Hi Supun,

The checkSecurity method just checks for a permission. I'm not sure how your fix works. But it doesn't seem to be a proper solution. We might need to debug more and see.
Can you check whether you have fixes for https://wso2.org/jira/browse/IDENTITY-3340?

On Fri, Aug 28, 2015 at 9:55 AM, Aruna Karunarathna <[email protected]> wrote:

> On Thu, Aug 27, 2015 at 6:44 PM, Supun Malinga <[email protected]> wrote:
>
>> Hi,
>>
>> Found that the issue happens at the following,
>>
>> at org.wso2.carbon.user.core.common.AbstractUserStoreManager.listUsers(AbstractUserStoreManager.java:2034)
>> at org.apache.jsp.carbon.usermgt.index_jsp._jspService(index_jsp.java:167)
>>
>> I did the following fix in CarbonContext (where the user realm is retrieved initially), and the issue disappeared. Is this a good enough solution? Or do we have to explicitly do permission checks in AbstractUserStoreManager? So far there is none in that. Let me know.
>>
>> +++ b/core/org.wso2.carbon.utils/src/main/java/org/wso2/carbon/context/CarbonContext.java
>> @@ -233,6 +233,8 @@ public class CarbonContext {
>> * @return the user realm instance.
>> */
>> public UserRealm getUserRealm() {
>> + CarbonUtils.checkSecurity();
>> return getCarbonContextDataHolder().getUserRealm();
>> }
>>
>
> Any idea why this is not needed for AS 5.2.1?
>
>> thanks,
>>
>>
>> On Tue, Aug 25, 2015 at 12:17 PM, Supun Malinga <[email protected]> wrote:
>>
>>> thanks Isuru. Let me see what I can find.
>>>
>>> thanks
>>>
>>> On Tue, Aug 25, 2015 at 12:12 PM, Isuru Perera <[email protected]> wrote:
>>>
>>>> Hi Supun,
>>>>
>>>> I'm sorry I missed this mail. We need to identify which method is accessing the local database. We should never give explicit read permissions for the H2 database.
>>>>
>>>> We need to use the Java Privileged Block API in Carbon Context APIs. If you cannot figure out the protection domain for the access failure, please check the Java Security Debug logs. See the Troubleshooting section in my Java Security Manager related blog post [1].
>>>>
>>>> With the Privileged Block API, we can let Carbon Context APIs use the same permissions we give to Carbon code.
>>>>
>>>> Thanks!
>>>>
>>>> Best Regards,
>>>>
>>>> [1] http://isuru-perera.blogspot.com/2014/12/enabling-java-security-manager-for-wso2.html
>>>>
>>>>
>>>> On Thu, Aug 13, 2015 at 3:37 PM, Supun Malinga <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> For accessing usermgt via CarbonContext I had to provide the following permission for the webapp.
>>>>>
>>>>> permission java.io.FilePermission "/home/supun/smoke/java_sec/530_custom/wso2as-5.3.0-SNAPSHOT/repository/database/WSO2CARBON_DB.data.db", "read";
>>>>>
>>>>> I tested with AS 5.2.1 and we don't need this in 5.2.1.
>>>>>
>>>>> Can anyone tell why this is needed and if it's an issue?
>>>>>
>>>>> thanks,
>>>>> --
>>>>> Supun Malinga,
>>>>>
>>>>> Senior Software Engineer,
>>>>> WSO2 Inc.
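Review bot: the single added line in this hunk, `+ CarbonUtils.checkSecurity();` at the top of `getUserRealm()`, is a permission check on the caller, and a check can only pass or throw; it does not take the webapp's protection domain off the stack when `AbstractUserStoreManager.listUsers` later reads `WSO2CARBON_DB.data.db`, so it cannot be what removes the need for the `java.io.FilePermission` grant this thread started with, and the patch should not be merged until it is understood why the failure disappears. If the goal is the privileged-block approach suggested earlier in the thread, the database access has to run inside `AccessController.doPrivileged(...)` in the Carbon code path that actually touches the file, not behind a check in the accessor. Two smaller points: the javadoc above the method still says only `@return the user realm instance.` and should document the security exception the new check raises for callers that lack the permission; and the header `@@ -233,6 +233,8 @@` announces two added lines while only one `+` line (and no `--- a/` file header) survives in the quoted patch, so please attach the complete diff.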
>>>>> http://wso2.com
>>>>> email: [email protected]
>>>>> mobile: +94 (0)71 56 91 321
>>>>>
>>>>
>>>> --
>>>> Isuru Perera
>>>> Associate Technical Lead | WSO2, Inc. | http://wso2.com/
>>>> Lean . Enterprise . Middleware
>>>>
>>>> about.me/chrishantha
>>>> Contact: +IsuruPereraWSO2 <https://www.google.com/+IsuruPereraWSO2/about>
>>>>
>>>
>>
>
> --
> Aruna Sujith Karunarathna | Software Engineer
> WSO2, Inc | lean. enterprise. middleware.
> #20, Palm Grove, Colombo 03, Sri Lanka
> Mobile: +94 71 9040362 | Work: +94 112145345
> Email: [email protected] | Web: www.wso2.com
>

--
Isuru Perera
Associate Technical Lead | WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware

about.me/chrishantha
Contact: +IsuruPereraWSO2 <https://www.google.com/+IsuruPereraWSO2/about>
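The privileged-block approach Isuru describes in the thread above, as an added example that is not code from this thread or from the Carbon code base. `PrivilegedBlockDemo`, its `readPrivileged`/`readUnprivileged` methods, the webapp code-source URL and the temp file standing in for `WSO2CARBON_DB.data.db` are all assumptions made for the demo. The programmatic policy grants every permission to the demo's own protection domain (standing in for the grant Carbon code gets) and nothing to a synthetic webapp domain, so the same file read fails while the webapp domain is on the stack and succeeds once it is wrapped in `AccessController.doPrivileged`, which is what lets a Carbon-side API use its own permissions rather than the caller's.

```java
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/** Hypothetical stand-in for a Carbon-side API that reads the local database file for a less-privileged caller. */
public class PrivilegedBlockDemo {

    /** Simulated "Carbon code" grant: this class's own protection domain gets every permission, nobody else gets any. */
    static void installSecurityManager() {
        final ProtectionDomain trusted = PrivilegedBlockDemo.class.getProtectionDomain();
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return domain == trusted; // same PD object the class loader assigned to this class
            }
        });
        System.setSecurityManager(new SecurityManager());
    }

    /** Context whose only domain is a synthetic webapp with an empty (static) permission set. */
    static AccessControlContext webappContext() throws Exception {
        CodeSource webappSource = new CodeSource(
                new URL("file:/repository/deployment/server/webapps/"), (Certificate[]) null); // assumed location
        ProtectionDomain webapp = new ProtectionDomain(webappSource, new Permissions()); // grants nothing
        return new AccessControlContext(new ProtectionDomain[] { webapp });
    }

    /** Plain read: every domain on the call stack must hold FilePermission "read" on the file. */
    static String readUnprivileged(Path dbFile) throws IOException {
        return new String(Files.readAllBytes(dbFile), StandardCharsets.UTF_8);
    }

    /** Same read inside a privileged block: the check stops here and consults only this class's domain. */
    static String readPrivileged(final Path dbFile) throws IOException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws IOException {
                    return new String(Files.readAllBytes(dbFile), StandardCharsets.UTF_8);
                }
            });
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();
        }
    }

    /** Runs one of the two reads with the webapp domain pushed onto the access-control context. */
    static String asWebapp(final Path dbFile, final boolean privileged, AccessControlContext ctx) throws Exception {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws IOException {
                    return privileged ? readPrivileged(dbFile) : readUnprivileged(dbFile);
                }
            }, ctx);
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input standing in for WSO2CARBON_DB.data.db; written before the manager is installed.
        File tmp = File.createTempFile("WSO2CARBON_DB", ".data.db");
        tmp.deleteOnExit();
        Path dbFile = tmp.toPath();
        Files.write(dbFile, "constructed sample database contents".getBytes(StandardCharsets.UTF_8));

        installSecurityManager();
        AccessControlContext webapp = webappContext();

        try {
            asWebapp(dbFile, false, webapp);
            System.out.println("unexpected: unprivileged read succeeded");
        } catch (AccessControlException e) {
            // The webapp domain holds no FilePermission, so the JDK's checkRead fails with exactly that permission.
            System.out.println("unprivileged read denied: " + e.getPermission());
        }

        // Same caller, same file, but the read now happens inside doPrivileged in the trusted code.
        System.out.println("privileged read returned: " + asWebapp(dbFile, true, webapp));
    }
}
```

Compile and run it on a JDK from 8 to 17 (`javac PrivilegedBlockDemo.java && java PrivilegedBlockDemo`); JDK 18 and later need `-Djava.security.manager=allow` before a Security Manager can be installed at runtime, and JDK 24 disables the Security Manager permanently. To find the protection domain behind a real failure, as Isuru suggests, start the JVM with `-Djava.security.debug=access,failure`, which logs each failed check together with the domain that lacked the permission; that is the domain whose code path needs the privileged block, and it should be the Carbon code that touches the database, not the webapp.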
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
