Re: [Dev] Checking the existence of the roles with the character "@"

Ishara Cooray Sun, 16 Oct 2016 22:21:53 -0700

What if the create role context logic is changed as below.

JDBCRoleContext searchCtx = new JDBCRoleContext();
String[] roleNameParts = roleName.split(UserCoreConstants.
TENANT_DOMAIN_COMBINER);
if (roleNameParts.length > 1 && (roleNameParts[1] == null || roleNameParts[1
].equals("null"))) {
roleNameParts = new String[]{roleNameParts[0]};
}


to

JDBCRoleContext searchCtx = new JDBCRoleContext();
String[] roleNameParts = roleName.split(UserCoreConstants.
TENANT_DOMAIN_COMBINER);
if (roleNameParts.length > 1 && (roleNameParts[1] == null || roleNameParts[1
].equals("null"))) {
roleNameParts = new String[]{roleName.substring(0,
roleName.lastIndexOf("@"))};
}

However there is no need to create a new string array here. Simply String
should do(you can assign it to a String variable other that using existing
string array). Please check that as well.


Thanks & Regards,
Ishara Cooray
Senior Software Engineer
Mobile : +9477 262 9512
WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware

On Mon, Oct 17, 2016 at 9:55 AM, Megala Uthayakumar <[email protected]> wrote:

> Hi All,
>
> I am working on a jira issue which is related with problem in updating the
> permissions for the role names with special characters[1]. When I was
> analyzing this issue I found that
> when we have an existing role with a "@" character, the system returns
> false, even that particular role exists in the primary user store. This is
> because, in the JDBCUserStoreManager, before checking whether the
> particular role exists, it creates a role context [2], in which it splits
> the role using "@" character and takes the 1st part of the role as the role
> name and if the split has more than a single part [3], it considers second
> part as the tenant id.
>
> For example if we have a role with a name 'test@', it will consider
> 'test' as a role name, because of that isExisting check, returns false.
>
> This behavior affects the role addition in management console too. After
> creating a role with a name "test@" , if we try to create another role
> name with the same name, it throws, following exception.
> *Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key
> violation: "CONSTRAINT_INDEX_19 ON PUBLIC.UM_ROLE(UM_ROLE_NAME,
> UM_TENANT_ID) VALUES ( /* key:6 */ null, 'adadad@', -1234, null)"; SQL
> statement:*
> *INSERT INTO UM_ROLE (UM_ROLE_NAME, UM_TENANT_ID) VALUES (?, ?)
> [23505-175]*
> * at org.h2.message.DbException.getJdbcSQLException(DbException.java:332)*
> * at org.h2.message.DbException.get(DbException.java:172)*
> * at org.h2.message.DbException.get(DbException.java:149)*
> * at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:101)*
> * at org.h2.index.PageBtree.find(PageBtree.java:121)*
> * at org.h2.index.PageBtreeLeaf.addRow(PageBtreeLeaf.java:148)*
> * at org.h2.index.PageBtreeLeaf.addRowTry(PageBtreeLeaf.java:101)*
> * at org.h2.index.PageBtreeIndex.addRow(PageBtreeIndex.java:96)*
> * at org.h2.index.PageBtreeIndex.add(PageBtreeIndex.java:87)*
> * at org.h2.table.RegularTable.addRow(RegularTable.java:119)*
> * at org.h2.command.dml.Insert.insertRows(Insert.java:157)*
> * at org.h2.command.dml.Insert.update(Insert.java:115)*
> * at org.h2.command.CommandContainer.update(CommandContainer.java:79)*
> * at org.h2.command.Command.executeUpdate(Command.java:253)*
> * at
> org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:154)*
> * at
> org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:140)*
> * at
> org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager.updateStringValuesToDatabase(JDBCUserStoreManager.java:2352)*
> * ... 78 more*
> *[2016-10-17 09:33:50,836] ERROR
> {org.wso2.carbon.user.mgt.ui.UserAdminClient} -  Error occurred while
> getting database type from DB connection*
> *org.apache.axis2.AxisFault: Error occurred while getting database type
> from DB connection*
> * at
> org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531)*
> * at
> org.apache.axis2.description.RobustOutOnlyAxisOperation$RobustOutOnlyOperationClient.handleResponse(RobustOutOnlyAxisOperation.java:91)*
> * at
> org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:445)*
> * at
> org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)*
> * at
> org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)*
> * at
> org.wso2.carbon.user.mgt.stub.UserAdminStub.addRole(UserAdminStub.java:5002)*
> * at
> org.wso2.carbon.user.mgt.ui.UserAdminClient.addRole(UserAdminClient.java:76)*
> * at
> org.apache.jsp.role.add_002dfinish_002dajaxprocessor_jsp._jspService(add_002dfinish_002dajaxprocessor_jsp.java:159)*
> * at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)*
> * at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)*
> * at
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)*
> * at
> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)*
> * at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)*
> * at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)*
> * at org.wso2.carbon.ui.JspServlet.service(JspServlet.java:155)*
> * at org.wso2.carbon.ui.TilesJspServlet.service(TilesJspServlet.java:80)*
> * at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)*
> * at
> org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)*
> * at
> org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)*
> * at
> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)*
> * at
> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)*
> * at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)*
> * at
> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)*
> * at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)*
> * at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)*
> * at
> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)*
> * at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)*
> * at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)*
> * at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)*
> * at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)*
> * at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)*
> * at
> org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)*
> * at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)*
> * at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)*
> * at
> org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120)*
> * at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)*
> * at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)*
> * at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)*
> * at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)*
> * at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)*
> * at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)*
> * at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)*
> * at
> org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)*
> * at
> org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)*
> * at
> org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)*
> * at
> org.wso2.carbon.webapp.authenticator.framework.WebappAuthenticationValve.invoke(WebappAuthenticationValve.java:45)*
> * at
> org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)*
> * at
> org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)*
> * at
> org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)*
> * at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)*
> * at
> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)*
> * at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)*
> * at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)*
> * at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1082)*
> * at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)*
> * at org.apache.tomcat.util.net
> <http://org.apache.tomcat.util.net>.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1756)*
> * at org.apache.tomcat.util.net
> <http://org.apache.tomcat.util.net>.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1715)*
> * at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)*
> * at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)*
> * at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)*
> * at java.lang.Thread.run(Thread.java:745)*
>
> So in that case, in order to avoid this faulty behavior shouldn`t we
> restrict the user from using "@" when creating role names?
>
> Any suggestions or comments on this regard is highly appreciated.
>
> [1] https://wso2.org/jira/browse/EMM-1755
> [2] https://github.com/wso2/carbon-kernel/blob/v4.4.9/
> core/org.wso2.carbon.user.core/src/main/java/org/wso2/
> carbon/user/core/jdbc/JDBCUserStoreManager.java#L717
> [3] https://github.com/wso2/carbon-kernel/blob/v4.4.9/
> core/org.wso2.carbon.user.core/src/main/java/org/wso2/
> carbon/user/core/jdbc/JDBCUserStoreManager.java#L3092
>
>
> Thanks.
>
> Regards,
> Megala
> --
> Megala Uthayakumar
>
> Software Engineer
> Mobile : 0779967122
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev

Re: [Dev] Checking the existence of the roles with the character "@"

Reply via email to