* [ adempiere-Bugs-1719617 ] Server bean allows remote unauthenticated queries

- Implemented jaas authentication for server bean

base/src/org/compiere/db/CConnection.java

@@ -27,6 +27,8 @@ import javax.swing.JOptionPane;
 import org.compiere.*;
 import org.compiere.interfaces.*;
 import org.compiere.util.*;
+import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SimplePrincipal;
 
 /**
  *  Adempiere Connection Descriptor
@@ -236,6 +238,11 @@ public class CConnection implements Serializable
 	/** Had application server been query **/
 	private boolean m_queryAppsServer = false;
 
+	/** application server authentication principal **/
+	private String m_principal = null;
+	/** application server authentication password **/
+	private String m_credential = null;
+	
 	
 	/*************************************************************************
 	 *  Get Name
@@ -1408,7 +1415,7 @@ public class CConnection implements Serializable
 
 		//	Set Environment
 		if (m_env == null || !useCache)
-			m_env = getInitialEnvironment(getAppsHost(), getAppsPort(), isRMIoverHTTP());
+			m_env = getInitialEnvironment(getAppsHost(), getAppsPort(), isRMIoverHTTP(), m_principal, m_credential);
 		String connect = (String)m_env.get(Context.PROVIDER_URL);
 		Env.setContext(Env.getCtx(), Context.PROVIDER_URL, connect);
 
@@ -1433,15 +1440,23 @@ public class CConnection implements Serializable
 		return m_iContext;
 	}	//	getInitialContext
 
+	public static Hashtable getInitialEnvironment (String AppsHost, int AppsPort,
+			boolean RMIoverHTTP)
+	{
+		return getInitialEnvironment(AppsHost, AppsPort, RMIoverHTTP, null, null);
+	}
+	
 	/**
 	 * 	Get Initial Environment
 	 * 	@param AppsHost host
 	 * 	@param AppsPort port
 	 * 	@param RMIoverHTTP true if tunnel through HTTP
+	 *  @param principal
+	 *  @param credential
 	 *	@return environment
 	 */
 	public static Hashtable getInitialEnvironment (String AppsHost, int AppsPort,
-		boolean RMIoverHTTP)
+		boolean RMIoverHTTP, String principal, String credential)
 	{
 		//	Set Environment
 		Hashtable<String,String> env = new Hashtable<String,String>();
@@ -1467,6 +1482,18 @@ public class CConnection implements Serializable
 		env.put (org.jnp.interfaces.TimedSocketFactory.JNP_SO_TIMEOUT, "5000");
 		//	JNP - default timeout 5 sec
 		env.put(org.jnp.interfaces.NamingContext.JNP_DISCOVERY_TIMEOUT, "5000");
+		
+		if (principal != null && credential != null)
+		{
+			SecurityAssociation.setPrincipal(new SimplePrincipal(principal));
+			SecurityAssociation.setCredential(credential);
+		}
+		else
+		{
+			SecurityAssociation.setPrincipal(null);
+			SecurityAssociation.setCredential(null);
+		}
+		
 		return env;
 	}	//	getInitialEnvironment
 
@@ -1643,6 +1670,14 @@ public class CConnection implements Serializable
 		return "<?" + transactionIsolation + "?>";
 	}	//	getTransactionIsolationInfo
 	
+	public void setAppServerCredential(String principal, String credential)
+	{
+		m_principal = principal;
+		m_credential = credential;
+		m_iContext = null;
+		m_env = null;
+		m_server = null;
+	}
 
 	/**************************************************************************
 	 *  Testing

base/src/org/compiere/interfaces/Server.java

@@ -193,4 +193,11 @@ public interface Server
    public java.util.ArrayList getFields( org.compiere.model.GridTabVO gridTabVO )
       throws java.rmi.RemoteException;
 
+   /**
+    * Get table id from ad_table by table name
+    * @param tableName
+    * @return tableName    */
+   public int getTableID( java.lang.String tableName )
+      throws java.rmi.RemoteException;
+
 }

base/src/org/compiere/interfaces/ServerLocal.java

@@ -172,4 +172,10 @@ public interface ServerLocal
     * @return ArrayList    */
    public java.util.ArrayList getFields( org.compiere.model.GridTabVO gridTabVO ) ;
 
