* [ adempiere-Bugs-1719617 ] Server bean allows remote unauthenticated queries

- Added security token validation for wan profile. This is on by default, if you need to test the wan profile from your IDE ( Eclipse , Netbean, etc ), you need to manually edit the Adempiere.properties file on the application server, and change ServerValidateSecurityToken=xyzY to ServerValidateSecurityToken=xyzN - Next step is to add JAAS authentication, later ...
2007-05-21 05:01:59 +00:00 · 2007-05-21 05:01:59 +00:00 · 9d23f98c76
parent 3d4f4cee2e
commit 9d23f98c76
2 changed files with 19 additions and 6 deletions
--- a/client/src/org/compiere/apps/ALogin.java
+++ b/client/src/org/compiere/apps/ALogin.java
@ -603,15 +603,26 @@ public final class ALogin extends CDialog

 		//  Get Roles
 		m_login = new Login(m_ctx);
-		KeyNamePair[] roles = m_login.getRoles(m_user, m_pwd);
-		if (roles == null || roles.length == 0)
+		KeyNamePair[] roles = null;
+		try 
 		{
-			statusBar.setStatusLine(txt_UserPwdError, true);
-			userTextField.setBackground(AdempierePLAF.getFieldBackground_Error());
-			passwordField.setBackground(AdempierePLAF.getFieldBackground_Error());
+			roles = m_login.getRoles(m_user, m_pwd);
+			if (roles == null || roles.length == 0)
+			{
+				statusBar.setStatusLine(txt_UserPwdError, true);
+				userTextField.setBackground(AdempierePLAF.getFieldBackground_Error());
+				passwordField.setBackground(AdempierePLAF.getFieldBackground_Error());
+				return false;
+			}
+		}
+		catch (Throwable e)
+		{
+			log.severe(CLogger.getRootCause(e).getLocalizedMessage());
+			statusBar.setStatusLine(CLogger.getRootCause(e).getLocalizedMessage(), true);
 			return false;
 		}
 		
+		
 		//	Delete existing role items
 		m_comboActive = true;
 		if (roleCombo.getItemCount() > 0)
--- a/client/src/org/compiere/apps/ProcessCtl.java
+++ b/client/src/org/compiere/apps/ProcessCtl.java
@ -23,6 +23,8 @@ import java.rmi.*;
 import java.sql.*;
 import java.util.logging.*;
 import javax.swing.*;
+
+import org.compiere.Adempiere;
 import org.compiere.db.*;
 import org.compiere.interfaces.*;
 import org.compiere.model.*;
@ -593,7 +595,7 @@ public class ProcessCtl extends Thread
 			{
 				if (server != null)
 				{	//	See ServerBean
-					m_pi = server.dbProcess(m_pi, ProcedureName, trxName);
+					m_pi = server.dbProcess(m_pi, ProcedureName, trxName, Adempiere.getSecurityToken());
 					log.finest("server => " + m_pi);
 					started = true;		
 				}