Why is it different? The https://wso2.org/jira/browse/IDENTITY-3340 fixes the issues with Java Security Manager when accessing User Manager APIs from the Carbon Context. You are also trying a similar scenario, right?
Can you merge the PR locally and test? Please discard your changes. (PR uses Java Reflection. I was against that decision and asked to fix it properly. However it should fix your issue as the PR has added a Privileged Block API for listUsers method.)

On Fri, Aug 28, 2015 at 11:42 AM, Supun Malinga <[email protected]> wrote:

> On Fri, Aug 28, 2015 at 11:27 AM, Isuru Perera <[email protected]> wrote:
>
>> Hi Supun,
>>
>> The checkSecurity method just checks for a permission. I'm not sure how
>> your fix works. But it doesn't seem to be a proper solution. We might need
>> to debug more and see.
>>
>> Can you check whether you have fixes for
>> https://wso2.org/jira/browse/IDENTITY-3340?
>
> No, I don't. PR is not merged yet..
> I had a chat with KasunB, it's for a different error however.
>
>> On Fri, Aug 28, 2015 at 9:55 AM, Aruna Karunarathna <[email protected]> wrote:
>>
>>> On Thu, Aug 27, 2015 at 6:44 PM, Supun Malinga <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> Found that the issue happens at the following,
>>>>
>>>> at org.wso2.carbon.user.core.common.AbstractUserStoreManager.listUsers(AbstractUserStoreManager.java:2034)
>>>> at org.apache.jsp.carbon.usermgt.index_jsp._jspService(index_jsp.java:167)
>>>>
>>>> I did the following fix in CarbonContext (where the user realm is
>>>> retrieved initially), and the issue disappeared. Is this a good enough
>>>> solution? Or do we have to explicitly do permission checks in
>>>> AbstractUserStoreManager? So far there is none in that.. Let me know.
>>>>
>>>> +++ >>>> b/core/org.wso2.carbon.utils/src/main/java/org/wso2/carbon/context/CarbonContext.java 
>>>> @@ -233,6 +233,8 @@ public class CarbonContext { >>>> * @return the user realm instance. >>>> */ >>>> public UserRealm getUserRealm() { >>>> + CarbonUtils.checkSecurity(); >>>> return getCarbonContextDataHolder().getUserRealm(); >>>> } >>>>
>>>
>>> Any idea why this is not needed for AS 5.2.1?..
>>>
>>>> thanks,
>>>>
>>>> On Tue, Aug 25, 2015 at 12:17 PM, Supun Malinga <[email protected]> wrote:
>>>>
>>>>> thanks Isuru. Let me see what I can find.
>>>>>
>>>>> thanks
>>>>>
>>>>> On Tue, Aug 25, 2015 at 12:12 PM, Isuru Perera <[email protected]> wrote:
>>>>>
>>>>>> Hi Supun,
>>>>>>
>>>>>> I'm sorry I missed this mail. We need to identify which method is
>>>>>> accessing the local database. We should never give explicit read
>>>>>> permissions for the H2 database.
>>>>>>
>>>>>> We need to use Java Privileged Block API in Carbon Context APIs. If
>>>>>> you cannot figure out the protection domain for the access failure,
>>>>>> please check Java Security Debug logs. See Troubleshooting section in
>>>>>> my Java Security Manager related blog post [1].
>>>>>>
>>>>>> With Privileged Block API, we can let Carbon Context APIs to use same
>>>>>> permissions we give to Carbon code.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Best Regards,
>>>>>>
>>>>>> [1] http://isuru-perera.blogspot.com/2014/12/enabling-java-security-manager-for-wso2.html
>>>>>>
>>>>>> On Thu, Aug 13, 2015 at 3:37 PM, Supun Malinga <[email protected]> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> For accessing usermgt via CarbonContext had to provide following
>>>>>>> permission for webapp.
>>>>>>>
>>>>>>> permission java.io.FilePermission "/home/supun/smoke/java_sec/530_custom/wso2as-5.3.0-SNAPSHOT/repository/database/WSO2CARBON_DB.data.db", "read";
>>>>>>>
>>>>>>> I tested with AS 5.2.1 and we don't need this in 5.2.1.
>>>>>>>
>>>>>>> Can anyone tell why this is needed and if it's an issue?
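Review bot: the added `CarbonUtils.checkSecurity();` at the top of `getUserRealm()` is, as the reply in this thread notes, only a permission check, and nothing in the hunk changes whose permissions apply to the `getCarbonContextDataHolder().getUserRealm()` call that follows, so the patch does not show why the access failure would go away. If the intent is to let webapps reach the user realm without holding the file permission themselves, wrap the privileged work in a privileged block (`AccessController.doPrivileged`) instead of adding a check, and update the Javadoc above the method to state which permission callers now need.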
>>>>>>> thanks,
>>>>>>> --
>>>>>>> Supun Malinga,
>>>>>>>
>>>>>>> Senior Software Engineer,
>>>>>>> WSO2 Inc.
>>>>>>> http://wso2.com
>>>>>>> email: [email protected] <[email protected]>
>>>>>>> mobile: +94 (0)71 56 91 321
>>>>>>
>>>>>> --
>>>>>> Isuru Perera
>>>>>> Associate Technical Lead | WSO2, Inc. | http://wso2.com/
>>>>>> Lean . Enterprise . Middleware
>>>>>>
>>>>>> about.me/chrishantha
>>>>>> Contact: +IsuruPereraWSO2 <https://www.google.com/+IsuruPereraWSO2/about>
>>>
>>> --
>>> *Aruna Sujith Karunarathna *| Software Engineer
>>> WSO2, Inc | lean. enterprise. middleware.
>>> #20, Palm Grove, Colombo 03, Sri Lanka
>>> Mobile: +94 71 9040362 | Work: +94 112145345
>>> Email: [email protected] | Web: www.wso2.com

--
Isuru Perera
Associate Technical Lead | WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware

about.me/chrishantha
Contact: +IsuruPereraWSO2 <https://www.google.com/+IsuruPereraWSO2/about>
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
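Added example (not from the thread or the WSO2 code base): the privileged block approach described in the thread, sketched with the JDK's `AccessController`, showing an API call failing for a caller without the file permission and succeeding once the API wraps the access in `doPrivileged`. The class name, method names and file path are constructed; it assumes a JDK where the Security Manager APIs still function (deprecated since Java 17, disabled in JDK 24).

```java
import java.io.FilePermission;
import java.security.*;

public class PrivilegedBlockDemo {
    // Constructed path; stands in for the H2 file the user store reads.
    static final Permission DB_READ =
        new FilePermission("/constructed/repository/database/WSO2CARBON_DB.data.db", "read");

    // Stand-in for user store code: the check a file read performs under a Security Manager.
    static String readUserStore() {
        AccessController.checkPermission(DB_READ);
        return "admin";
    }

    // No privileged block: every domain on the stack, the webapp's included, needs DB_READ.
    static String listUsersUnwrapped() {
        return readUserStore();
    }

    // Privileged block: the stack walk stops here, so only this class's domain is checked.
    static String listUsersPrivileged() {
        return AccessController.doPrivileged((PrivilegedAction<String>) () -> readUserStore());
    }

    // Runs an API call as a caller whose protection domain holds no permissions.
    static String asWebapp(PrivilegedAction<String> call) {
        // Two-argument constructor: static, empty permissions, so the Policy is not consulted.
        ProtectionDomain webapp = new ProtectionDomain(null, new Permissions());
        AccessControlContext acc = new AccessControlContext(new ProtectionDomain[] { webapp });
        try {
            return AccessController.doPrivileged(call, acc);
        } catch (AccessControlException e) {
            return "denied: " + e.getPermission();
        }
    }

    public static void main(String[] args) {
        // Assumption: platform code (this class) is fully trusted, like Carbon code in the thread.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.out.println("unwrapped:  " + asWebapp(PrivilegedBlockDemo::listUsersUnwrapped));
        System.out.println("privileged: " + asWebapp(PrivilegedBlockDemo::listUsersPrivileged));
    }
}
```

The privileged variant grants the caller nothing directly: it lets the API use its own permissions for that one call, so the block should contain only the work the API is prepared to do on behalf of any caller.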
