* [ adempiere-Bugs-1719617 ] Server bean allows remote unauthenticated queries

- Added security token validation for wan profile. This is on by default, if you need to test the wan profile from your IDE ( Eclipse , Netbean, etc ), you need to manually edit the Adempiere.properties file on the application server, and change ServerValidateSecurityToken=xyzY to ServerValidateSecurityToken=xyzN
- Next step is to add JAAS authentication, later ...

base/src/org/compiere/Adempiere.java

@@ -19,6 +19,8 @@ package org.compiere;
 import java.awt.*;
 import java.io.*;
 import java.net.*;
+import java.security.CodeSource;
+import java.security.cert.Certificate;
 import java.util.logging.*;
 import javax.jnlp.*;
 import javax.swing.*;
@@ -539,6 +541,25 @@ public final class Adempiere
 	}	//	startupEnvironment
 
 
+	/**
+	 * @return SecurityToken
+	 */
+	public static SecurityToken getSecurityToken()
+	{
+		Certificate cert = null;
+		String host = null;
+		CodeSource cs 
+			= Adempiere.class.getProtectionDomain().getCodeSource();
+		if (cs != null)
+		{
+			Certificate[] certs = cs.getCertificates();
+			if (certs != null && certs.length > 0)
+				cert = certs[0];
+		}
+		host = Adempiere.getCodeBaseHost();
+		return new SecurityToken(cert, host);
+	}
+	
 	/**
 	 *  Main Method
 	 *

base/src/org/compiere/interfaces/Server.java

@@ -36,21 +36,21 @@ public interface Server
     * @param info Result info
     * @return RowSet
     * @throws NotSerializableException    */
-   public javax.sql.RowSet pstmt_getRowSet( org.compiere.util.CStatementVO info )
+   public javax.sql.RowSet pstmt_getRowSet( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token )
       throws java.io.NotSerializableException, java.rmi.RemoteException;
 
    /**
     * Get Statement ResultSet
     * @param info Result info
     * @return RowSet    */
-   public javax.sql.RowSet stmt_getRowSet( org.compiere.util.CStatementVO info )
+   public javax.sql.RowSet stmt_getRowSet( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token )
       throws java.rmi.RemoteException;
 
    /**
     * Execute Update
     * @param info Result info
     * @return row count    */
-   public int stmt_executeUpdate( org.compiere.util.CStatementVO info )
+   public int stmt_executeUpdate( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token )
       throws java.rmi.RemoteException;
 
    /**
@@ -150,7 +150,7 @@ public interface Server
     * @param displayType display type (i.e. BLOB/CLOB)
     * @param value the data
     * @return true if updated    */
-   public boolean updateLOB( java.lang.String sql,int displayType,java.lang.Object value )
+   public boolean updateLOB( java.lang.String sql,int displayType,java.lang.Object value,org.compiere.util.SecurityToken token )
       throws java.rmi.RemoteException;
 
    /**
@@ -179,7 +179,7 @@ public interface Server
     * @param procedureName
     * @param trxName
     * @return ProcessInfo    */
-   public org.compiere.process.ProcessInfo dbProcess( org.compiere.process.ProcessInfo processInfo,java.lang.String procedureName,java.lang.String trxName )
+   public org.compiere.process.ProcessInfo dbProcess( org.compiere.process.ProcessInfo processInfo,java.lang.String procedureName,java.lang.String trxName,org.compiere.util.SecurityToken token )
       throws java.rmi.RemoteException;
 
    /**

base/src/org/compiere/interfaces/ServerLocal.java

@@ -34,19 +34,19 @@ public interface ServerLocal
     * @param info Result info
     * @return RowSet
     * @throws NotSerializableException    */
-   public javax.sql.RowSet pstmt_getRowSet( org.compiere.util.CStatementVO info ) throws java.io.NotSerializableException;
+   public javax.sql.RowSet pstmt_getRowSet( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token ) throws java.io.NotSerializableException;
 
    /**
     * Get Statement ResultSet
     * @param info Result info
     * @return RowSet    */
-   public javax.sql.RowSet stmt_getRowSet( org.compiere.util.CStatementVO info ) ;
+   public javax.sql.RowSet stmt_getRowSet( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token ) ;
 
