* [ adempiere-Bugs-1719617 ] Server bean allows remote unauthenticated queries
- Added security token validation for the wan profile. This is on by default; if you need to test the wan profile from your IDE (Eclipse, NetBeans, etc.), you need to manually edit the Adempiere.properties file on the application server and change ServerValidateSecurityToken=xyzY to ServerValidateSecurityToken=xyzN. Next step is to add JAAS authentication, later ...
parent
30f7ea07a6
commit
3d4f4cee2e
@ -19,6 +19,8 @@ package org.compiere;
|
|||
import java.awt.*;
|
||||
import java.io.*;
|
||||
import java.net.*;
|
||||
import java.security.CodeSource;
|
||||
import java.security.cert.Certificate;
|
||||
import java.util.logging.*;
|
||||
import javax.jnlp.*;
|
||||
import javax.swing.*;
|
||||
|
@ -539,6 +541,25 @@ public final class Adempiere
|
|||
} // startupEnvironment
|
||||
|
||||
|
||||
/**
|
||||
* @return SecurityToken
|
||||
*/
|
||||
public static SecurityToken getSecurityToken()
|
||||
{
|
||||
Certificate cert = null;
|
||||
String host = null;
|
||||
CodeSource cs
|
||||
= Adempiere.class.getProtectionDomain().getCodeSource();
|
||||
if (cs != null)
|
||||
{
|
||||
Certificate[] certs = cs.getCertificates();
|
||||
if (certs != null && certs.length > 0)
|
||||
cert = certs[0];
|
||||
}
|
||||
host = Adempiere.getCodeBaseHost();
|
||||
return new SecurityToken(cert, host);
|
||||
}
|
||||
|
||||
/**
|
||||
* Main Method
|
||||
*
|
||||
|
|
|
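Review bot: getSecurityToken() in the second hunk documents only `@return SecurityToken`, so a caller cannot tell that both values it packs may be null: `cert` stays null when the running classes are unsigned (an IDE launch, which is why the description says validation has to be switched off there), and `certs[0]` is presumably the first signer's end-entity certificate rather than a chain, which is worth confirming against the CodeSource contract. Suggest a Javadoc along the lines of `Build the token the server uses to validate this client: the first certificate of this class's code source (null for unsigned code) plus the code-base host; both values are produced by the client itself and only describe where it claims to have been loaded from.` The `String host = null;` declaration is dead since host is assigned unconditionally before use; `String host = Adempiere.getCodeBaseHost();` at the point of use reads cleaner. The enclosing class Adempiere continues outside the hunk.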
@ -36,21 +36,21 @@ public interface Server
|
|||
* @param info Result info
|
||||
* @return RowSet
|
||||
* @throws NotSerializableException */
|
||||
public javax.sql.RowSet pstmt_getRowSet( org.compiere.util.CStatementVO info )
|
||||
public javax.sql.RowSet pstmt_getRowSet( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token )
|
||||
throws java.io.NotSerializableException, java.rmi.RemoteException;
|
||||
|
||||
/**
|
||||
* Get Statement ResultSet
|
||||
* @param info Result info
|
||||
* @return RowSet */
|
||||
public javax.sql.RowSet stmt_getRowSet( org.compiere.util.CStatementVO info )
|
||||
public javax.sql.RowSet stmt_getRowSet( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token )
|
||||
throws java.rmi.RemoteException;
|
||||
|
||||
/**
|
||||
* Execute Update
|
||||
* @param info Result info
|
||||
* @return row count */
|
||||
public int stmt_executeUpdate( org.compiere.util.CStatementVO info )
|
||||
public int stmt_executeUpdate( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token )
|
||||
throws java.rmi.RemoteException;
|
||||
|
||||
/**
|
||||
|
@ -150,7 +150,7 @@ public interface Server
|
|||
* @param displayType display type (i.e. BLOB/CLOB)
|
||||
* @param value the data
|
||||
* @return true if updated */
|
||||
public boolean updateLOB( java.lang.String sql,int displayType,java.lang.Object value )
|
||||
public boolean updateLOB( java.lang.String sql,int displayType,java.lang.Object value,org.compiere.util.SecurityToken token )
|
||||
throws java.rmi.RemoteException;
|
||||
|
||||
/**
|
||||
|
@ -179,7 +179,7 @@ public interface Server
|
|||
* @param procedureName
|
||||
* @param trxName
|
||||
* @return ProcessInfo */
|
||||
public org.compiere.process.ProcessInfo dbProcess( org.compiere.process.ProcessInfo processInfo,java.lang.String procedureName,java.lang.String trxName )
|
||||
public org.compiere.process.ProcessInfo dbProcess( org.compiere.process.ProcessInfo processInfo,java.lang.String procedureName,java.lang.String trxName,org.compiere.util.SecurityToken token )
|
||||
throws java.rmi.RemoteException;
|
||||
|
||||
/**
|
||||
|
|
|
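Review bot: Every changed signature in this section adds a `token` parameter but none of the Javadoc blocks above them gains a matching `@param` — `pstmt_getRowSet`, `stmt_getRowSet`, `stmt_executeUpdate`, `updateLOB` and `dbProcess` — and the same omission repeats in the ServerLocal section. Suggest one line per method such as `@param token caller's security token (code-signing certificate and code-base host), checked by the server before the statement runs`, and stating which exception the server raises when the token is rejected, since the `throws` lists here are unchanged and a rejected token presumably surfaces as a RemoteException rather than a typed error. ServerLocal is presumably the in-container view of the same bean; if the check is only meaningful for remote callers, documenting that the local variant does not validate the token would avoid a false sense of protection.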
@ -34,19 +34,19 @@ public interface ServerLocal
|
|||
* @param info Result info
|
||||
* @return RowSet
|
||||
* @throws NotSerializableException */
|
||||
public javax.sql.RowSet pstmt_getRowSet( org.compiere.util.CStatementVO info ) throws java.io.NotSerializableException;
|
||||
public javax.sql.RowSet pstmt_getRowSet( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token ) throws java.io.NotSerializableException;
|
||||
|
||||
/**
|
||||
* Get Statement ResultSet
|
||||
* @param info Result info
|
||||
* @return RowSet */
|
||||
public javax.sql.RowSet stmt_getRowSet( org.compiere.util.CStatementVO info ) ;
|
||||
public javax.sql.RowSet stmt_getRowSet( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token ) ;
|
||||
|
||||
/**
|
||||
* Execute Update
|
||||
* @param info Result info
|
||||
* @return row count */
|
||||
public int stmt_executeUpdate( org.compiere.util.CStatementVO info ) ;
|
||||
public int stmt_executeUpdate( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token ) ;
|
||||
|
||||
/**
|
||||
* Get next number for Key column = 0 is Error.
|
||||
|
@ -135,7 +135,7 @@ public interface ServerLocal
|
|||
* @param displayType display type (i.e. BLOB/CLOB)
|
||||
* @param value the data
|
||||
* @return true if updated */
|
||||
public boolean updateLOB( java.lang.String sql,int displayType,java.lang.Object value ) ;
|
||||
public boolean updateLOB( java.lang.String sql,int displayType,java.lang.Object value,org.compiere.util.SecurityToken token ) ;
|
||||
|
||||
/**
|
||||
* Describes the instance and its content for debugging purpose
|
||||
|
@ -160,7 +160,7 @@ public interface ServerLocal
|
|||
* @param procedureName
|
||||
* @param trxName
|
||||
* @return ProcessInfo */
|
||||
public org.compiere.process.ProcessInfo dbProcess( org.compiere.process.ProcessInfo processInfo,java.lang.String procedureName,java.lang.String trxName ) ;
|
||||
public org.compiere.process.ProcessInfo dbProcess( org.compiere.process.ProcessInfo processInfo,java.lang.String procedureName,java.lang.String trxName,org.compiere.util.SecurityToken token ) ;
|
||||
|
||||
/**
|
||||
* Load fields meta data from database
|
||||
|
|
|
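Review bot: Widening `catch (SQLException e)` to `catch (Exception e)` in this hunk makes a rejected security token, a RemoteException and a NullPointerException all collapse into `retValue = -1` with no record of which one happened, because the block logs nothing. Suggest recording the cause before returning, e.g. `log.log(Level.SEVERE, "<method name placeholder>", e);` if the class has a CLogger like the other files in this commit (not visible from here), and otherwise at least a comment `// also covers RemoteException/RuntimeException raised by the server token check`. The enclosing method starts outside the hunk.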
@ -675,7 +675,7 @@ public class MTable extends X_AD_Table
|
|||
rs.close();
|
||||
pstmt.close();
|
||||
}
|
||||
catch (SQLException e)
|
||||
catch (Exception e)
|
||||
{
|
||||
retValue = -1;
|
||||
}
|
||||
|
|
|
@ -20,6 +20,8 @@ import java.io.*;
|
|||
import java.rmi.*;
|
||||
import java.sql.*;
|
||||
import java.util.logging.*;
|
||||
|
||||
import org.compiere.Adempiere;
|
||||
import org.compiere.db.*;
|
||||
import org.compiere.interfaces.*;
|
||||
import org.compiere.util.*;
|
||||
|
@ -117,7 +119,7 @@ public class PO_LOB implements Serializable
|
|||
{
|
||||
if (server != null)
|
||||
{ // See ServerBean
|
||||
success = server.updateLOB (sql.toString(), m_displayType, m_value);
|
||||
success = server.updateLOB (sql.toString(), m_displayType, m_value, Adempiere.getSecurityToken());
|
||||
if (CLogMgt.isLevelFinest())
|
||||
log.fine("server => " + success);
|
||||
if (success)
|
||||
|
|
|
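Review bot: `Adempiere.getSecurityToken()` is rebuilt on every server call here, and the same inline call recurs on each changed line of the CPreparedStatement and CStatement sections; the token is derived from the client's own protection domain and code base, which presumably do not change during the process lifetime, so each statement repeats the CodeSource/certificate lookup and allocates a fresh Serializable object. Caching the token once inside Adempiere.getSecurityToken (or in CConnection next to getServer()) would take that work off the query path without changing the wire contract. If the server rejects the token the call presumably throws rather than returning false, so `success` never reflects a rejected token; the surrounding try/catch is outside the hunk, so whether that case is logged is not visible.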
@ -197,8 +197,16 @@ public class CLogErrorBuffer extends Handler
|
|||
)
|
||||
{
|
||||
m_issueError = false;
|
||||
MIssue.create(record);
|
||||
m_issueError = true;
|
||||
try
|
||||
{
|
||||
MIssue.create(record);
|
||||
m_issueError = true;
|
||||
} catch (Throwable e)
|
||||
{
|
||||
//failed to save exception to db, print to console
|
||||
System.err.println(getFormatter().format(record));
|
||||
m_issueError = false;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
|
|
|
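Review bot: The new `catch (Throwable e)` in this hunk prints the log record to System.err but drops `e` itself, so when MIssue.create fails (database unreachable, for instance) nothing says why; `System.err.println("MIssue.create failed: " + e);` next to the existing println would keep the diagnostic. `getFormatter()` on a java.util.logging Handler returns null unless a formatter was set, which would turn the fallback into a NullPointerException inside the catch — guard with a null check or fall back to `record.getMessage()`. After a failure `m_issueError` is left at false; if the `if` condition above the hunk tests that flag, one failed save presumably disables issue reporting for the rest of the session, which deserves a comment either way. Catching Throwable is defensible inside a log handler to avoid recursive logging, but it also swallows errors such as OutOfMemoryError, so a comment should state that this is intended.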
@ -221,6 +221,21 @@ public class CLogger extends Logger implements Serializable
|
|||
s_lastInfo = null;
|
||||
} // resetLast
|
||||
|
||||
/**
|
||||
* Get root cause
|
||||
* @param t
|
||||
* @return Throwable
|
||||
*/
|
||||
public static Throwable getRootCause(Throwable t)
|
||||
{
|
||||
Throwable cause = t;
|
||||
while (cause.getCause() != null)
|
||||
{
|
||||
cause = cause.getCause();
|
||||
}
|
||||
return cause;
|
||||
}
|
||||
|
||||
/**
|
||||
* String Representation
|
||||
* @return info
|
||||
|
|
|
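Review bot: getRootCause in this hunk dereferences `t` without a null check, so `getRootCause(null)` throws NullPointerException at `cause.getCause()`, and the Javadoc `@param t` carries no description. Suggest `if (t == null) return null;` as the first statement, or documenting `@param t throwable to unwrap; must not be null`. A cycle in the cause chain (possible when causes are wired up by hand) would loop here forever; a hop limit or a visited check is one or two lines and matters for a helper that runs inside the logging path.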
@ -23,6 +23,8 @@ import java.sql.*;
|
|||
import java.util.*;
|
||||
import java.util.logging.*;
|
||||
import javax.sql.*;
|
||||
|
||||
import org.compiere.Adempiere;
|
||||
import org.compiere.db.*;
|
||||
import org.compiere.interfaces.*;
|
||||
|
||||
|
@ -122,7 +124,7 @@ public class CPreparedStatement extends CStatement implements PreparedStatement
|
|||
Server server = CConnection.get().getServer();
|
||||
if (server != null)
|
||||
{
|
||||
ResultSet rs = server.pstmt_getRowSet (p_vo);
|
||||
ResultSet rs = server.pstmt_getRowSet (p_vo, Adempiere.getSecurityToken());
|
||||
p_vo.clearParameters(); // re-use of result set
|
||||
if (rs == null)
|
||||
log.warning("ResultSet is null - " + p_vo);
|
||||
|
@ -198,7 +200,7 @@ public class CPreparedStatement extends CStatement implements PreparedStatement
|
|||
Server server = CConnection.get().getServer();
|
||||
if (server != null)
|
||||
{
|
||||
int result = server.stmt_executeUpdate (p_vo);
|
||||
int result = server.stmt_executeUpdate (p_vo, Adempiere.getSecurityToken());
|
||||
p_vo.clearParameters(); // re-use of result set
|
||||
return result;
|
||||
}
|
||||
|
@ -886,7 +888,7 @@ public class CPreparedStatement extends CStatement implements PreparedStatement
|
|||
Server server = CConnection.get().getServer();
|
||||
if (server != null)
|
||||
{
|
||||
RowSet rs = server.pstmt_getRowSet (p_vo);
|
||||
RowSet rs = server.pstmt_getRowSet (p_vo, Adempiere.getSecurityToken());
|
||||
p_vo.clearParameters(); // re-use of result set
|
||||
if (rs == null)
|
||||
log.warning("RowSet is null - " + p_vo);
|
||||
|
|
|
@ -21,6 +21,7 @@ import java.util.logging.*;
|
|||
|
||||
import javax.sql.*;
|
||||
|
||||
import org.compiere.Adempiere;
|
||||
import org.compiere.db.*;
|
||||
import org.compiere.interfaces.*;
|
||||
|
||||
|
@ -136,7 +137,7 @@ public class CStatement implements Statement
|
|||
Server server = CConnection.get().getServer();
|
||||
if (server != null)
|
||||
{
|
||||
ResultSet rs = server.stmt_getRowSet (p_vo);
|
||||
ResultSet rs = server.stmt_getRowSet (p_vo, Adempiere.getSecurityToken());
|
||||
if (rs == null)
|
||||
log.warning("ResultSet is null - " + p_vo);
|
||||
else
|
||||
|
@ -198,7 +199,7 @@ public class CStatement implements Statement
|
|||
Server server = CConnection.get().getServer();
|
||||
if (server != null)
|
||||
{
|
||||
int result = server.stmt_executeUpdate(p_vo);
|
||||
int result = server.stmt_executeUpdate(p_vo, Adempiere.getSecurityToken());
|
||||
p_vo.clearParameters(); // re-use of result set
|
||||
return result;
|
||||
}
|
||||
|
@ -867,7 +868,7 @@ public class CStatement implements Statement
|
|||
Server server = CConnection.get().getServer();
|
||||
if (server != null)
|
||||
{
|
||||
RowSet rs = server.stmt_getRowSet (p_vo);
|
||||
RowSet rs = server.stmt_getRowSet (p_vo, Adempiere.getSecurityToken());
|
||||
p_vo.clearParameters(); // re-use of result set
|
||||
if (rs == null)
|
||||
log.warning("RowSet is null - " + p_vo);
|
||||
|
|
|
@ -17,8 +17,13 @@
|
|||
package org.compiere.util;
|
||||
|
||||
import java.io.*;
|
||||
import java.security.CodeSource;
|
||||
import java.security.ProtectionDomain;
|
||||
import java.security.cert.Certificate;
|
||||
import java.util.*;
|
||||
|
||||
import org.compiere.Adempiere;
|
||||
|
||||
/**
|
||||
* Adempiere Statement Value Object
|
||||
*
|
||||
|
|
|
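Review bot: The four imports added to this block (`java.security.CodeSource`, `java.security.ProtectionDomain`, `java.security.cert.Certificate`, `org.compiere.Adempiere`) have no accompanying code change for this file in the commit, so they read as leftovers from an earlier placement of the token-building logic that ended up in Adempiere.getSecurityToken. If nothing in the rest of the class (presumably CStatementVO) references them, drop them to keep a Serializable value object free of stray security-package dependencies. Only the import hunk is visible, so this is inferred.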
@ -322,7 +322,7 @@ public class Login
|
|||
list.toArray(retValue);
|
||||
log.fine("User=" + app_user + " - roles #" + retValue.length);
|
||||
}
|
||||
catch (SQLException ex)
|
||||
catch (Exception ex)
|
||||
{
|
||||
log.log(Level.SEVERE, sql.toString(), ex);
|
||||
log.saveError("DBLogin", ex);
|
||||
|
|
|
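Review bot: `catch (Exception ex)` replacing `catch (SQLException ex)` in this hunk is logged at SEVERE with the SQL text, which is fine, but it now also routes RuntimeExceptions into `log.saveError("DBLogin", ex)` and reports them to the user as a database login failure. If the intent is to catch what the server raises when the token is rejected, a second catch clause naming that type (a RemoteException, if that is what reaches this point; the call is outside the hunk) keeps programming errors visible, and a one-line comment stating which exception the broadened clause is for would stop a later cleanup from narrowing it back. The MTable section makes the same widening, there without any logging.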
@ -0,0 +1,29 @@
|
|||
package org.compiere.util;
|
||||
|
||||
import java.io.Serializable;
|
||||
import java.security.cert.Certificate;
|
||||
|
||||
/**
|
||||
* @author Low Heng Sin
|
||||
*/
|
||||
public class SecurityToken implements Serializable {
|
||||
|
||||
private Certificate codeCertificate;
|
||||
private String codeBaseHost;
|
||||
|
||||
public SecurityToken(Certificate cert, String host)
|
||||
{
|
||||
codeCertificate = cert;
|
||||
codeBaseHost = host;
|
||||
}
|
||||
|
||||
public Certificate getCodeCertificate()
|
||||
{
|
||||
return codeCertificate;
|
||||
}
|
||||
|
||||
public String getCodeBaseHost()
|
||||
{
|
||||
return codeBaseHost;
|
||||
}
|
||||
}
|
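Review bot: SecurityToken implements Serializable and travels over RMI between client and server builds, but declares no `serialVersionUID`, so any recompilation that changes the default computed UID makes every client call fail with InvalidClassException; add `private static final long serialVersionUID = 1L;` (constructed value). The two fields are written only in the constructor, so `private final Certificate codeCertificate;` and `private final String codeBaseHost;` would document the immutability a token object should have. The class Javadoc carries only an author tag; it should say what the token is and is not: a self-description of the client's code source (first code-signing certificate, possibly null for unsigned code, and code-base host) that the server compares against its expectations — it is presented by the caller, so the receiving side must treat both fields as untrusted input and must not rely on it as authentication, which the commit message already flags as the JAAS follow-up.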