Ok,

I have applied my patch, and the output I get is:

     [java] 2016-03-21 15:50:18,632 |main                 |ContainerLoader
              |I| [Startup] Loading containers from
./framework/base/config/ofbiz-containers.xml for loaders [main]

However, in order to use the modified start.properties file you have to run:

./ant clean build

before start-secure

Could you please double check if you can get the same results?

Thanks,

Jacopo

On Mon, Mar 21, 2016 at 3:40 PM, Jacques Le Roux <
[email protected]> wrote:

> With start-secure target (same as start but with notsoserial protection
> activated)
>
> Ah, sorry wrote ant-secure target below :)
>
> Jacques
>
>
> On 21/03/2016 15:18, Jacopo Cappellato wrote:
>
>> Hi Jacques,
>>
>> how did you get that log? (how did you start OFBiz)
>>
>> Thanks,
>>
>> Jacopo
>>
>> On Sat, Mar 19, 2016 at 11:47 AM, Jacques Le Roux <
>> [email protected]> wrote:
>>
>>> Hi Jacopo,
>>>
>>> No it's not enough. Without the RmiDispatcher deactivated you can still
>>> run RMI services like testRMI.
>>> You get in log:
>>>
>>> [java] 2016-03-18 18:39:22,787 |main |ContainerLoader               |I|
>>> [Startup] Loading containers from
>>> c:/projectsASF/ofbiz/framework/base/config/ofbiz-containers.xml for
>>> loaders
>>> [main, rmi]
>>> [java] 2016-03-18 18:39:24,754 |main |ContainerLoader               |I|
>>> Loading component's container: rmi-dispatcher
>>> [java] 2016-03-18 18:39:24,755 |main |ContainerLoader               |I|
>>> Loaded component's container: rmi-dispatcher
>>> [java] 2016-03-18 18:39:27,966 |main |ContainerLoader               |I|
>>> Starting container rmi-dispatcher
>>> [java] 2016-03-18 18:39:29,346 |main |ServiceDispatcher             |I|
>>> Registering dispatcher: RMIDispatcher
>>> [java] 2016-03-18 18:39:29,346 |main |ServiceContainer              |I|
>>> Created new dispatcher: RMIDispatcher
>>> [java] 2016-03-18 18:39:29,745 |main |ContainerLoader               |I|
>>> Started container rmi-dispatcher
>>>
>>> And if you use ant-secure target you see this in is-deserialized.txt
>>>
>>> org.ofbiz.service.rmi.RemoteDispatcherImpl_Stub
>>> java.rmi.server.RemoteStub
>>> java.rmi.server.RemoteObject
>>> org.ofbiz.service.rmi.socket.ssl.SSLClientSocketFactory
>>> [Ljava.rmi.server.ObjID;
>>> java.rmi.server.ObjID
>>> java.rmi.server.UID
>>> java.rmi.dgc.Lease
>>> java.rmi.dgc.VMID
>>>
>>> Those are not issues but show that RMI is still active.
>>>
>>> Actually I missed your change in start.properties but did the same in
>>> both.properties.
>>>
>>> Initially I wondered if the only thing needed was not to comment out the
>>> RmiDispatcher in service/ofbiz-component.xml
>>> Because once you have done that no RMI services can be used.
>>> I finally decided to do more because the Distributed Clear Cache relies
>>> on
>>> JNDI, JMS and RMI. So I also deactivated the JNDI server and then got
>>> further with all changes below.
>>>
>>> Thinking about it now, since the Rmi Service Dispatcher and the JNDI
>>> server are at the root of all, it's maybe the only things which need to
>>> be
>>> deactivated (trying to minimise the changes) with of course the RMI test
>>> services which would fail else.
>>>
>>> What do you think?
>>>
>>> Jacques
>>>
>>>
>>> On 18/03/2016 17:28, Jacopo Cappellato wrote:
>>>
>>>> Hi Jacques,
>>>>
>>>> thanks for working at this.
>>>> However I think that there is a simpler/better way to disable the
>>>> component
>>>> by default; by using the following patch:
>>>>
>>>> Index: framework/start/src/org/ofbiz/base/start/start.properties
>>>> ===================================================================
>>>> --- framework/start/src/org/ofbiz/base/start/start.properties (revision
>>>> 1735404)
>>>> +++ framework/start/src/org/ofbiz/base/start/start.properties (working
>>>> copy)
>>>> @@ -40,7 +40,7 @@
>>>>
>>>>    # --- StartupLoader implementations to load (in order)
>>>>    ofbiz.start.loader1=org.ofbiz.base.container.ContainerLoader
>>>> -ofbiz.start.loader1.loaders=main,rmi
>>>> +ofbiz.start.loader1.loaders=main
>>>>
>>>>    # -- Enable the shutdown hook
>>>>    #ofbiz.enable.hook=true
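
Review bot: the replacement line `ofbiz.start.loader1.loaders=main` drops `rmi` with no comment saying why or how to turn it back on, and it covers start.properties only. The commit quoted further down edits both.properties, where the list was `main,pos,rmi`, so every start properties file that names `rmi` needs the same edit, and a one-line comment pointing at OFBIZ-6942 above the loaders key would keep the reason next to the setting.
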
>>>>
>>>> I didn't test it but it should work!
>>>>
>>>> Jacopo
>>>>
>>>> On Fri, Mar 18, 2016 at 11:38 AM, <[email protected]> wrote:
>>>>
>>>>> Author: jleroux
>>>>>
>>>>> Date: Fri Mar 18 10:38:04 2016
>>>>> New Revision: 1735569
>>>>>
>>>>> URL: http://svn.apache.org/viewvc?rev=1735569&view=rev
>>>>> Log:
>>>>> Fixes "Comment out RMI related code because of the Java deserialization
>>>>> issue" - https://issues.apache.org/jira/browse/OFBIZ-6942
>>>>>
>>>>> I decided to comment out as little as possible because once the RMI
>>>>> loaders,
>>>>> the RMI dispatcher and the related test services are off there is no
>>>>> RMI
>>>>> related danger left (test services are not a danger but would fail
>>>>> during
>>>>> tests run). It's then easier for users who need RMI in their projects
>>>>> to
>>>>> have only to uncomment those and not dig everywhere. Because the
>>>>> naming
>>>>> (JNDI) server relies on the rmi loader it will also be commented out.
>>>>>
>>>>> Modified:
>>>>>       ofbiz/trunk/framework/base/config/ofbiz-containers.xml
>>>>>       ofbiz/trunk/framework/base/ofbiz-component.xml
>>>>>       ofbiz/trunk/framework/common/servicedef/services_test.xml
>>>>>       ofbiz/trunk/framework/service/ofbiz-component.xml
>>>>>
>>>>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties
>>>>>
>>>>> Modified: ofbiz/trunk/framework/base/config/ofbiz-containers.xml
>>>>> URL:
>>>>>
>>>>>
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/ofbiz-containers.xml?rev=1735569&r1=1735568&r2=1735569&view=diff
>>>>>
>>>>>
>>>>>
>>>>> ==============================================================================
>>>>> --- ofbiz/trunk/framework/base/config/ofbiz-containers.xml (original)
>>>>> +++ ofbiz/trunk/framework/base/config/ofbiz-containers.xml Fri Mar 18
>>>>> 10:38:04 2016
>>>>> @@ -21,8 +21,11 @@ under the License.
>>>>>    <ofbiz-containers xmlns:xsi="
>>>>> http://www.w3.org/2001/XMLSchema-instance
>>>>> "
>>>>>            xsi:noNamespaceSchemaLocation="
>>>>> http://ofbiz.apache.org/dtds/ofbiz-containers.xsd";>
>>>>>
>>>>> +    <!-- Because of the danger of Java deserialization when using RMI,
>>>>> we
>>>>> (PMC) have decided to comment out main RMI related code entries.
>>>>> +         If you need RMI you just need to uncomment those places - See
>>>>> OFBIZ-6942 for details -->
>>>>>        <!-- load the ofbiz component container (always first) -->
>>>>> -    <container name="component-container"
>>>>> loaders="main,rmi,pos,load-data"
>>>>> class="org.ofbiz.base.container.ComponentContainer"/>
>>>>> +    <!-- <container name="component-container"
>>>>> loaders="main,rmi,pos,load-data"
>>>>> class="org.ofbiz.base.container.ComponentContainer"/> -->
>>>>> +    <container name="component-container" loaders="main,pos,load-data"
>>>>> class="org.ofbiz.base.container.ComponentContainer"/>
>>>>>
>>>>>        <container name="component-container-test" loaders="test"
>>>>> class="org.ofbiz.base.container.ComponentContainer">
>>>>>            <property name="ofbiz.instrumenterClassName"
>>>>> value="org.ofbiz.base.config.CoberturaInstrumenter"/>
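
Review bot: on the `component-container` lines the old definition is kept as a comment directly above the new one, so the added instruction "you just need to uncomment those places" is incomplete here. Uncommenting without also removing the `loaders="main,pos,load-data"` line leaves two containers named `component-container`; either say in the comment that the active line has to be replaced, or drop the commented copy and name the loader to add back.
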
>>>>>
>>>>> Modified: ofbiz/trunk/framework/base/ofbiz-component.xml
>>>>> URL:
>>>>>
>>>>>
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff
>>>>>
>>>>>
>>>>>
>>>>> ==============================================================================
>>>>> --- ofbiz/trunk/framework/base/ofbiz-component.xml (original)
>>>>> +++ ofbiz/trunk/framework/base/ofbiz-component.xml Fri Mar 18 10:38:04
>>>>> 2016
>>>>> @@ -33,11 +33,13 @@ under the License.
>>>>>
>>>>>        <test-suite loader="main" location="testdef/basetests.xml"/>
>>>>>
>>>>> +    <!-- Because of the danger of Java deserialization when using RMI,
>>>>> we
>>>>> (PMC) have decided to comment out main RMI related code entries.
>>>>> +         If you need RMI you just need to uncomment those places - See
>>>>> OFBIZ-6942 for details -->
>>>>>        <!-- load the naming (JNDI) server -->
>>>>> -    <container name="naming-container" loaders="rmi"
>>>>> class="org.ofbiz.base.container.NamingServiceContainer">
>>>>> +    <!-- <container name="naming-container" loaders="rmi"
>>>>> class="org.ofbiz.base.container.NamingServiceContainer">
>>>>>            <property name="host" value="0.0.0.0"/>
>>>>>            <property name="port" value="1099"/>
>>>>> -    </container>
>>>>> +    </container> -->
>>>>>
>>>>>        <!-- load BeanShell remote telnet server -->
>>>>>        <!-- Commented out by default for security reasons -->
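
Review bot: the commented-out `naming-container` keeps `host` at `0.0.0.0` with port `1099`, and the new comment tells users they "just need to uncomment" it, which puts the naming server back on every interface. The `rmi-dispatcher` container in framework/service/ofbiz-component.xml uses `bound-host` `127.0.0.1`; consider the same value here, or have the comment say that the bind address should be restricted before re-enabling.
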
>>>>>
>>>>> Modified: ofbiz/trunk/framework/common/servicedef/services_test.xml
>>>>> URL:
>>>>>
>>>>>
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services_test.xml?rev=1735569&r1=1735568&r2=1735569&view=diff
>>>>>
>>>>>
>>>>>
>>>>> ==============================================================================
>>>>> --- ofbiz/trunk/framework/common/servicedef/services_test.xml
>>>>> (original)
>>>>> +++ ofbiz/trunk/framework/common/servicedef/services_test.xml Fri Mar
>>>>> 18
>>>>> 10:38:04 2016
>>>>> @@ -47,15 +47,17 @@ under the License.
>>>>>        <service name="testError" engine="java" export="true"
>>>>> validate="false" require-new-transaction="true" max-retry="1"
>>>>>                location="org.ofbiz.common.CommonServices"
>>>>> invoke="returnErrorService">
>>>>>        </service>
>>>>> +    <!-- Because of the danger of Java deserialization when using RMI,
>>>>> we
>>>>> (PMC) have decided to comment out main RMI related code entries.
>>>>> +         If you need RMI you just need to uncomment those places - See
>>>>> OFBIZ-6942 for details -->
>>>>>        <!-- see serviceengine.xml to configure the rmi location alias
>>>>> -->
>>>>> -    <service name="testRmi" engine="rmi" validate="false"
>>>>> +    <!-- <service name="testRmi" engine="rmi" validate="false"
>>>>>                location="main-rmi" invoke="testScv">
>>>>>            <implements service="testScv"/>
>>>>>        </service>
>>>>>        <service name="testRmiFail" engine="rmi" validate="false"
>>>>>                location="main-rmi" invoke="testBsh">
>>>>>            <implements service="testScv"/>
>>>>> -    </service>
>>>>> +    </service> -->
>>>>>
>>>>>        <service name="testRollback" engine="java" export="true"
>>>>> validate="false"
>>>>>                location="org.ofbiz.common.CommonServices"
>>>>> invoke="testRollbackListener">
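
Review bot: the comment opened at `<!-- <service name="testRmi"` closes only after `testRmiFail`, so both services are switched together, while `location="main-rmi"` still refers to the alias that the context comment places in serviceengine.xml, a file that is not in this commit's Modified list. The added comment should mention that the alias stays defined and has to resolve to a running dispatcher before these services are uncommented.
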
>>>>>
>>>>> Modified: ofbiz/trunk/framework/service/ofbiz-component.xml
>>>>> URL:
>>>>>
>>>>>
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff
>>>>>
>>>>>
>>>>>
>>>>> ==============================================================================
>>>>> --- ofbiz/trunk/framework/service/ofbiz-component.xml (original)
>>>>> +++ ofbiz/trunk/framework/service/ofbiz-component.xml Fri Mar 18
>>>>> 10:38:04
>>>>> 2016
>>>>> @@ -44,12 +44,17 @@ under the License.
>>>>>        <keystore name="rmitrust" type="jks" password="changeit"
>>>>> is-truststore="true"
>>>>>                  is-certstore="false" loader="main"
>>>>> location="config/rmitrust.jks"/>
>>>>>
>>>>> -    <container name="service-container"
>>>>> loaders="main,rmi,pos,load-data,test"
>>>>> class="org.ofbiz.service.ServiceContainer">
>>>>> +    <!-- Because of the danger of Java deserialization when using RMI,
>>>>> we
>>>>> (PMC) have decided to comment out main RMI related code entries.
>>>>> +         If you need RMI you just need to uncomment those places - See
>>>>> OFBIZ-6942 for details -->
>>>>> +    <!-- <container name="service-container"
>>>>> loaders="main,rmi,pos,load-data,test"
>>>>> class="org.ofbiz.service.ServiceContainer"> -->
>>>>> +    <container name="service-container"
>>>>> loaders="main,pos,load-data,test"
>>>>> class="org.ofbiz.service.ServiceContainer">
>>>>>            <property name="dispatcher-factory"
>>>>> value="org.ofbiz.service.GenericDispatcherFactory"/>
>>>>>        </container>
>>>>>
>>>>> +    <!-- Because of the danger of Java deserialization when using RMI,
>>>>> we
>>>>> (PMC) have decided to comment out main RMI related code entries.
>>>>> +         If you need RMI you just need to uncomment those places - See
>>>>> OFBIZ-6942 for details -->
>>>>>        <!-- RMI Service Dispatcher -->
>>>>> -    <container name="rmi-dispatcher" loaders="rmi"
>>>>> class="org.ofbiz.service.rmi.RmiServiceContainer">
>>>>> +    <!-- <container name="rmi-dispatcher" loaders="rmi"
>>>>> class="org.ofbiz.service.rmi.RmiServiceContainer">
>>>>>            <property name="bound-name" value="RMIDispatcher"/>
>>>>>            <property name="bound-host" value="127.0.0.1"/>
>>>>>            <property name="bound-port" value="1099"/>
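
Review bot: the `<!--` added before `<container name="rmi-dispatcher"` is closed only in the next hunk, and the lines between the two hunks are not shown. XML comments cannot nest or contain `--`, so if any property in that unshown stretch is itself commented out the file will no longer parse; worth confirming before this goes in.
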
>>>>> @@ -61,7 +66,7 @@ under the License.
>>>>>            <property name="ssl-keystore-pass" value="changeit"/>
>>>>>            <property name="ssl-keystore-alias" value="rmissl"/>
>>>>>            <property name="ssl-client-auth" value="false"/>
>>>>> -    </container>
>>>>> +    </container> -->
>>>>>
>>>>>        <!-- JavaMail Listener Container - Triggers MCA Rules -->
>>>>>        <!-- if delete-mail is set to true, will delete messages after
>>>>> fetching them. otherwise, will try to mark them as seen
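
Review bot: the context just above the closing `</container> -->` shows `ssl-keystore-pass` set to `changeit` and `ssl-client-auth` set to `false`, so following the added "just need to uncomment" instruction brings back a dispatcher with the default keystore password and no client authentication. The comment should say that both need changing before RMI is re-enabled.
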
>>>>>
>>>>> Modified:
>>>>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties
>>>>> URL:
>>>>>
>>>>>
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties?rev=1735569&r1=1735568&r2=1735569&view=diff
>>>>>
>>>>>
>>>>>
>>>>> ==============================================================================
>>>>> ---
>>>>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties
>>>>> (original)
>>>>> +++
>>>>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties
>>>>> Fri Mar 18 10:38:04 2016
>>>>> @@ -35,7 +35,10 @@ ofbiz.start.loader1=org.ofbiz.base.splas
>>>>>
>>>>>    # --- StartupLoader implementations to load (in order)
>>>>>    ofbiz.start.loader2=org.ofbiz.base.container.ContainerLoader
>>>>> -ofbiz.start.loader2.loaders=main,pos,rmi
>>>>> +# Because of the danger of Java deserialization when using RMI, we
>>>>> (PMC)
>>>>> have decided to comment out main RMI related code entries.
>>>>> +# If you need RMI you just need to uncomment those places - See
>>>>> OFBIZ-6942 for details -->
>>>>> +#ofbiz.start.loader2.loaders=main,pos,rmi
>>>>> +ofbiz.start.loader2.loaders=main,pos
>>>>>
>>>>>    # -- Splash Logo
>>>>>
>>>>>  ofbiz.start.splash.logo=framework/images/webapp/images/ofbiz_logo.gif
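
Review bot: the second added comment line, the one ending `See OFBIZ-6942 for details -->`, carries a trailing `-->` that looks copied from the XML comments and means nothing in a properties file; drop it. start.properties is also absent from this commit's Modified list, so a start-up that reads that file is not covered by this hunk.
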
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
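
The check both participants do by eye on the startup log and on the loaders key can be scripted. This is an added example, not part of the thread or of OFBiz; the function names are hypothetical and the sample inputs are constructed from the log and properties formats quoted above.

```python
import re

# Constructed sample: startup lines in the format quoted in the thread,
# including the mail client's hard line wraps.
SAMPLE_LOG = """\
[java] 2016-03-18 18:39:22,787 |main |ContainerLoader               |I|
[Startup] Loading containers from
./framework/base/config/ofbiz-containers.xml for
loaders
[main, rmi]
[java] 2016-03-18 18:39:27,966 |main |ContainerLoader               |I|
Starting container rmi-dispatcher
[java] 2016-03-18 18:39:29,346 |main |ServiceDispatcher             |I|
Registering dispatcher: RMIDispatcher
"""
# Constructed sample of a start properties file after the change.
SAMPLE_PROPS = """\
#ofbiz.start.loader2.loaders=main,pos,rmi
ofbiz.start.loader2.loaders=main,pos
"""

LOADERS_RE = re.compile(r"for loaders \[([^\]]*)\]")
NAMED_RE = re.compile(r"(Starting container|Registering dispatcher:) (\S+)")
PROP_RE = re.compile(r"^\s*(ofbiz\.start\.loader\d+\.loaders)\s*=\s*(.*)$")


def rmi_findings(log_text):
    """Return reasons the startup log shows RMI is active (empty = none)."""
    flat = " ".join(log_text.split())  # undo hard wraps before matching
    findings = []
    for m in LOADERS_RE.finditer(flat):
        loaders = [x.strip() for x in m.group(1).split(",")]
        if "rmi" in loaders:
            findings.append("loader list includes rmi")
    for what, name in NAMED_RE.findall(flat):
        if "rmi" in name.lower():
            findings.append("%s %s" % (what, name))
    return findings


def rmi_loader_keys(props_text):
    """Return active (uncommented) loader keys whose list still names rmi."""
    hits = []
    for line in props_text.splitlines():
        m = PROP_RE.match(line)  # a leading '#' prevents a match
        if m and "rmi" in [x.strip() for x in m.group(2).split(",")]:
            hits.append(m.group(1))
    return hits
```

Run `rmi_loader_keys` over each start properties file and `rmi_findings` over the console log of a fresh start; an empty result from both corresponds to the `for loaders [main]` output at the top of the thread.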