    /**
     * Execute Update
     * @param info Result info
     * @return row count    */
-   public int stmt_executeUpdate( org.compiere.util.CStatementVO info ) ;
+   public int stmt_executeUpdate( org.compiere.util.CStatementVO info,org.compiere.util.SecurityToken token ) ;
 
    /**
     * Get next number for Key column = 0 is Error.
@@ -135,7 +135,7 @@ public interface ServerLocal
     * @param displayType display type (i.e. BLOB/CLOB)
     * @param value the data
     * @return true if updated    */
-   public boolean updateLOB( java.lang.String sql,int displayType,java.lang.Object value ) ;
+   public boolean updateLOB( java.lang.String sql,int displayType,java.lang.Object value,org.compiere.util.SecurityToken token ) ;
 
    /**
     * Describes the instance and its content for debugging purpose
@@ -160,7 +160,7 @@ public interface ServerLocal
     * @param procedureName
     * @param trxName
     * @return ProcessInfo    */
-   public org.compiere.process.ProcessInfo dbProcess( org.compiere.process.ProcessInfo processInfo,java.lang.String procedureName,java.lang.String trxName ) ;
+   public org.compiere.process.ProcessInfo dbProcess( org.compiere.process.ProcessInfo processInfo,java.lang.String procedureName,java.lang.String trxName,org.compiere.util.SecurityToken token ) ;
 
    /**
     * Load fields meta data from database

base/src/org/compiere/model/MTable.java

@@ -675,7 +675,7 @@ public class MTable extends X_AD_Table
 			rs.close();
 			pstmt.close();
 		}
-		catch (SQLException e)
+		catch (Exception e)
 		{
 			retValue = -1;
 		}

base/src/org/compiere/model/PO_LOB.java

@@ -20,6 +20,8 @@ import java.io.*;
 import java.rmi.*;
 import java.sql.*;
 import java.util.logging.*;
+
+import org.compiere.Adempiere;
 import org.compiere.db.*;
 import org.compiere.interfaces.*;
 import org.compiere.util.*;
@@ -117,7 +119,7 @@ public class PO_LOB implements Serializable
 			{
 				if (server != null)
 				{	//	See ServerBean
-					success = server.updateLOB (sql.toString(), m_displayType, m_value); 
+					success = server.updateLOB (sql.toString(), m_displayType, m_value, Adempiere.getSecurityToken()); 
 					if (CLogMgt.isLevelFinest())
 						log.fine("server => " + success);
 					if (success)

base/src/org/compiere/util/CLogErrorBuffer.java

@@ -197,8 +197,16 @@ public class CLogErrorBuffer extends Handler
 					)
 				{
 					m_issueError = false;
-					MIssue.create(record);
+					try 
-					m_issueError = true;
+					{
+						MIssue.create(record);
+						m_issueError = true;
+					} catch (Throwable e)
+					{
+						//failed to save exception to db, print to console
+						System.err.println(getFormatter().format(record));
+						m_issueError = false;
+					}
 				}
 				else
 				{

base/src/org/compiere/util/CLogger.java

@@ -221,6 +221,21 @@ public class CLogger extends Logger implements Serializable
 		s_lastInfo = null;
 	}	//	resetLast
 	
+	/**
+	 * Get root cause
+	 * @param t
+	 * @return Throwable
+	 */
+	public static Throwable getRootCause(Throwable t)
+	{
+		Throwable cause = t;
+		while (cause.getCause() != null)
+		{
+			cause = cause.getCause();
+		} 
+		return cause;
+	}
+	
 	/**
 	 * 	String Representation
 	 *	@return info

base/src/org/compiere/util/CPreparedStatement.java

@@ -23,6 +23,8 @@ import java.sql.*;
 import java.util.*;
 import java.util.logging.*;
 import javax.sql.*;
+
+import org.compiere.Adempiere;
 import org.compiere.db.*;
 import org.compiere.interfaces.*;
 
