use of result set p_vo.clearParameters(); // re-use of result set
return result; return result;
} }
@ -888,7 +888,7 @@ public class CPreparedStatement extends CStatement implements PreparedStatement
Server server = CConnection.get().getServer(); Server server = CConnection.get().getServer();
if (server != null) if (server != null)
{ {
RowSet rs = server.pstmt_getRowSet (p_vo, Adempiere.getSecurityToken()); RowSet rs = server.pstmt_getRowSet (p_vo, SecurityToken.getInstance());
p_vo.clearParameters(); // re-use of result set p_vo.clearParameters(); // re-use of result set
if (rs == null) if (rs == null)
log.warning("RowSet is null - " + p_vo); log.warning("RowSet is null - " + p_vo);


@ -137,7 +137,7 @@ public class CStatement implements Statement
Server server = CConnection.get().getServer(); Server server = CConnection.get().getServer();
if (server != null) if (server != null)
{ {
ResultSet rs = server.stmt_getRowSet (p_vo, Adempiere.getSecurityToken()); ResultSet rs = server.stmt_getRowSet (p_vo, SecurityToken.getInstance());
if (rs == null) if (rs == null)
log.warning("ResultSet is null - " + p_vo); log.warning("ResultSet is null - " + p_vo);
else else
@ -199,7 +199,7 @@ public class CStatement implements Statement
Server server = CConnection.get().getServer(); Server server = CConnection.get().getServer();
if (server != null) if (server != null)
{ {
int result = server.stmt_executeUpdate(p_vo, Adempiere.getSecurityToken()); int result = server.stmt_executeUpdate(p_vo, SecurityToken.getInstance());
p_vo.clearParameters(); // re-use of result set p_vo.clearParameters(); // re-use of result set
return result; return result;
} }
@ -868,7 +868,7 @@ public class CStatement implements Statement
Server server = CConnection.get().getServer(); Server server = CConnection.get().getServer();
if (server != null) if (server != null)
{ {
RowSet rs = server.stmt_getRowSet (p_vo, Adempiere.getSecurityToken()); RowSet rs = server.stmt_getRowSet (p_vo, SecurityToken.getInstance());
p_vo.clearParameters(); // re-use of result set p_vo.clearParameters(); // re-use of result set
if (rs == null) if (rs == null)
log.warning("RowSet is null - " + p_vo); log.warning("RowSet is null - " + p_vo);


@ -1,8 +1,11 @@
package org.compiere.util; package org.compiere.util;
import java.io.Serializable; import java.io.Serializable;
import java.security.CodeSource;
import java.security.cert.Certificate; import java.security.cert.Certificate;
import org.compiere.Adempiere;
/** /**
* @author Low Heng Sin * @author Low Heng Sin
*/ */
@ -10,20 +13,49 @@ public class SecurityToken implements Serializable {
private Certificate codeCertificate; private Certificate codeCertificate;
private String codeBaseHost; private String codeBaseHost;
private final static SecurityToken TOKEN = SecurityToken.getSecurityToken();
public SecurityToken(Certificate cert, String host) private SecurityToken(Certificate cert, String host)
{ {
codeCertificate = cert; codeCertificate = cert;
codeBaseHost = host; codeBaseHost = host;
} }
public Certificate getCodeCertificate() public final Certificate getCodeCertificate()
{ {
return codeCertificate; return codeCertificate;
} }
public String getCodeBaseHost() public final String getCodeBaseHost()
{ {
return codeBaseHost; return codeBaseHost;
} }
/**
* @return SecurityToken
*/
private static SecurityToken getSecurityToken()
{
Certificate cert = null;
String host = null;
CodeSource cs
= SecurityToken.class.getProtectionDomain().getCodeSource();
if (cs != null)
{
Certificate[] certs = cs.getCertificates();
if (certs != null && certs.length > 0)
cert = certs[0];
}
host = Adempiere.getCodeBaseHost();
return new SecurityToken(cert, host);
}
/**
* Get the client security token for server validation
* @return SecurityToken
*/
public static SecurityToken getInstance()
{
return TOKEN;
}
} }
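Review bot: Making the constructor private does not make the token unforgeable, because the class stays `Serializable` (line 112) and Java deserialization, like reflection, bypasses private constructors, so any client that can reach the server bean can still hand it a SecurityToken carrying whatever `codeCertificate` and `codeBaseHost` it likes. The token therefore only helps if the server side compares `getCodeCertificate()` against its own trusted signing certificate (not merely non-null) and treats the host as advisory; that check is outside this commit, so I would state the contract on the class: `// NOTE: not an authentication credential by itself - deserialization and reflection bypass the private constructor, so the server must verify codeCertificate against its trusted certificate.` Separately, `TOKEN` is built during class initialisation and calls `Adempiere.getCodeBaseHost()`; if that presumably runs before Adempiere has set its code base host, or `getProtectionDomain()` throws a `SecurityException` under a security manager, the cached token is wrong for the JVM's lifetime or every later `getInstance()` fails with `NoClassDefFoundError`. Lazy initialisation inside `getInstance()` (or an explicit initialisation step after Adempiere startup) would avoid that, and the two fields should be `final` with the modifier order `private static final` now that nothing mutates them.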