Hi Jacopo,
No, it's not enough. Without the RmiDispatcher deactivated you can still run RMI
services like testRMI.
You get in the log:
[java] 2016-03-18 18:39:22,787 |main |ContainerLoader |I| [Startup] Loading containers from
c:/projectsASF/ofbiz/framework/base/config/ofbiz-containers.xml for loaders [main, rmi]
[java] 2016-03-18 18:39:24,754 |main |ContainerLoader |I| Loading
component's container: rmi-dispatcher
[java] 2016-03-18 18:39:24,755 |main |ContainerLoader |I| Loaded
component's container: rmi-dispatcher
[java] 2016-03-18 18:39:27,966 |main |ContainerLoader |I|
Starting container rmi-dispatcher
[java] 2016-03-18 18:39:29,346 |main |ServiceDispatcher |I|
Registering dispatcher: RMIDispatcher
[java] 2016-03-18 18:39:29,346 |main |ServiceContainer |I| Created
new dispatcher: RMIDispatcher
[java] 2016-03-18 18:39:29,745 |main |ContainerLoader |I| Started
container rmi-dispatcher
And if you use the ant-secure target you see this in is-deserialized.txt:
org.ofbiz.service.rmi.RemoteDispatcherImpl_Stub
java.rmi.server.RemoteStub
java.rmi.server.RemoteObject
org.ofbiz.service.rmi.socket.ssl.SSLClientSocketFactory
[Ljava.rmi.server.ObjID;
java.rmi.server.ObjID
java.rmi.server.UID
java.rmi.dgc.Lease
java.rmi.dgc.VMID
Those are not issues but show that RMI is still active.
Actually I missed your change in start.properties but did the same in
both.properties.
Initially I wondered if the only thing needed was not to comment out the
RmiDispatcher in service/ofbiz-component.xml,
because once you have done that no RMI services can be used.
I finally decided to do more because the Distributed Clear Cache relies on JNDI, JMS and RMI. So I also deactivated the JNDI server and then got
further with all changes below.
Thinking about it now, since the Rmi Service Dispatcher and the JNDI server are at the root of all, they are maybe the only things which need to be
deactivated (trying to minimise the changes), with of course the RMI test services, which would otherwise fail.
What do you think?
Jacques
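A way to run the check described above over both the configuration and the startup log, as an added example that is not part of the original message or of OFBiz. The sample properties, XML and log text are constructed from the snippets in this thread, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the files and log quoted in this thread.
SAMPLE_PROPERTIES = """\
ofbiz.start.loader1=org.ofbiz.base.container.ContainerLoader
#ofbiz.start.loader1.loaders=main
ofbiz.start.loader1.loaders=main,rmi
"""
SAMPLE_COMPONENT_XML = """\
<ofbiz-component name="service">
  <!-- <container name="naming-container" loaders="rmi"
       class="org.ofbiz.base.container.NamingServiceContainer"/> -->
  <container name="service-container" loaders="main,pos,load-data,test"
       class="org.ofbiz.service.ServiceContainer"/>
  <container name="rmi-dispatcher" loaders="rmi"
       class="org.ofbiz.service.rmi.RmiServiceContainer"/>
</ofbiz-component>
"""
SAMPLE_LOG = """\
18:39:22,787 |main |ContainerLoader |I| [Startup] Loading containers from ofbiz-containers.xml for loaders [main, rmi]
18:39:27,966 |main |ContainerLoader |I| Starting container rmi-dispatcher
18:39:29,900 |main |ContainerLoader |I| Started container service-container
"""

def _lists_rmi(value):
    return "rmi" in [item.strip() for item in value.split(",")]

def active_rmi_properties(text):
    """Uncommented *.loaders keys that still list the rmi loader."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.endswith(".loaders") and _lists_rmi(value):
            hits.append(key)
    return hits

def active_rmi_containers(xml_text):
    """Live <container> names bound to the rmi loader; the parser skips XML comments."""
    return [c.get("name") for c in ET.fromstring(xml_text).iter("container")
            if _lists_rmi(c.get("loaders", ""))]

RMI_SIGNS = re.compile(r"for loaders \[[^\]]*\brmi\b|container rmi-dispatcher|dispatcher: RMIDispatcher")

def rmi_log_lines(log_text):
    """Startup log lines showing the rmi loader or dispatcher came up."""
    return [line for line in log_text.splitlines() if RMI_SIGNS.search(line)]
```

An empty result from all three functions is the state both patches in this thread aim for; a hit in any one of them means RMI can still start.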
On 18/03/2016 17:28, Jacopo Cappellato wrote:
Hi Jacques,
thanks for working at this.
However I think that there is a simpler/better way to disable the component
by default; by using the following patch:
Index: framework/start/src/org/ofbiz/base/start/start.properties
===================================================================
--- framework/start/src/org/ofbiz/base/start/start.properties (revision
1735404)
+++ framework/start/src/org/ofbiz/base/start/start.properties (working copy)
@@ -40,7 +40,7 @@
# --- StartupLoader implementations to load (in order)
ofbiz.start.loader1=org.ofbiz.base.container.ContainerLoader
-ofbiz.start.loader1.loaders=main,rmi
+ofbiz.start.loader1.loaders=main
# -- Enable the shutdown hook
#ofbiz.enable.hook=true
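Review bot: Dropping `rmi` from `ofbiz.start.loader1.loaders` covers only `start.properties`; the commit quoted below shows `both.properties` carrying its own `ofbiz.start.loader2.loaders=main,pos,rmi`, so the same edit is needed in every start properties file that lists `rmi`. The changed line also carries no comment, so add one next to it saying why `rmi` was removed (OFBIZ-6942) and that re-adding it re-enables the containers declared with `loaders="rmi"`.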
I didn't test it but it should work!
Jacopo
On Fri, Mar 18, 2016 at 11:38 AM, <[email protected]> wrote:
Author: jleroux
Date: Fri Mar 18 10:38:04 2016
New Revision: 1735569
URL: http://svn.apache.org/viewvc?rev=1735569&view=rev
Log:
Fixes "Comment out RMI related code because of the Java deserialization
issue" - https://issues.apache.org/jira/browse/OFBIZ-6942
I decided to comment out as little as possible because once the RMI loaders,
the RMI dispatcher and the related test services are off there is no RMI
related danger left (test services are not a danger but would fail during
test runs). It's then easier for users who need RMI in their projects to
have only to uncomment those and not dig everywhere. Because the naming
(JNDI) server relies on the rmi loader it will also be commented out.
Modified:
ofbiz/trunk/framework/base/config/ofbiz-containers.xml
ofbiz/trunk/framework/base/ofbiz-component.xml
ofbiz/trunk/framework/common/servicedef/services_test.xml
ofbiz/trunk/framework/service/ofbiz-component.xml
ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties
Modified: ofbiz/trunk/framework/base/config/ofbiz-containers.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/ofbiz-containers.xml?rev=1735569&r1=1735568&r2=1735569&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/config/ofbiz-containers.xml (original)
+++ ofbiz/trunk/framework/base/config/ofbiz-containers.xml Fri Mar 18
10:38:04 2016
@@ -21,8 +21,11 @@ under the License.
<ofbiz-containers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="
http://ofbiz.apache.org/dtds/ofbiz-containers.xsd">
+ <!-- Because of the danger of Java deserialization when using RMI, we
(PMC) have decided to comment out main RMI related code entries.
+ If you need RMI you just need to uncomment those places - See
OFBIZ-6942 for details -->
<!-- load the ofbiz component container (always first) -->
- <container name="component-container"
loaders="main,rmi,pos,load-data"
class="org.ofbiz.base.container.ComponentContainer"/>
+ <!-- <container name="component-container"
loaders="main,rmi,pos,load-data"
class="org.ofbiz.base.container.ComponentContainer"/> -->
+ <container name="component-container" loaders="main,pos,load-data"
class="org.ofbiz.base.container.ComponentContainer"/>
<container name="component-container-test" loaders="test"
class="org.ofbiz.base.container.ComponentContainer">
<property name="ofbiz.instrumenterClassName"
value="org.ofbiz.base.config.CoberturaInstrumenter"/>
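Review bot: The new `component-container` line keeps the old definition as a commented-out copy directly above it, so the two `loaders` lists can drift apart when one is edited later. Consider dropping the commented copy and stating in the notice that re-enabling RMI here means adding `rmi` back to `loaders`. The notice is also inserted above the existing `load the ofbiz component container (always first)` comment, which now appears to describe the commented-out element rather than the live one.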
Modified: ofbiz/trunk/framework/base/ofbiz-component.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/ofbiz-component.xml (original)
+++ ofbiz/trunk/framework/base/ofbiz-component.xml Fri Mar 18 10:38:04 2016
@@ -33,11 +33,13 @@ under the License.
<test-suite loader="main" location="testdef/basetests.xml"/>
+ <!-- Because of the danger of Java deserialization when using RMI, we
(PMC) have decided to comment out main RMI related code entries.
+ If you need RMI you just need to uncomment those places - See
OFBIZ-6942 for details -->
<!-- load the naming (JNDI) server -->
- <container name="naming-container" loaders="rmi"
class="org.ofbiz.base.container.NamingServiceContainer">
+ <!-- <container name="naming-container" loaders="rmi"
class="org.ofbiz.base.container.NamingServiceContainer">
<property name="host" value="0.0.0.0"/>
<property name="port" value="1099"/>
- </container>
+ </container> -->
<!-- load BeanShell remote telnet server -->
<!-- Commented out by default for security reasons -->
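Review bot: The commented-out `naming-container` still carries `host` set to `0.0.0.0` with port `1099`, so anyone who follows the notice and uncomments it gets the naming server listening on every interface. Consider changing the value to `127.0.0.1` inside the commented block, as the `rmi-dispatcher` entry in framework/service/ofbiz-component.xml does for `bound-host`, or say so in the notice.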
Modified: ofbiz/trunk/framework/common/servicedef/services_test.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services_test.xml?rev=1735569&r1=1735568&r2=1735569&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/servicedef/services_test.xml (original)
+++ ofbiz/trunk/framework/common/servicedef/services_test.xml Fri Mar 18
10:38:04 2016
@@ -47,15 +47,17 @@ under the License.
<service name="testError" engine="java" export="true"
validate="false" require-new-transaction="true" max-retry="1"
location="org.ofbiz.common.CommonServices"
invoke="returnErrorService">
</service>
+ <!-- Because of the danger of Java deserialization when using RMI, we
(PMC) have decided to comment out main RMI related code entries.
+ If you need RMI you just need to uncomment those places - See
OFBIZ-6942 for details -->
<!-- see serviceengine.xml to configure the rmi location alias -->
- <service name="testRmi" engine="rmi" validate="false"
+ <!-- <service name="testRmi" engine="rmi" validate="false"
location="main-rmi" invoke="testScv">
<implements service="testScv"/>
</service>
<service name="testRmiFail" engine="rmi" validate="false"
location="main-rmi" invoke="testBsh">
<implements service="testScv"/>
- </service>
+ </service> -->
<service name="testRollback" engine="java" export="true"
validate="false"
location="org.ofbiz.common.CommonServices"
invoke="testRollbackListener">
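Review bot: The comment opened at `<service name="testRmi"` and closed after `testRmiFail` removes both definitions, but nothing in this hunk shows what still calls them; any test case or suite entry that invokes `testRmi` or `testRmiFail` needs disabling in the same commit, otherwise it fails on a missing service. The `see serviceengine.xml to configure the rmi location alias` comment is left outside the block and now describes nothing live, so move it inside.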
Modified: ofbiz/trunk/framework/service/ofbiz-component.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff
==============================================================================
--- ofbiz/trunk/framework/service/ofbiz-component.xml (original)
+++ ofbiz/trunk/framework/service/ofbiz-component.xml Fri Mar 18 10:38:04
2016
@@ -44,12 +44,17 @@ under the License.
<keystore name="rmitrust" type="jks" password="changeit"
is-truststore="true"
is-certstore="false" loader="main"
location="config/rmitrust.jks"/>
- <container name="service-container"
loaders="main,rmi,pos,load-data,test"
class="org.ofbiz.service.ServiceContainer">
+ <!-- Because of the danger of Java deserialization when using RMI, we
(PMC) have decided to comment out main RMI related code entries.
+ If you need RMI you just need to uncomment those places - See
OFBIZ-6942 for details -->
+ <!-- <container name="service-container"
loaders="main,rmi,pos,load-data,test"
class="org.ofbiz.service.ServiceContainer"> -->
+ <container name="service-container" loaders="main,pos,load-data,test"
class="org.ofbiz.service.ServiceContainer">
<property name="dispatcher-factory"
value="org.ofbiz.service.GenericDispatcherFactory"/>
</container>
+ <!-- Because of the danger of Java deserialization when using RMI, we
(PMC) have decided to comment out main RMI related code entries.
+ If you need RMI you just need to uncomment those places - See
OFBIZ-6942 for details -->
<!-- RMI Service Dispatcher -->
- <container name="rmi-dispatcher" loaders="rmi"
class="org.ofbiz.service.rmi.RmiServiceContainer">
+ <!-- <container name="rmi-dispatcher" loaders="rmi"
class="org.ofbiz.service.rmi.RmiServiceContainer">
<property name="bound-name" value="RMIDispatcher"/>
<property name="bound-host" value="127.0.0.1"/>
<property name="bound-port" value="1099"/>
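Review bot: The `rmitrust` keystore entry at the top of this hunk stays active with `loader="main"` although the `rmi-dispatcher` below it is now commented out; either comment it out together with the dispatcher or state in the notice that it is kept on purpose. The same notice is also added twice in this hunk, once above `service-container` and once above `RMI Service Dispatcher`; one copy is enough.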
@@ -61,7 +66,7 @@ under the License.
<property name="ssl-keystore-pass" value="changeit"/>
<property name="ssl-keystore-alias" value="rmissl"/>
<property name="ssl-client-auth" value="false"/>
- </container>
+ </container> -->
<!-- JavaMail Listener Container - Triggers MCA Rules -->
<!-- if delete-mail is set to true, will delete messages after
fetching them. otherwise, will try to mark them as seen
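Review bot: The `</container> -->` here closes a comment opened in the previous hunk at `<!-- <container name="rmi-dispatcher"`, and the lines between the two hunks are not shown. XML comments cannot nest and may not contain `--`, so check that nothing in that span has its own `<!-- ... -->`; otherwise the comment ends early or the file stops parsing. The block also keeps `ssl-client-auth` at `false`, which is worth mentioning in the notice for users who uncomment it.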
Modified:
ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties?rev=1735569&r1=1735568&r2=1735569&view=diff
==============================================================================
--- ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties
(original)
+++ ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties
Fri Mar 18 10:38:04 2016
@@ -35,7 +35,10 @@ ofbiz.start.loader1=org.ofbiz.base.splas
# --- StartupLoader implementations to load (in order)
ofbiz.start.loader2=org.ofbiz.base.container.ContainerLoader
-ofbiz.start.loader2.loaders=main,pos,rmi
+# Because of the danger of Java deserialization when using RMI, we (PMC)
have decided to comment out main RMI related code entries.
+# If you need RMI you just need to uncomment those places - See
OFBIZ-6942 for details -->
+#ofbiz.start.loader2.loaders=main,pos,rmi
+ofbiz.start.loader2.loaders=main,pos
# -- Splash Logo
ofbiz.start.splash.logo=framework/images/webapp/images/ofbiz_logo.gif
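Review bot: The second added comment line ends with `-->` (`See OFBIZ-6942 for details -->`), an XML comment terminator pasted into a properties file; remove it. The notice says to uncomment "those places", but here re-enabling RMI means restoring `#ofbiz.start.loader2.loaders=main,pos,rmi` and deleting the new `main,pos` line, since leaving both active assigns the same key twice; spell that out. `start.properties` is not in this commit's Modified list, while the patch earlier in the thread shows it with `ofbiz.start.loader1.loaders=main,rmi`.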