* [ adempiere-Bugs-1719617 ] Server bean allows remote unauthenticated queries

- Implemented jaas authentication for server bean
This commit is contained in:
Heng Sin Low 2007-05-25 06:47:28 +00:00
parent e92cd37435
commit 899c9e0042
6 changed files with 122 additions and 5 deletions

View File

@ -7,5 +7,6 @@
<classpathentry kind="src" path="/tools"/>
<classpathentry kind="src" path="/base"/>
<classpathentry combineaccessrules="false" kind="src" path="/looks"/>
<classpathentry kind="lib" path="/lib/jboss.jar"/>
<classpathentry kind="output" path="build/classes"/>
</classpath>

View File

@ -54,6 +54,8 @@
<pathelement location="${xdoclet.home}/lib/xdoclet-ejb-module-1.2.3.jar" />
<pathelement location="${xdoclet.home}/lib/xjavadoc-1.1.jar" />
<pathelement location="${xdoclet.home}/lib/xdoclet-xdoclet-module-1.2.3.jar" />
<pathelement location="${xdoclet.home}/lib/xdoclet-jboss-module-1.2.3.jar" />
<pathelement location="${xdoclet.home}/lib/xdoclet-jmx-module-1.2.3.jar" />
<pathelement location="${xdoclet.home}/lib/commons-collections-3.1.jar" />
</path>
@ -100,6 +102,9 @@
<localinterface/>
<localhomeinterface/>
<remoteinterface/>
<jboss
securityDomain="java:/jaas/adempiere"
destdir="${build.dir}/META-INF"/>
<deploymentdescriptor destdir="${build.dir}/META-INF"/>
</ejbdoclet>
</target>

View File

@ -0,0 +1,95 @@
package org.compiere.session;
import java.io.IOException;
import java.security.Identity;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.compiere.util.Env;
import org.compiere.util.KeyNamePair;
import org.compiere.util.Login;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
public class AdempiereLoginModule implements LoginModule {
private String unauthenticatedIdentity;
private CallbackHandler handler;
private Subject subject;
private KeyNamePair[] roles;
private String name;
public boolean abort() throws LoginException {
roles = null;
name = null;
return false;
}
public boolean commit() throws LoginException {
if (roles == null || roles.length == 0)
{
subject.getPrincipals().add(new SimplePrincipal(unauthenticatedIdentity));
SimpleGroup roleGroup = new SimpleGroup("Roles");
subject.getPrincipals().add(roleGroup);
}
else
{
subject.getPrincipals().add(new SimplePrincipal(name));
SimpleGroup roleGroup = new SimpleGroup("Roles");
roleGroup.addMember(new SimplePrincipal("adempiereUsers"));
for(int i = 0; i < roles.length; i++)
{
roleGroup.addMember(new SimplePrincipal(roles[i].getName()));
}
subject.getPrincipals().add(roleGroup);
}
return true;
}
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map<String, ?> sharedState, Map<String, ?> options) {
unauthenticatedIdentity = (String)options.get("unauthenticatedIdentity");
handler = callbackHandler;
this.subject = subject;
}
public boolean login() throws LoginException {
Callback callbacks[] = new Callback[]{new NameCallback("Login:"), new PasswordCallback("Password:", false)};
try {
handler.handle(callbacks);
} catch (IOException e) {
} catch (UnsupportedCallbackException e) {
}
name = ((NameCallback)callbacks[0]).getName();
char[] pass = ((PasswordCallback)callbacks[1]).getPassword();
String passwd = pass != null ? new String(pass) : null;
if (name != null && passwd != null)
{
Login login = new Login(Env.getCtx());
roles = login.getRoles(name, passwd);
}
else
{
roles = null;
}
return true;
}
public boolean logout() throws LoginException {
roles = null;
name = null;
return true;
}
}