@@ -122,7 +124,7 @@ public class CPreparedStatement extends CStatement implements PreparedStatement
 				Server server = CConnection.get().getServer();
 				if (server != null)
 				{
-					ResultSet rs = server.pstmt_getRowSet (p_vo);
+					ResultSet rs = server.pstmt_getRowSet (p_vo, Adempiere.getSecurityToken());
 					p_vo.clearParameters();		//	re-use of result set
 					if (rs == null)
 						log.warning("ResultSet is null - " + p_vo);
@@ -198,7 +200,7 @@ public class CPreparedStatement extends CStatement implements PreparedStatement
 				Server server = CConnection.get().getServer();
 				if (server != null)
 				{
-					int result = server.stmt_executeUpdate (p_vo);
+					int result = server.stmt_executeUpdate (p_vo, Adempiere.getSecurityToken());
 					p_vo.clearParameters();		//	re-use of result set
 					return result;
 				}
@@ -886,7 +888,7 @@ public class CPreparedStatement extends CStatement implements PreparedStatement
 				Server server = CConnection.get().getServer();
 				if (server != null)
 				{
-					RowSet rs = server.pstmt_getRowSet (p_vo);
+					RowSet rs = server.pstmt_getRowSet (p_vo, Adempiere.getSecurityToken());
 					p_vo.clearParameters();		//	re-use of result set
 					if (rs == null)
 						log.warning("RowSet is null - " + p_vo);

base/src/org/compiere/util/CStatement.java

@@ -21,6 +21,7 @@ import java.util.logging.*;
 
 import javax.sql.*;
 
+import org.compiere.Adempiere;
 import org.compiere.db.*;
 import org.compiere.interfaces.*;
 
@@ -136,7 +137,7 @@ public class CStatement implements Statement
 				Server server = CConnection.get().getServer();
 				if (server != null)
 				{
-					ResultSet rs = server.stmt_getRowSet (p_vo);
+					ResultSet rs = server.stmt_getRowSet (p_vo, Adempiere.getSecurityToken());
 					if (rs == null)
 						log.warning("ResultSet is null - " + p_vo);
 					else
@@ -198,7 +199,7 @@ public class CStatement implements Statement
 				Server server = CConnection.get().getServer();
 				if (server != null)
 				{
-					int result = server.stmt_executeUpdate(p_vo);
+					int result = server.stmt_executeUpdate(p_vo, Adempiere.getSecurityToken());
 					p_vo.clearParameters();		//	re-use of result set
 					return result;
 				}
@@ -867,7 +868,7 @@ public class CStatement implements Statement
 				Server server = CConnection.get().getServer();
 				if (server != null)
 				{
-					RowSet rs = server.stmt_getRowSet (p_vo);
+					RowSet rs = server.stmt_getRowSet (p_vo, Adempiere.getSecurityToken());
 					p_vo.clearParameters();		//	re-use of result set
 					if (rs == null)
 						log.warning("RowSet is null - " + p_vo);

base/src/org/compiere/util/CStatementVO.java

@@ -17,8 +17,13 @@
 package org.compiere.util;
 
 import java.io.*;
+import java.security.CodeSource;
+import java.security.ProtectionDomain;
+import java.security.cert.Certificate;
 import java.util.*;
 
+import org.compiere.Adempiere;
+
 /**
  *	Adempiere Statement Value Object
  *	

base/src/org/compiere/util/Login.java

@@ -322,7 +322,7 @@ public class Login
 			list.toArray(retValue);
 			log.fine("User=" + app_user + " - roles #" + retValue.length);
 		}
-		catch (SQLException ex)
+		catch (Exception ex)
 		{
 			log.log(Level.SEVERE, sql.toString(), ex);
 			log.saveError("DBLogin", ex);

base/src/org/compiere/util/SecurityToken.java

@@ -0,0 +1,29 @@
+package org.compiere.util;
+
+import java.io.Serializable;
+import java.security.cert.Certificate;
+
+/**
+ * @author Low Heng Sin
+ */
+public class SecurityToken implements Serializable {
+
+	private Certificate codeCertificate;
+	private String codeBaseHost;
+	
+	public SecurityToken(Certificate cert, String host)
+	{
+		codeCertificate = cert;
+		codeBaseHost = host;
+	}
+	
+	public Certificate getCodeCertificate()
+	{
+		return codeCertificate;
+	}
+	
+	public String getCodeBaseHost()
+	{
+		return codeBaseHost;
+	}
+}