+   /**
+    * Get table id from ad_table by table name
+    * @param tableName
+    * @return tableName    */
+   public int getTableID( java.lang.String tableName ) ;
+
 }

base/src/org/compiere/model/MTable.java

@@ -21,6 +21,9 @@ import java.lang.reflect.*;
 import java.sql.*;
 import java.util.*;
 import java.util.logging.*;
+
+import org.compiere.db.CConnection;
+import org.compiere.interfaces.Server;
 import org.compiere.util.*;
 
 /**
@@ -667,13 +670,21 @@ public class MTable extends X_AD_Table
 		String SQL = "SELECT AD_Table_ID FROM AD_Table WHERE tablename = ?";
 		try
 		{
-			PreparedStatement pstmt = DB.prepareStatement(SQL, null);
+			if (DB.isRemoteObjects()) 
-			pstmt.setString(1, tableName);
+			{
-			ResultSet rs = pstmt.executeQuery();
+				Server server = CConnection.get().getServer();
-			if (rs.next())
+				retValue = server.getTableID(tableName);
-				retValue = rs.getInt(1);
+			}
-			rs.close();
+			else
-			pstmt.close();
+			{
+				PreparedStatement pstmt = DB.prepareStatement(SQL, null);
+				pstmt.setString(1, tableName);
+				ResultSet rs = pstmt.executeQuery();
+				if (rs.next())
+					retValue = rs.getInt(1);
+				rs.close();
+				pstmt.close();
+			}
 		}
 		catch (Exception e)
 		{

base/src/org/compiere/util/Env.java

@@ -85,6 +85,8 @@ public final class Env
 		//
 		reset(true);	// final cache reset
 		//
+		
+		CConnection.get().setAppServerCredential(null, null);
 	}
 	
 	/**

base/src/org/compiere/util/Login.java

@@ -216,7 +216,9 @@ public class Login
 		}
 
 		//	Authentification
-		boolean authenticated = false;
+		boolean authenticated = false;
+		if (Ini.isClient())
+			CConnection.get().setAppServerCredential(app_user, app_pwd);
 		MSystem system = MSystem.get(m_ctx);
 		if (system == null)
 			throw new IllegalStateException("No System Info");
@@ -286,21 +288,24 @@ public class Login
 			Env.setContext(m_ctx, "#AD_User_Name", app_user);
 			Env.setContext(m_ctx, "#AD_User_ID", rs.getInt(1));
 			Env.setContext(m_ctx, "#SalesRep_ID", rs.getInt(1));
-			//
+			//
-			Ini.setProperty(Ini.P_UID, app_user);
+			if (Ini.isClient())
-			if (Ini.isPropertyBool(Ini.P_STORE_PWD))
-				Ini.setProperty(Ini.P_PWD, app_pwd);
-			
-			m_connectionProfile = rs.getString(4);		//	User Based
-			if (m_connectionProfile != null)
 			{
-				CConnection cc = CConnection.get();
+				Ini.setProperty(Ini.P_UID, app_user);
-				if (!cc.getConnectionProfile().equals(m_connectionProfile))
+				if (Ini.isPropertyBool(Ini.P_STORE_PWD))
+					Ini.setProperty(Ini.P_PWD, app_pwd);
+				
+				m_connectionProfile = rs.getString(4);		//	User Based
+				if (m_connectionProfile != null)
 				{
-					cc.setConnectionProfile(m_connectionProfile);
+					CConnection cc = CConnection.get();
-					Ini.setProperty(Ini.P_CONNECTION, cc.toStringLong());
+					if (!cc.getConnectionProfile().equals(m_connectionProfile))
-					Ini.saveProperties(false);
+					{
-				}
+						cc.setConnectionProfile(m_connectionProfile);
+						Ini.setProperty(Ini.P_CONNECTION, cc.toStringLong());
+						Ini.saveProperties(false);
+					}
+				}
 			}
 
 			do	//	read all roles