View File

@ -52,6 +52,8 @@ import org.compiere.wf.*;
* view-type="local"
* ref-name="adempiere/ServerLocal"
*
* @ejb.permission role-name="adempiereUsers"
*
* @author Jorg Janke
* @version $Id: ServerBean.java,v 1.3 2006/07/30 00:53:33 jjanke Exp $
* @author Low Heng Sin
@ -134,6 +136,7 @@ public class ServerBean implements SessionBean
{
validateSecurityToken(token);
//log.finer(m_Context.getCallerPrincipal().getName() + " - " + info.getSql());
log.finer("[" + m_no + "]");
m_stmt_rowSetCount++;
@ -153,6 +156,7 @@ public class ServerBean implements SessionBean
{
validateSecurityToken(token);
//log.finer(m_Context.getCallerPrincipal().getName() + " - " + info.getSql());
log.finer("[" + m_no + "]");
m_stmt_rowSetCount++;
CStatement stmt = new CStatement(info);
@ -171,6 +175,7 @@ public class ServerBean implements SessionBean
{
validateSecurityToken(token);
//log.finer(m_Context.getCallerPrincipal().getName() + " - " + info.getSql());
log.finer("[" + m_no + "]");
m_stmt_updateCount++;
if (info.getParameterCount() == 0)
@ -527,6 +532,7 @@ public class ServerBean implements SessionBean
/**************************************************************************
* Describes the instance and its content for debugging purpose
* @ejb.interface-method view-type="both"
* @ejb.permission unchecked="true"
* @return Debugging information about the instance and its content
*/
public String getStatus()
@ -658,6 +664,18 @@ public class ServerBean implements SessionBean
return gridTabVO.getFields();
}
/**
* Get table id from ad_table by table name
* @ejb.interface-method view-type="both"
* @ejb.permission unchecked="true"
* @param tableName
* @return tableName
*/
public int getTableID(String tableName)
{
return MTable.getTable_ID(tableName);
}
/**
* String Representation
* @return info
@ -673,6 +691,7 @@ public class ServerBean implements SessionBean
* @throws EJBException
* @throws CreateException
* @ejb.create-method view-type="both"
* @ejb.permission unchecked="true"
*/
public void ejbCreate() throws EJBException, CreateException
{
@ -680,7 +699,7 @@ public class ServerBean implements SessionBean
try
{
if (!Adempiere.startup(false))
throw new CreateException("Compiere could not start");
throw new CreateException("Adempiere could not start");
}
catch (Exception ex)
{

View File

@ -41,6 +41,7 @@ import org.compiere.util.*;
* @ejb.ejb-ref ejb-name="adempiere/Status"
* view-type="local"
* ref-name="adempiere/StatusLocal"
* @ejb.permission unchecked="true"
*
* @author Jorg Janke
* @version $Id: StatusBean.java,v 1.3 2006/07/30 00:53:33 jjanke Exp $

View File

@ -14,20 +14,16 @@
<pathelement location="C:/Adempiere/adempiere-all2/tools/lib/activation.jar"/>
<pathelement location="C:/Adempiere/adempiere-all2/tools/lib/standard.jar"/>
<pathelement location="C:/Adempiere/adempiere-all2/tools/lib/ocrs12.jar"/>
<pathelement location="C:/Adempiere/adempiere-all2/dbPort/lib"/>
<pathelement location="C:/Adempiere/adempiere-all2/jboss/client/jbossall-client.jar"/>
<pathelement location="C:/Adempiere/adempiere-all2/jboss/server/adempiere/lib/javax.servlet.jar"/>
<pathelement location="C:/Adempiere/adempiere-all2/jboss/lib/jboss-jmx.jar"/>
<pathelement location="C:/Adempiere/adempiere-all2/jboss/lib/jboss-system.jar"/>
<pathelement location="C:/Adempiere/adempiere-all2/lib/oracle.jar"/>
<pathelement location="C:/eclipse/plugins/org.junit_3.8.1/junit.jar"/>
<pathelement location="C:/Adempiere/adempiere-all2/interfaces/Interfaces.jar"/>
<pathelement location="C:/Adempiere/adempiere-all2/lib/postgresql.jar"/>
<pathelement location="C:/Adempiere/adempiere-all2/server/lib"/>
<pathelement location="C:/Adempiere/adempiere-all2/base/lib"/>
<pathelement location="C:/Adempiere/adempiere-all2/print/lib"/>
<pathelement location="C:/Adempiere/adempiere-all2/lib/jPDFPrinterDemo.jar"/>
<pathelement location="C:/Adempiere/adempiere-all2/interfaces/classes"/>
<fileset dir="C:/eclipse/plugins/org.jboss.ide.eclipse.xdoclet.core_1.2.130/">
<include name="*.jar"/>