Hi Jacques,

how did you get that log? (how did you start OFBiz)

Thanks,

Jacopo

On Sat, Mar 19, 2016 at 11:47 AM, Jacques Le Roux <[email protected]> wrote:

> Hi Jacopo,
>
> No it's not enough. Without the RmiDispatcher deactivated you can still
> run RMI services like testRMI.
> You get in log:
>
> [java] 2016-03-18 18:39:22,787 |main |ContainerLoader |I| [Startup] Loading containers from c:/projectsASF/ofbiz/framework/base/config/ofbiz-containers.xml for loaders [main, rmi]
> [java] 2016-03-18 18:39:24,754 |main |ContainerLoader |I| Loading component's container: rmi-dispatcher
> [java] 2016-03-18 18:39:24,755 |main |ContainerLoader |I| Loaded component's container: rmi-dispatcher
> [java] 2016-03-18 18:39:27,966 |main |ContainerLoader |I| Starting container rmi-dispatcher
> [java] 2016-03-18 18:39:29,346 |main |ServiceDispatcher |I| Registering dispatcher: RMIDispatcher
> [java] 2016-03-18 18:39:29,346 |main |ServiceContainer |I| Created new dispatcher: RMIDispatcher
> [java] 2016-03-18 18:39:29,745 |main |ContainerLoader |I| Started container rmi-dispatcher
>
> And if you use ant-secure target you see this in is-deserialized.txt
>
> org.ofbiz.service.rmi.RemoteDispatcherImpl_Stub
> java.rmi.server.RemoteStub
> java.rmi.server.RemoteObject
> org.ofbiz.service.rmi.socket.ssl.SSLClientSocketFactory
> [Ljava.rmi.server.ObjID;
> java.rmi.server.ObjID
> java.rmi.server.UID
> java.rmi.dgc.Lease
> java.rmi.dgc.VMID
>
> Those are not issues but show that RMI is still active.
>
> Actually I missed your change in start.properties but did the same in
> both.properties.
>
> Initially I wondered if the only thing needed was not to comment out the
> RmiDispatcher in service/ofbiz-component.xml
> Because once you have done that no RMI services can be used.
> I finally decided to do more because the Distributed Clear Cache relies on
> JNDI, JMS and RMI. So I also deactivated the JNDI server and then got
> further with all changes below.
>
> Thinking about it now, since the Rmi Service Dispatcher and the JNDI
> server are at the root of all, it's maybe the only things which need to be
> deactivated (trying to minimise the changes) with of course the RMI test
> services which would fail else.
>
> What do you think?
>
> Jacques
>
>
> On 18/03/2016 17:28, Jacopo Cappellato wrote:
>
>> Hi Jacques,
>>
>> thanks for working at this.
>> However I think that there is a simpler/better way to disable the component
>> by default; by using the following patch:
>>
>> Index: framework/start/src/org/ofbiz/base/start/start.properties >> =================================================================== >> --- framework/start/src/org/ofbiz/base/start/start.properties (revision >> 1735404) >> +++ framework/start/src/org/ofbiz/base/start/start.properties (working >> copy)
>> @@ -40,7 +40,7 @@ >> >> # --- StartupLoader implementations to load (in order) >> ofbiz.start.loader1=org.ofbiz.base.container.ContainerLoader >> -ofbiz.start.loader1.loaders=main,rmi >> +ofbiz.start.loader1.loaders=main >> >> # -- Enable the shutdown hook >> #ofbiz.enable.hook=true >> >> I didn't test it but it should work! >> >> Jacopo >> >> On Fri, Mar 18, 2016 at 11:38 AM, <[email protected]> wrote: >> >> Author: jleroux >>> Date: Fri Mar 18 10:38:04 2016 >>> New Revision: 1735569 >>> >>> URL: http://svn.apache.org/viewvc?rev=1735569&view=rev >>> Log: >>> Fixes "Comment out RMI related code because of the Java deserialization >>> issue" - https://issues.apache.org/jira/browse/OFBIZ-6942 >>> >>> I decided to comment out as less as possible because once the RMI >>> loaders, >>> the RMI dispatcher and the related test services are off there is no RMI >>> related danger left (test services are not a danger but would fail during >>> tests run). It's then easier for users who need RMI in their projects to >>> have only to uncomment those and not digg everywhere. Because the naming >>> (JNDI) server relies on the rmi loader it will also be commented out. >>> >>> Modified: >>> ofbiz/trunk/framework/base/config/ofbiz-containers.xml >>> ofbiz/trunk/framework/base/ofbiz-component.xml >>> ofbiz/trunk/framework/common/servicedef/services_test.xml >>> ofbiz/trunk/framework/service/ofbiz-component.xml >>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>> >>> Modified: ofbiz/trunk/framework/base/config/ofbiz-containers.xml >>> URL: >>> >>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/ofbiz-containers.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>> >>> >>> ============================================================================== >>> --- ofbiz/trunk/framework/base/config/ofbiz-containers.xml (original) >>> +++ ofbiz/trunk/framework/base/config/ofbiz-containers.xml Fri Mar 18 >>> 10:38:04 2016 
>>> @@ -21,8 +21,11 @@ under the License. >>> <ofbiz-containers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance >>> " >>> xsi:noNamespaceSchemaLocation=" >>> http://ofbiz.apache.org/dtds/ofbiz-containers.xsd"> >>> >>> + <!-- Because of the danger of Java deserialization when using RMI, >>> we >>> (PMC) have decided to comment out main RMI related code entries. >>> + If you need RMI you just need to uncomment those places - See >>> OFBIZ-6942 for details --> >>> <!-- load the ofbiz component container (always first) --> >>> - <container name="component-container" >>> loaders="main,rmi,pos,load-data" >>> class="org.ofbiz.base.container.ComponentContainer"/> >>> + <!-- <container name="component-container" >>> loaders="main,rmi,pos,load-data" >>> class="org.ofbiz.base.container.ComponentContainer"/> --> >>> + <container name="component-container" loaders="main,pos,load-data" >>> class="org.ofbiz.base.container.ComponentContainer"/> >>> >>> <container name="component-container-test" loaders="test" >>> class="org.ofbiz.base.container.ComponentContainer"> >>> <property name="ofbiz.instrumenterClassName" >>> value="org.ofbiz.base.config.CoberturaInstrumenter"/> >>> >>> Modified: ofbiz/trunk/framework/base/ofbiz-component.xml >>> URL: >>> >>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>> >>> >>> ============================================================================== >>> --- ofbiz/trunk/framework/base/ofbiz-component.xml (original) >>> +++ ofbiz/trunk/framework/base/ofbiz-component.xml Fri Mar 18 10:38:04 >>> 2016 
>>> @@ -33,11 +33,13 @@ under the License. >>> >>> <test-suite loader="main" location="testdef/basetests.xml"/> >>> >>> + <!-- Because of the danger of Java deserialization when using RMI, >>> we >>> (PMC) have decided to comment out main RMI related code entries. >>> + If you need RMI you just need to uncomment those places - See >>> OFBIZ-6942 for details --> >>> <!-- load the naming (JNDI) server --> >>> - <container name="naming-container" loaders="rmi" >>> class="org.ofbiz.base.container.NamingServiceContainer"> >>> + <!-- <container name="naming-container" loaders="rmi" >>> class="org.ofbiz.base.container.NamingServiceContainer"> >>> <property name="host" value="0.0.0.0"/> >>> <property name="port" value="1099"/> >>> - </container> >>> + </container> --> >>> >>> <!-- load BeanShell remote telnet server --> >>> <!-- Commented out by default for security reasons --> >>> >>> Modified: ofbiz/trunk/framework/common/servicedef/services_test.xml >>> URL: >>> >>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services_test.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>> >>> >>> ============================================================================== >>> --- ofbiz/trunk/framework/common/servicedef/services_test.xml (original) >>> +++ ofbiz/trunk/framework/common/servicedef/services_test.xml Fri Mar 18 >>> 10:38:04 2016 
>>> @@ -47,15 +47,17 @@ under the License. >>> <service name="testError" engine="java" export="true" >>> validate="false" require-new-transaction="true" max-retry="1" >>> location="org.ofbiz.common.CommonServices" >>> invoke="returnErrorService"> >>> </service> >>> + <!-- Because of the danger of Java deserialization when using RMI, >>> we >>> (PMC) have decided to comment out main RMI related code entries. >>> + If you need RMI you just need to uncomment those places - See >>> OFBIZ-6942 for details --> >>> <!-- see serviceengine.xml to configure the rmi location alias --> >>> - <service name="testRmi" engine="rmi" validate="false" >>> + <!-- <service name="testRmi" engine="rmi" validate="false" >>> location="main-rmi" invoke="testScv"> >>> <implements service="testScv"/> >>> </service> >>> <service name="testRmiFail" engine="rmi" validate="false" >>> location="main-rmi" invoke="testBsh"> >>> <implements service="testScv"/> >>> - </service> >>> + </service> --> >>> >>> <service name="testRollback" engine="java" export="true" >>> validate="false" >>> location="org.ofbiz.common.CommonServices" >>> invoke="testRollbackListener"> >>> >>> Modified: ofbiz/trunk/framework/service/ofbiz-component.xml >>> URL: >>> >>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>> >>> >>> ============================================================================== >>> --- ofbiz/trunk/framework/service/ofbiz-component.xml (original) >>> +++ ofbiz/trunk/framework/service/ofbiz-component.xml Fri Mar 18 10:38:04 >>> 2016 
>>> @@ -44,12 +44,17 @@ under the License. >>> <keystore name="rmitrust" type="jks" password="changeit" >>> is-truststore="true" >>> is-certstore="false" loader="main" >>> location="config/rmitrust.jks"/> >>> >>> - <container name="service-container" >>> loaders="main,rmi,pos,load-data,test" >>> class="org.ofbiz.service.ServiceContainer"> >>> + <!-- Because of the danger of Java deserialization when using RMI, >>> we >>> (PMC) have decided to comment out main RMI related code entries. >>> + If you need RMI you just need to uncomment those places - See >>> OFBIZ-6942 for details --> >>> + <!-- <container name="service-container" >>> loaders="main,rmi,pos,load-data,test" >>> class="org.ofbiz.service.ServiceContainer"> --> >>> + <container name="service-container" >>> loaders="main,pos,load-data,test" >>> class="org.ofbiz.service.ServiceContainer"> >>> <property name="dispatcher-factory" >>> value="org.ofbiz.service.GenericDispatcherFactory"/> >>> </container> >>> >>> + <!-- Because of the danger of Java deserialization when using RMI, >>> we >>> (PMC) have decided to comment out main RMI related code entries. >>> + If you need RMI you just need to uncomment those places - See >>> OFBIZ-6942 for details --> >>> <!-- RMI Service Dispatcher --> >>> - <container name="rmi-dispatcher" loaders="rmi" >>> class="org.ofbiz.service.rmi.RmiServiceContainer"> >>> + <!-- <container name="rmi-dispatcher" loaders="rmi" >>> class="org.ofbiz.service.rmi.RmiServiceContainer"> >>> <property name="bound-name" value="RMIDispatcher"/> >>> <property name="bound-host" value="127.0.0.1"/> >>> <property name="bound-port" value="1099"/> 
>>> @@ -61,7 +66,7 @@ under the License. >>> <property name="ssl-keystore-pass" value="changeit"/> >>> <property name="ssl-keystore-alias" value="rmissl"/> >>> <property name="ssl-client-auth" value="false"/> >>> - </container> >>> + </container> --> >>> >>> <!-- JavaMail Listener Container - Triggers MCA Rules --> >>> <!-- if delete-mail is set to true, will delete messages after >>> fetching them. otherwise, will try to mark them as seen >>> >>> Modified: >>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>> URL: >>> >>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties?rev=1735569&r1=1735568&r2=1735569&view=diff >>> >>> >>> ============================================================================== >>> --- ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>> (original) >>> +++ ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>> Fri Mar 18 10:38:04 2016 >>> @@ -35,7 +35,10 @@ ofbiz.start.loader1=org.ofbiz.base.splas >>> >>> # --- StartupLoader implementations to load (in order) >>> ofbiz.start.loader2=org.ofbiz.base.container.ContainerLoader >>> -ofbiz.start.loader2.loaders=main,pos,rmi >>> +# Because of the danger of Java deserialization when using RMI, we (PMC) >>> have decided to comment out main RMI related code entries. >>> +# If you need RMI you just need to uncomment those places - See >>> OFBIZ-6942 for details --> >>> +#ofbiz.start.loader2.loaders=main,pos,rmi >>> +ofbiz.start.loader2.loaders=main,pos >>> >>> # -- Splash Logo >>> ofbiz.start.splash.logo=framework/images/webapp/images/ofbiz_logo.gif >>> >>> >>> >>>
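Review bot: in the start.properties hunk, `ofbiz.start.loader1.loaders=main` drops `rmi` with no comment saying why or how to turn it back on. The both.properties hunk later in this mail carries a two-line `#` notice pointing at OFBIZ-6942; add the same notice above this line so the two files read alike.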
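Review bot: in the ofbiz-containers.xml hunk, the old `component-container` line is kept as a commented-out copy directly above its replacement, and the two differ only by `rmi` in the `loaders` list, so the copy goes stale as soon as the live line changes. Drop the commented copy and have the notice say that `rmi` must be added back to `loaders`.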
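Review bot: in the framework/base/ofbiz-component.xml hunk, the commented-out `naming-container` still carries `<property name="host" value="0.0.0.0"/>` with port 1099, so anyone who follows the notice and uncomments it gets the naming server listening on every interface. The rmi-dispatcher block in framework/service/ofbiz-component.xml uses `bound-host` 127.0.0.1; consider the same default here, or say in the notice that the host should be restricted before re-enabling.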
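Review bot: in the services_test.xml hunk, the existing comment `see serviceengine.xml to configure the rmi location alias` now sits outside the commented-out block and directly above it, so after this change it reads as if it applied to the next live service, `testRollback`. Move it inside the commented block. serviceengine.xml is also not in this commit's Modified list, so whatever it defines for `main-rmi` is left as it was; say in the notice whether that is intended.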
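Review bot: in the first framework/service/ofbiz-component.xml hunk, the `<!--` opened before `<container name="rmi-dispatcher"` is only closed by `</container> -->` in the following hunk, and the lines between the two hunks are not shown. XML comments do not nest, so if any property line in that gap has its own `<!-- ... -->` the file stops being well-formed; check that span before committing. The same two-line notice also appears twice within this hunk, and once would do.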
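Review bot: in the second framework/service/ofbiz-component.xml hunk, the block being commented out ends with `ssl-keystore-pass` set to `changeit` and `ssl-client-auth` set to `false`, which is exactly what users get back when they uncomment it as the notice suggests. Have the notice tell them to replace the keystore password and decide on client authentication before re-enabling the container.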
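Review bot: in the both.properties hunk, the second added comment line ends with `-->`, an XML comment terminator carried over from the .xml notices that means nothing in a properties file; remove it. start.properties is also absent from this commit's Modified list, while the start.properties hunk quoted earlier in this mail shows `ofbiz.start.loader1.loaders=main,rmi`, so that file needs the same edit for the change to be complete.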
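A check for the condition discussed in this thread, added here as an example (not code from OFBiz or from either poster): it reports startup properties, component XML and startup-log text that still reference the `rmi` loader, treating commented-out entries as inactive. The function names and the sample strings are constructed for illustration, modelled on the entries quoted above.

```python
import re
import xml.etree.ElementTree as ET

def _lists_rmi(csv):
    return "rmi" in [v.strip() for v in csv.split(",")]

def rmi_in_properties(text):
    """Active (uncommented) *.loaders keys that still list the rmi loader."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":      # properties comments are inactive
            continue
        key, _, value = line.partition("=")
        if key.strip().endswith(".loaders") and _lists_rmi(value):
            hits.append(key.strip())
    return hits

def rmi_in_component_xml(text):
    """Names of live <container> elements bound to the rmi loader.
    ElementTree's default parser discards comments, so commented-out
    containers are not reported."""
    root = ET.fromstring(text)
    return [c.get("name") for c in root.iter("container")
            if _lists_rmi(c.get("loaders", ""))]

def rmi_in_startup_log(text):
    """True if the log shows the rmi loader or the RMI dispatcher coming up."""
    for m in re.finditer(r"for loaders\s*\[([^\]]*)\]", text):
        if _lists_rmi(m.group(1)):
            return True
    return re.search(r"Registering dispatcher: RMIDispatcher", text) is not None

# Constructed samples modelled on the entries quoted in this thread.
PROPS_BEFORE = "ofbiz.start.loader1.loaders=main,rmi\n"
PROPS_AFTER = ("#ofbiz.start.loader2.loaders=main,pos,rmi\n"
               "ofbiz.start.loader2.loaders=main,pos\n")
XML_AFTER = """<ofbiz-component name="service">
  <container name="service-container" loaders="main,pos,load-data,test"
             class="org.ofbiz.service.ServiceContainer"/>
  <!-- <container name="rmi-dispatcher" loaders="rmi"
             class="org.ofbiz.service.rmi.RmiServiceContainer">
    <property name="bound-name" value="RMIDispatcher"/>
  </container> -->
</ofbiz-component>"""
XML_BEFORE = XML_AFTER.replace("<!-- ", "").replace(" -->", "")
LOG = "|main |ContainerLoader |I| [Startup] Loading containers for loaders [main, rmi]\n"

if __name__ == "__main__":
    print(rmi_in_properties(PROPS_BEFORE), rmi_in_properties(PROPS_AFTER))
    print(rmi_in_component_xml(XML_BEFORE), rmi_in_component_xml(XML_AFTER))
    print(rmi_in_startup_log(LOG))
```

Run the XML check over every ofbiz-component.xml in a checkout rather than only the files touched by the commit, since any component can declare a container on the `rmi` loader.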
