Hi Azeez,
On Sun, Jun 6, 2010 at 6:21 PM, Afkham Azeez <[email protected]> wrote:
> This is the relevant code segment:
>
> public static KeyStoreManager getInstance(UserRegistry userRegistry) {
>     CarbonUtils.checkSecurity();
>     String tenantId = "0";
>     if (userRegistry != null) {
>         tenantId = new Integer(userRegistry.getTenantId()).toString();
>     }
>     if (!mtKeyStoreManagers.containsKey(tenantId)) {
>         mtKeyStoreManagers.put(tenantId, new KeyStoreManager(userRegistry));
>     }
>     return mtKeyStoreManagers.get(tenantId);
> }
>
> So, let's say a tenant requires to access its keystore. The above method
> will throw a Sec exception since the tenant code is not signed. So, maybe
> we should not allow null userRegistry or change the code to do the security
> check only if it is null;
>
Are we going to allow non super tenants to access their keystores
programmatically? If we are going to do so, then it is required to do the
security check in every place where they can grab hold of the primary
keystore.
Thanks,
Thilina
>
> if (userRegistry == null) {
>     CarbonUtils.checkSecurity();
> }
>
> Azeez
>
> On Sun, Jun 6, 2010 at 5:46 PM, Thilina Mahesh Buddhika <[email protected]> wrote:
>
>>
>>
>> On Sun, Jun 6, 2010 at 5:28 PM, Afkham Azeez <[email protected]> wrote:
>>
>>> Since you pass in the proper registry, I guess it is already secured.
>>
>>
>> This method is already secured. :-)
>>
>> There was a security risk, as we are allowing 'null' for registry value
>> which will use the gov. registry of Tenant 0.
>>
>> Thanks,
>> Thilina
>>
>>
>>>
>>> Azeez
>>>
>>>
>>> On Sun, Jun 6, 2010 at 5:28 PM, Afkham Azeez <[email protected]> wrote:
>>>
>>>> BTW, don't forget to secure that method.
>>>>
>>>> Azeez
>>>>
>>>>
>>>> On Sun, Jun 6, 2010 at 4:25 PM, Thilina Mahesh Buddhika <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> It is required to pass a governance system registry instance to get a
>>>>> KeyStoreManager instance. If you pass a 'null', then it will pick the
>>>>> tenant 0 governance system registry instance. If it is not the
>>>>> requirement, then you will have to pass the governance system registry
>>>>> instance of that particular tenant.
>>>>>
>>>>> I will fix the java doc. of KeyStoreManager class.
>>>>>
>>>>> Thanks,
>>>>> Thilina
>>>>>
>>>>>
>>>>> On Sun, Jun 6, 2010 at 12:24 PM, Afkham Azeez <[email protected]> wrote:
>>>>>
>>>>>> Doesn't the Java doc of KeyStoreManager.getInstance mention this? If
>>>>>> not, that needs to be fixed first.
>>>>>>
>>>>>> Azeez
>>>>>>
>>>>>>
>>>>>> On Sun, Jun 6, 2010 at 8:38 AM, Srinath Perera <[email protected]> wrote:
>>>>>>
>>>>>>> Which registry to pass in to KeyStoreManager.getInstance(..)? Is it
>>>>>>> system registry or user registry? Does the following look ok?
>>>>>>>
>>>>>>>
>>>>>>> KeyStoreManager.getInstance(SolrServiceComponet.getRegService().getConfigUserRegistry());
>>>>>>>
>>>>>>> Thanks
>>>>>>> Srinath
>>>>>>> --
>>>>>>> ============================
>>>>>>> Srinath Perera, Ph.D.
>>>>>>> WSO2 Inc. http://wso2.com
>>>>>>> Blog: http://srinathsview.blogspot.com/
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Carbon-dev mailing list
>>>>>>> [email protected]
>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Afkham Azeez
>>>>>> Senior Software Architect & Product Manager, WSO2 WSAS; WSO2, Inc.;
>>>>>> http://wso2.com, Lean . Enterprise . Middleware
>>>>>> Member; Apache Software Foundation; http://www.apache.org/
>>>>>> email: [email protected] cell: +94 77 3320919
>>>>>> blog: http://blog.afkham.org
>>>>>> twitter: http://twitter.com/afkham_azeez
>>>>>> linked-in: http://lk.linkedin.com/in/afkhamazeez
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thilina Mahesh Buddhika
>>>>> Senior Software Engineer
>>>>>
>>>>> WSO2 Inc. ; http://wso2.com
>>>>> lean . enterprise . middleware
>>>>>
>>>>> phone : +94 77 44 88 727
>>>>> blog : http://blog.thilinamb.com
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>
--
Thilina Mahesh Buddhika
Senior Software Engineer
WSO2 Inc. ; http://wso2.com
lean . enterprise . middleware
phone : +94 77 44 88 727
blog : http://blog.thilinamb.com
_______________________________________________
Carbon-dev mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
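
The lookup discussed in this thread, as an added example that is not part of the original messages and is not WSO2 code: it models the variant where the security check runs only when the registry is null and the lookup falls back to tenant 0. `Registry`, `Manager`, the `callerIsTrusted` flag and the local `checkSecurity` are hypothetical stand-ins for `UserRegistry`, `KeyStoreManager` and `CarbonUtils.checkSecurity()`, and the example swaps the `containsKey`/`put` pair for `computeIfAbsent`.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class TenantKeyStoreDemo {
    // Hypothetical stand-in for UserRegistry: only the tenant id matters here.
    record Registry(int tenantId) {}

    // Hypothetical stand-in for KeyStoreManager: records which tenant it serves.
    record Manager(int tenantId) {}

    static final int SUPER_TENANT = 0;
    static final Map<Integer, Manager> managers = new ConcurrentHashMap<>();

    // Stand-in for CarbonUtils.checkSecurity(): the caller's trust is a flag,
    // an assumption made so the example runs without a SecurityManager.
    static void checkSecurity(boolean callerIsTrusted) {
        if (!callerIsTrusted) {
            throw new SecurityException("untrusted caller asked for tenant 0 keystore");
        }
    }

    // Variant proposed in the thread: check only on the null (tenant 0) path.
    static Manager getInstance(Registry registry, boolean callerIsTrusted) {
        if (registry == null) {
            checkSecurity(callerIsTrusted);
        }
        int tenantId = (registry == null) ? SUPER_TENANT : registry.tenantId();
        // computeIfAbsent creates the manager atomically, once per tenant.
        return managers.computeIfAbsent(tenantId, Manager::new);
    }

    public static void main(String[] args) {
        // Constructed cases: the calling tenant code is unsigned (untrusted).
        System.out.println(getInstance(new Registry(42), false)); // own keystore: allowed
        try {
            getInstance(null, false); // null would select tenant 0: rejected
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        // A non-null tenant 0 registry is not checked by this variant, which is
        // why the reply asks for checks wherever the primary keystore is reachable.
        System.out.println(getInstance(new Registry(SUPER_TENANT), false));
    }
}
```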