From 3d4f4cee2ece24079878ac914622852c4c4f99ec Mon Sep 17 00:00:00 2001 From: Heng Sin Low Date: Mon, 21 May 2007 04:59:54 +0000 Subject: [PATCH] * [ adempiere-Bugs-1719617 ] Server bean allows remote unauthenticated queries - Added security token validation for wan profile. This is on by default, if you need to test the wan profile from your IDE ( Eclipse , Netbean, etc ), you need to manually edit the Adempiere.properties file on the application server, and change ServerValidateSecurityToken=xyzY to ServerValidateSecurityToken=xyzN - Next step is to add JAAS authentication, later ... --- base/src/org/compiere/Adempiere.java | 21 ++++++++++++++ base/src/org/compiere/interfaces/Server.java | 10 +++---- .../org/compiere/interfaces/ServerLocal.java | 10 +++---- base/src/org/compiere/model/MTable.java | 2 +- base/src/org/compiere/model/PO_LOB.java | 4 ++- .../org/compiere/util/CLogErrorBuffer.java | 12 ++++++-- base/src/org/compiere/util/CLogger.java | 15 ++++++++++ .../org/compiere/util/CPreparedStatement.java | 8 +++-- base/src/org/compiere/util/CStatement.java | 7 +++-- base/src/org/compiere/util/CStatementVO.java | 5 ++++ base/src/org/compiere/util/Login.java | 2 +- base/src/org/compiere/util/SecurityToken.java | 29 +++++++++++++++++++ 12 files changed, 104 insertions(+), 21 deletions(-) create mode 100644 base/src/org/compiere/util/SecurityToken.java diff --git a/base/src/org/compiere/Adempiere.java b/base/src/org/compiere/Adempiere.java index bff151ca44..65fe96abfc 100644 --- a/base/src/org/compiere/Adempiere.java +++ b/base/src/org/compiere/Adempiere.java @@ -19,6 +19,8 @@ package org.compiere; import java.awt.*; import java.io.*; import java.net.*; +import java.security.CodeSource; +import java.security.cert.Certificate; import java.util.logging.*; import javax.jnlp.*; import javax.swing.*; 
@@ -539,6 +541,25 @@ public final class Adempiere } // startupEnvironment + /** + * @return SecurityToken + */ + public static SecurityToken getSecurityToken() + { + Certificate cert = null; + String host = null; + CodeSource cs + = Adempiere.class.getProtectionDomain().getCodeSource(); + if (cs != null) + { + Certificate[] certs = cs.getCertificates(); + if (certs != null && certs.length > 0) + cert = certs[0]; + } + host = Adempiere.getCodeBaseHost(); + return new SecurityToken(cert, host); + } + /** * Main Method * diff --git a/base/src/org/compiere/interfaces/Server.java b/base/src/org/compiere/interfaces/Server.java index d694f37bd0..23b8cf03d1 100644 --- a/base/src/org/compiere/interfaces/Server.java +++ b/base/src/org/compiere/interfaces/Server.java @@ -36,21 +36,21 @@ public interface Server * @param info Result info * @return RowSet * @throws NotSerializableException */ - public javax.sql.RowSet pstmt_getRowSet( org.compiere.util.CStatementVO info ) + public javax.sql.RowSet pstmt_getRowSet( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token ) throws java.io.NotSerializableException, java.rmi.RemoteException; /** * Get Statement ResultSet * @param info Result info * @return RowSet */ - public javax.sql.RowSet stmt_getRowSet( org.compiere.util.CStatementVO info ) + public javax.sql.RowSet stmt_getRowSet( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token ) throws java.rmi.RemoteException; /** * Execute Update * @param info Result info * @return row count */ - public int stmt_executeUpdate( org.compiere.util.CStatementVO info ) + public int stmt_executeUpdate( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token ) throws java.rmi.RemoteException; /** 
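Review bot: The bare `@return SecurityToken` Javadoc on `getSecurityToken()` says nothing about the two cases that leave the token empty, which are exactly what the commit message's `ServerValidateSecurityToken=xyzN` workaround exists for: `cert` stays null when the code source carries no signer (unsigned jar, or the class loaded from a directory in an IDE), and only `certs[0]`, the first signer, is ever used. A maintainer needs that spelled out, e.g. `@return token holding the first signer certificate of this class's code source (null when unsigned or run from an IDE) and the code-base host; the server rejects calls when validation is on and these do not match`. The token is also rebuilt from the ProtectionDomain on every call, and every CStatement/CPreparedStatement round trip in this commit calls it; nothing in it changes after class load, so computing it once into a `private static final SecurityToken` and returning that is equivalent and cheaper. `getCodeBaseHost()` is not part of this diff, so whether `host` can be null is not visible here.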
@@ -150,7 +150,7 @@ public interface Server * @param displayType display type (i.e. BLOB/CLOB) * @param value the data * @return true if updated */ - public boolean updateLOB( java.lang.String sql,int displayType,java.lang.Object value ) + public boolean updateLOB( java.lang.String sql,int displayType,java.lang.Object value,org.compiere.util.SecurityToken token ) throws java.rmi.RemoteException; /** @@ -179,7 +179,7 @@ public interface Server * @param procedureName * @param trxName * @return ProcessInfo */ - public org.compiere.process.ProcessInfo dbProcess( org.compiere.process.ProcessInfo processInfo,java.lang.String procedureName,java.lang.String trxName ) + public org.compiere.process.ProcessInfo dbProcess( org.compiere.process.ProcessInfo processInfo,java.lang.String procedureName,java.lang.String trxName,org.compiere.util.SecurityToken token ) throws java.rmi.RemoteException; /** diff --git a/base/src/org/compiere/interfaces/ServerLocal.java b/base/src/org/compiere/interfaces/ServerLocal.java index 36ae556801..d1129f6748 100644 --- a/base/src/org/compiere/interfaces/ServerLocal.java +++ b/base/src/org/compiere/interfaces/ServerLocal.java 
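Review bot: None of the five changed signatures in this interface documents the new parameter — each Javadoc still lists only `@param info Result info` (or the sql/displayType/value and processInfo parameters) and nothing for `token` — and nothing states what the server does when the token is rejected. Add ` * @param token security token of the calling client (see Adempiere.getSecurityToken); checked server-side when ServerValidateSecurityToken is enabled` to each method, and document the failure mode (throws, or returns null/-1) once it is settled; ServerBean is not in this diff, so I cannot state it here. MTable and Login widen their catch to `Exception` in this same commit, which suggests an unchecked exception is thrown on rejection; a declared `@throws` on the remote interface would make that contract explicit for callers.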
@@ -34,19 +34,19 @@ public interface ServerLocal * @param info Result info * @return RowSet * @throws NotSerializableException */ - public javax.sql.RowSet pstmt_getRowSet( org.compiere.util.CStatementVO info ) throws java.io.NotSerializableException; + public javax.sql.RowSet pstmt_getRowSet( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token ) throws java.io.NotSerializableException; /** * Get Statement ResultSet * @param info Result info * @return RowSet */ - public javax.sql.RowSet stmt_getRowSet( org.compiere.util.CStatementVO info ) ; + public javax.sql.RowSet stmt_getRowSet( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token ) ; /** * Execute Update * @param info Result info * @return row count */ - public int stmt_executeUpdate( org.compiere.util.CStatementVO info ) ; + public int stmt_executeUpdate( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token ) ; /** * Get next number for Key column = 0 is Error. @@ -135,7 +135,7 @@ public interface ServerLocal * @param displayType display type (i.e. BLOB/CLOB) * @param value the data * @return true if updated */ - public boolean updateLOB( java.lang.String sql,int displayType,java.lang.Object value ) ; + public boolean updateLOB( java.lang.String sql,int displayType,java.lang.Object value,org.compiere.util.SecurityToken token ) ; /** * Describes the instance and its content for debugging purpose @@ -160,7 +160,7 @@ public interface ServerLocal * @param procedureName * @param trxName * @return ProcessInfo */ - public org.compiere.process.ProcessInfo dbProcess( org.compiere.process.ProcessInfo processInfo,java.lang.String procedureName,java.lang.String trxName ) ; + public org.compiere.process.ProcessInfo dbProcess( org.compiere.process.ProcessInfo processInfo,java.lang.String procedureName,java.lang.String trxName,org.compiere.util.SecurityToken token ) ; /** * Load fields meta data from database 
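Review bot: Only the three statement methods plus `updateLOB` and `dbProcess` gain a `SecurityToken`; the context lines of this same file show other bean entry points — `Get next number for Key column` and `Load fields meta data from database` — keeping their original signatures, so the bean stays callable without any token on those paths (the rest of the interface lies outside the hunks, so there may be more). If the intent is that every remote entry point be gated, those need the parameter too, or the check belongs in a single server-side interceptor rather than a per-method argument that is easy to forget on the next method added. Until then a comment on the interface stating which methods are token-gated and why the others are not, e.g. `// token-gated: pstmt_getRowSet, stmt_getRowSet, stmt_executeUpdate, updateLOB, dbProcess`, would keep the gap visible.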
diff --git a/base/src/org/compiere/model/MTable.java b/base/src/org/compiere/model/MTable.java index c0a264d862..9099317402 100644 --- a/base/src/org/compiere/model/MTable.java +++ b/base/src/org/compiere/model/MTable.java @@ -675,7 +675,7 @@ public class MTable extends X_AD_Table rs.close(); pstmt.close(); } - catch (SQLException e) + catch (Exception e) { retValue = -1; } diff --git a/base/src/org/compiere/model/PO_LOB.java b/base/src/org/compiere/model/PO_LOB.java index 0bfec127d6..4c7700c1c2 100644 --- a/base/src/org/compiere/model/PO_LOB.java +++ b/base/src/org/compiere/model/PO_LOB.java @@ -20,6 +20,8 @@ import java.io.*; import java.rmi.*; import java.sql.*; import java.util.logging.*; + +import org.compiere.Adempiere; import org.compiere.db.*; import org.compiere.interfaces.*; import org.compiere.util.*; @@ -117,7 +119,7 @@ public class PO_LOB implements Serializable { if (server != null) { // See ServerBean - success = server.updateLOB (sql.toString(), m_displayType, m_value); + success = server.updateLOB (sql.toString(), m_displayType, m_value, Adempiere.getSecurityToken()); if (CLogMgt.isLevelFinest()) log.fine("server => " + success); if (success) diff --git a/base/src/org/compiere/util/CLogErrorBuffer.java b/base/src/org/compiere/util/CLogErrorBuffer.java index 04af09be66..f01652fe4d 100644 --- a/base/src/org/compiere/util/CLogErrorBuffer.java +++ b/base/src/org/compiere/util/CLogErrorBuffer.java @@ -197,8 +197,16 @@ public class CLogErrorBuffer extends Handler ) { m_issueError = false; - MIssue.create(record); - m_issueError = true; + try + { + MIssue.create(record); + m_issueError = true; + } catch (Throwable e) + { + //failed to save exception to db, print to console + System.err.println(getFormatter().format(record)); + m_issueError = false; + } } else { diff --git a/base/src/org/compiere/util/CLogger.java b/base/src/org/compiere/util/CLogger.java index 35fe52dee7..5e27fef50f 100644 --- a/base/src/org/compiere/util/CLogger.java 
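Review bot: Widening to `catch (Exception e)` with only `retValue = -1;` in the body now hides every failure — including, presumably, a server-side rejection of the new security token, which looks like the reason `SQLException` was no longer enough — behind the same -1 that means "no such table". The Login hunk in this commit logs before giving up; this one should too, e.g. `log.log(Level.SEVERE, "table lookup failed", e);` before `retValue = -1;`, assuming this class has the `log` field that the Login code uses (the enclosing method starts and ends outside the hunk). A one-line comment on why the catch is broader than `SQLException` — `// server may reject the security token with a RuntimeException` — would also stop someone narrowing it back later.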
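Review bot: The fallback in the new `catch (Throwable e)` of CLogErrorBuffer calls `getFormatter().format(record)`, and `java.util.logging.Handler.getFormatter()` returns null when no formatter has been set, so unless the constructor (outside this hunk) installs one, the fallback itself throws NullPointerException from inside the catch that was meant to be the last resort. Guard it: `Formatter f = getFormatter(); System.err.println(f != null ? f.format(record) : String.valueOf(record.getMessage()));`. Catching `Throwable` also swallows `Error`s such as OutOfMemoryError — defensible for a log handler that must never throw, but the comment should say so, and should note that `e` is deliberately not routed back through this handler (the `m_issueError = false` reset looks like a re-entrancy guard, as far as the hunk shows). The enclosing method starts and ends outside the hunk.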
+++ b/base/src/org/compiere/util/CLogger.java @@ -221,6 +221,21 @@ public class CLogger extends Logger implements Serializable s_lastInfo = null; } // resetLast + /** + * Get root cause + * @param t + * @return Throwable + */ + public static Throwable getRootCause(Throwable t) + { + Throwable cause = t; + while (cause.getCause() != null) + { + cause = cause.getCause(); + } + return cause; + } + /** * String Representation * @return info diff --git a/base/src/org/compiere/util/CPreparedStatement.java b/base/src/org/compiere/util/CPreparedStatement.java index 8a3aefa72e..e85fdd3374 100644 --- a/base/src/org/compiere/util/CPreparedStatement.java +++ b/base/src/org/compiere/util/CPreparedStatement.java @@ -23,6 +23,8 @@ import java.sql.*; import java.util.*; import java.util.logging.*; import javax.sql.*; + +import org.compiere.Adempiere; import org.compiere.db.*; import org.compiere.interfaces.*; @@ -122,7 +124,7 @@ public class CPreparedStatement extends CStatement implements PreparedStatement Server server = CConnection.get().getServer(); if (server != null) { - ResultSet rs = server.pstmt_getRowSet (p_vo); + ResultSet rs = server.pstmt_getRowSet (p_vo, Adempiere.getSecurityToken()); p_vo.clearParameters(); // re-use of result set if (rs == null) log.warning("ResultSet is null - " + p_vo); @@ -198,7 +200,7 @@ public class CPreparedStatement extends CStatement implements PreparedStatement Server server = CConnection.get().getServer(); if (server != null) { - int result = server.stmt_executeUpdate (p_vo); + int result = server.stmt_executeUpdate (p_vo, Adempiere.getSecurityToken()); p_vo.clearParameters(); // re-use of result set return result; } 
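Review bot: `getRootCause` dereferences `t` immediately at `cause.getCause()`, so a null argument throws NullPointerException rather than returning null, and the bare `@param t` Javadoc does not say whether null is permitted. Add `if (t == null) return null;` as the first statement and document the contract: ` * @param t throwable to unwrap, may be null` and ` * @return the deepest non-null cause, t itself if it has none, null for null input`. `Throwable.getCause()` already returns null for a self-referencing cause, so the loop cannot spin on that case; a genuine cycle between two distinct throwables would, but that is rare enough to leave alone.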
@@ -886,7 +888,7 @@ public class CPreparedStatement extends CStatement implements PreparedStatement Server server = CConnection.get().getServer(); if (server != null) { - RowSet rs = server.pstmt_getRowSet (p_vo); + RowSet rs = server.pstmt_getRowSet (p_vo, Adempiere.getSecurityToken()); p_vo.clearParameters(); // re-use of result set if (rs == null) log.warning("RowSet is null - " + p_vo); diff --git a/base/src/org/compiere/util/CStatement.java b/base/src/org/compiere/util/CStatement.java index 1294bd2a8d..750439123b 100644 --- a/base/src/org/compiere/util/CStatement.java +++ b/base/src/org/compiere/util/CStatement.java @@ -21,6 +21,7 @@ import java.util.logging.*; import javax.sql.*; +import org.compiere.Adempiere; import org.compiere.db.*; import org.compiere.interfaces.*; @@ -136,7 +137,7 @@ public class CStatement implements Statement Server server = CConnection.get().getServer(); if (server != null) { - ResultSet rs = server.stmt_getRowSet (p_vo); + ResultSet rs = server.stmt_getRowSet (p_vo, Adempiere.getSecurityToken()); if (rs == null) log.warning("ResultSet is null - " + p_vo); else @@ -198,7 +199,7 @@ public class CStatement implements Statement Server server = CConnection.get().getServer(); if (server != null) { - int result = server.stmt_executeUpdate(p_vo); + int result = server.stmt_executeUpdate(p_vo, Adempiere.getSecurityToken()); p_vo.clearParameters(); // re-use of result set return result; } @@ -867,7 +868,7 @@ public class CStatement implements Statement Server server = CConnection.get().getServer(); if (server != null) { - RowSet rs = server.stmt_getRowSet (p_vo); + RowSet rs = server.stmt_getRowSet (p_vo, Adempiere.getSecurityToken()); p_vo.clearParameters(); // re-use of result set if (rs == null) log.warning("RowSet is null - " + p_vo); diff --git a/base/src/org/compiere/util/CStatementVO.java b/base/src/org/compiere/util/CStatementVO.java index f3bcd851e3..33dbfccbe5 100644 --- a/base/src/org/compiere/util/CStatementVO.java 
+++ b/base/src/org/compiere/util/CStatementVO.java
@@ -17,8 +17,13 @@
 package org.compiere.util;
 import java.io.*;
+import java.security.CodeSource;
+import java.security.ProtectionDomain;
+import java.security.cert.Certificate;
 import java.util.*;
+import org.compiere.Adempiere;
+
 /**
 * Adempiere Statement Value Object
 *
diff --git a/base/src/org/compiere/util/Login.java b/base/src/org/compiere/util/Login.java
index 76f591c815..2f58b3f7a3 100644
--- a/base/src/org/compiere/util/Login.java
+++ b/base/src/org/compiere/util/Login.java
@@ -322,7 +322,7 @@ public class Login
 list.toArray(retValue);
 log.fine("User=" + app_user + " - roles #" + retValue.length);
 }
- catch (SQLException ex)
+ catch (Exception ex)
 {
 log.log(Level.SEVERE, sql.toString(), ex);
 log.saveError("DBLogin", ex);
diff --git a/base/src/org/compiere/util/SecurityToken.java b/base/src/org/compiere/util/SecurityToken.java
new file mode 100644
index 0000000000..1fac730b4c
--- /dev/null
+++ b/base/src/org/compiere/util/SecurityToken.java
@@ -0,0 +1,29 @@
+package org.compiere.util;
+
+import java.io.Serializable;
+import java.security.cert.Certificate;
+
+/**
+ * @author Low Heng Sin
+ */
+public class SecurityToken implements Serializable {
+
+ private Certificate codeCertificate;
+ private String codeBaseHost;
+
+ public SecurityToken(Certificate cert, String host)
+ {
+ codeCertificate = cert;
+ codeBaseHost = host;
+ }
+
+ public Certificate getCodeCertificate()
+ {
+ return codeCertificate;
+ }
+
+ public String getCodeBaseHost()
+ {
+ return codeBaseHost;
+ }
+}
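Review bot: This hunk adds four imports to CStatementVO — `java.security.CodeSource`, `java.security.ProtectionDomain`, `java.security.cert.Certificate` and `org.compiere.Adempiere` — but no line in this diff uses any of them in that file, so unless code outside the hunk already references them they are dead imports left over from an earlier placement of the token logic and should be dropped. The `org.compiere.Adempiere` import in particular makes a `util` value object depend on the application entry class while `Adempiere` itself imports `org.compiere.util.SecurityToken`; keeping the token construction in `Adempiere.getSecurityToken()`, as the CStatement and CPreparedStatement hunks do, avoids that cycle.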
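Review bot: Everything in `SecurityToken` is chosen by the client — the certificate is read from the client's own code source and the host is a plain `String` — and a code-signing certificate is public data, so anyone holding the client jar can build an identical token; the unauthenticated-query hole from the bug report is narrowed, not closed. The class Javadoc should say that plainly, something like `Marker sent with each server call so the bean can reject callers not built from the signed distribution; this is not authentication (all fields are client-supplied and public) — see the planned JAAS step`, so nobody later treats it as an auth boundary. The server-side comparison is not in this diff, so I cannot say how the certificate is checked; note that it arrives through RMI deserialization of a client-supplied object graph. Mechanically, a `Serializable` class that crosses the wire should pin `private static final long serialVersionUID = 1L;` so a later field change does not break mixed client/server versions, and both fields can be `final` since they are only set in the constructor.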