On Thu, Aug 27, 2015 at 6:44 PM, Supun Malinga <[email protected]> wrote:

> Hi,
>
> Found that the issue happens at the following,
>
>         at
> org.wso2.carbon.user.core.common.AbstractUserStoreManager.listUsers(AbstractUserStoreManager.java:2034)
>         at
> org.apache.jsp.carbon.usermgt.index_jsp._jspService(index_jsp.java:167)
>
> I did the following fix in CarbonContext (where the user realm is
> retrieved initially), and the issue disappeared. Is this a good enough
> solution? Or do we have to explicitly do permission checks in
> AbstractUserStoreManager? So far there is none in that. Let me know.
>
> +++
> b/core/org.wso2.carbon.utils/src/main/java/org/wso2/carbon/context/CarbonContext.java
> @@ -233,6 +233,8 @@ public class CarbonContext {
>       * @return the user realm instance.
>       */
>      public UserRealm getUserRealm() {
> +        CarbonUtils.checkSecurity();
>          return getCarbonContextDataHolder().getUserRealm();
>      }
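Review bot: the added `CarbonUtils.checkSecurity();` in `getUserRealm()` guards only this one accessor, while the stack trace quoted above shows the failing read originating inside `AbstractUserStoreManager.listUsers`, which the thread says has no permission check of its own; any caller that reaches the realm without going through `CarbonContext.getUserRealm()` is therefore unaffected, so the open question about checks in `AbstractUserStoreManager` is not settled by this hunk. It is also a different mechanism from the Privileged Block (`AccessController.doPrivileged`) approach suggested earlier in the thread: a check at the entry point decides who may call, whereas a privileged block is what would let the Carbon-side file read proceed without granting the webapp `FilePermission` on the H2 data file. A one-line comment above the new call stating which permission `checkSecurity()` enforces, and why the check belongs at this accessor, would let reviewers tell the two approaches apart.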
>

Any idea why this is not needed for AS 5.2.1?

>
> thanks,
>
>
> On Tue, Aug 25, 2015 at 12:17 PM, Supun Malinga <[email protected]> wrote:
>
>> thanks Isuru. Let me see what I can find.
>>
>> thanks
>>
>> On Tue, Aug 25, 2015 at 12:12 PM, Isuru Perera <[email protected]> wrote:
>>
>>> Hi Supun,
>>>
>>> I'm sorry I missed this mail. We need to identify which method is
>>> accessing the local database. We should never give explicit read
>>> permissions for the H2 database.
>>>
>>> We need to use Java Privileged Block API in Carbon Context APIs. If you
>>> cannot figure out the protection domain for the access failure, please
>>> check Java Security Debug logs. See Troubleshooting section in my Java
>>> Security Manager related blog post [1].
>>>
>>> With the Privileged Block API, we can let Carbon Context APIs use the same
>>> permissions we give to Carbon code.
>>>
>>> Thanks!
>>>
>>> Best Regards,
>>>
>>> [1]
>>> http://isuru-perera.blogspot.com/2014/12/enabling-java-security-manager-for-wso2.html
>>>
>>>
>>> On Thu, Aug 13, 2015 at 3:37 PM, Supun Malinga <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> For accessing usermgt via CarbonContext, I had to provide the following
>>>> permission for the webapp.
>>>>
>>>>     permission java.io.FilePermission
>>>> "/home/supun/smoke/java_sec/530_custom/wso2as-5.3.0-SNAPSHOT/repository/database/WSO2CARBON_DB.data.db",
>>>> "read";
>>>>
>>>> I tested with AS 5.2.1 and we don't need this in 5.2.1.
>>>>
>>>> Can anyone tell why this is needed and if it's an issue?
>>>>
>>>> thanks,
>>>> --
>>>> Supun Malinga,
>>>>
>>>> Senior Software Engineer,
>>>> WSO2 Inc.
>>>> http://wso2.com
>>>> email: [email protected] <[email protected]>
>>>> mobile: +94 (0)71 56 91 321
>>>>
>>>
>>>
>>>
>>> --
>>> Isuru Perera
>>> Associate Technical Lead | WSO2, Inc. | http://wso2.com/
>>> Lean . Enterprise . Middleware
>>>
>>> about.me/chrishantha
>>> Contact: +IsuruPereraWSO2
>>> <https://www.google.com/+IsuruPereraWSO2/about>
>>>
>>
>



-- 

Aruna Sujith Karunarathna | Software Engineer
WSO2, Inc | lean. enterprise. middleware.
#20, Palm Grove, Colombo 03, Sri Lanka
Mobile: +94 71 9040362 | Work: +94 112145345
Email: [email protected] | Web: www.wso2.com
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
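The following is an added example, not WSO2 code or the patch under discussion, showing the two mechanisms the thread contrasts: Isuru's Privileged Block suggestion (wrapping the Carbon-side file read in `AccessController.doPrivileged`, so the webapp's protection domain is no longer on the checked stack and needs no `FilePermission` on the H2 data file) and Supun's question about an explicit permission check at the entry point. The class `PrivilegedRealmDemo`, the permission name `demo.usermgt.listUsers`, the `callAs` helper and the temporary data file are all constructed for this demo; the real `CarbonUtils.checkSecurity()` and `AbstractUserStoreManager` are not modelled.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.util.Arrays;

/** Added illustration, not WSO2 code: a stand-in for a user-store manager reading the H2 data file. */
public class PrivilegedRealmDemo {

    /** Hypothetical permission gating entry to the realm; the name is chosen for this demo only. */
    static final Permission LIST_USERS = new RuntimePermission("demo.usermgt.listUsers");

    private final File dbFile;

    PrivilegedRealmDemo(File dbFile) { this.dbFile = dbFile; }

    /** "Before": the read runs on the caller's stack, so every frame, including the webapp's
     *  protection domain, must hold FilePermission "read" on the data file. */
    int listUsersDirect() throws IOException {
        return Files.readAllLines(dbFile.toPath()).size();
    }

    /** "After": an explicit check decides who may call at all, then doPrivileged stops the
     *  stack walk here so only this (Carbon-side) class's grant is consulted for the read. */
    int listUsersPrivileged() throws IOException {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(LIST_USERS);   // entry-point check, evaluated against the caller
        }
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<Integer>) () -> Files.readAllLines(dbFile.toPath()).size());
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();   // readAllLines only throws IOException
        }
    }

    /** Runs an action as if it were called from a domain holding only the given permissions. */
    static int callAs(Permissions granted, PrivilegedExceptionAction<Integer> action) throws Exception {
        AccessControlContext ctx = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, granted) });
        try {
            return AccessController.doPrivileged(action, ctx);
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data file standing in for WSO2CARBON_DB.data.db.
        File db = File.createTempFile("demo_WSO2CARBON_DB", ".data.db");
        db.deleteOnExit();
        Files.write(db.toPath(), Arrays.asList("admin", "alice", "bob"));

        // Grant this class (playing the "Carbon code") everything, then turn the SecurityManager on.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain pd, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());

        PrivilegedRealmDemo realm = new PrivilegedRealmDemo(db);

        Permissions webapp = new Permissions();
        webapp.add(LIST_USERS);   // the webapp may list users but holds no FilePermission

        try {
            callAs(webapp, realm::listUsersDirect);
            System.out.println("direct read unexpectedly allowed");
        } catch (SecurityException e) {   // AccessControlException is a SecurityException
            System.out.println("direct read denied: " + e.getMessage());
        }

        System.out.println("privileged read: " + callAs(webapp, realm::listUsersPrivileged) + " users");

        try {
            callAs(new Permissions(), realm::listUsersPrivileged);   // caller lacks LIST_USERS
            System.out.println("ungated call unexpectedly allowed");
        } catch (SecurityException e) {
            System.out.println("entry check denied: " + e.getMessage());
        }
    }
}
```

Run it with `javac PrivilegedRealmDemo.java && java PrivilegedRealmDemo` on JDK 8 to 17; JDK 18 to 23 need `-Djava.security.manager=allow` because the SecurityManager is deprecated for removal there, and JDK 24 (JEP 486) no longer supports installing one. The first call fails with an `AccessControlException` for the missing `FilePermission`, matching the symptom in the thread; the second succeeds because the privileged block limits the check to the realm class's own grant; the third shows that the privileged block does not bypass the entry-point check, which is the combination a defender wants: gate the public API, then elevate only the narrow internal read.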
