Hi Ishara,

Thanks for the reply. But I think your suggestion won't work either. While debugging in super-tenant mode, I found that we are not sending the tenant id with the role name. So it will still go through the same path and return false for an already existing role which has a "@" character.
Thanks.

Regards,
Megala

On Mon, Oct 17, 2016 at 10:50 AM, Ishara Cooray <[email protected]> wrote:

> What if the create role context logic is changed as below.
>
> JDBCRoleContext searchCtx = new JDBCRoleContext();
> String[] roleNameParts = roleName.split(UserCoreConstants.TENANT_DOMAIN_COMBINER);
> if (roleNameParts.length > 1 && (roleNameParts[1] == null ||
>         roleNameParts[1].equals("null"))) {
>     roleNameParts = new String[]{roleNameParts[0]};
> }
>
> to
>
> JDBCRoleContext searchCtx = new JDBCRoleContext();
> String[] roleNameParts = roleName.split(UserCoreConstants.TENANT_DOMAIN_COMBINER);
> if (roleNameParts.length > 1 && (roleNameParts[1] == null ||
>         roleNameParts[1].equals("null"))) {
>     roleNameParts = new String[]{roleName.substring(0,
>             roleName.lastIndexOf("@"))};
> }
>
> However there is no need to create a new string array here. Simply String
> should do (you can assign it to a String variable other than using the existing
> string array). Please check that as well.
>
>
> Thanks & Regards,
> Ishara Cooray
> Senior Software Engineer
> Mobile : +9477 262 9512
> WSO2, Inc. | http://wso2.com/
> Lean . Enterprise . Middleware
>
> On Mon, Oct 17, 2016 at 9:55 AM, Megala Uthayakumar <[email protected]>
> wrote:
>
>> Hi All,
>>
>> I am working on a jira issue which is related to a problem in updating
>> the permissions for the role names with special characters [1]. When I was
>> analyzing this issue I found that
>> when we have an existing role with a "@" character, the system returns
>> false, even though that particular role exists in the primary user store. This is
>> because, in the JDBCUserStoreManager, before checking whether the
>> particular role exists, it creates a role context [2], in which it splits
>> the role using the "@" character and takes the 1st part of the role as the role
>> name, and if the split has more than a single part [3], it considers the second
>> part as the tenant id.
>>
>> For example if we have a role with a name 'test@', it will consider
>> 'test' as a role name; because of that, the isExisting check returns false.
>>
>> This behavior affects the role addition in the management console too. After
>> creating a role with a name "test@", if we try to create another role
>> with the same name, it throws the following exception.
>>
>> Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key violation: "CONSTRAINT_INDEX_19 ON PUBLIC.UM_ROLE(UM_ROLE_NAME, UM_TENANT_ID) VALUES ( /* key:6 */ null, 'adadad@', -1234, null)"; SQL statement:
>> INSERT INTO UM_ROLE (UM_ROLE_NAME, UM_TENANT_ID) VALUES (?, ?) [23505-175]
>>     at org.h2.message.DbException.getJdbcSQLException(DbException.java:332)
>>     at org.h2.message.DbException.get(DbException.java:172)
>>     at org.h2.message.DbException.get(DbException.java:149)
>>     at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:101)
>>     at org.h2.index.PageBtree.find(PageBtree.java:121)
>>     at org.h2.index.PageBtreeLeaf.addRow(PageBtreeLeaf.java:148)
>>     at org.h2.index.PageBtreeLeaf.addRowTry(PageBtreeLeaf.java:101)
>>     at org.h2.index.PageBtreeIndex.addRow(PageBtreeIndex.java:96)
>>     at org.h2.index.PageBtreeIndex.add(PageBtreeIndex.java:87)
>>     at org.h2.table.RegularTable.addRow(RegularTable.java:119)
>>     at org.h2.command.dml.Insert.insertRows(Insert.java:157)
>>     at org.h2.command.dml.Insert.update(Insert.java:115)
>>     at org.h2.command.CommandContainer.update(CommandContainer.java:79)
>>     at org.h2.command.Command.executeUpdate(Command.java:253)
>>     at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:154)
>>     at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:140)
>>     at org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager.updateStringValuesToDatabase(JDBCUserStoreManager.java:2352)
>>     ... 78 more
>> [2016-10-17 09:33:50,836] ERROR {org.wso2.carbon.user.mgt.ui.UserAdminClient} - Error occurred while getting database type from DB connection
>> org.apache.axis2.AxisFault: Error occurred while getting database type from DB connection
>>     at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531)
>>     at org.apache.axis2.description.RobustOutOnlyAxisOperation$RobustOutOnlyOperationClient.handleResponse(RobustOutOnlyAxisOperation.java:91)
>>     at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:445)
>>     at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
>>     at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
>>     at org.wso2.carbon.user.mgt.stub.UserAdminStub.addRole(UserAdminStub.java:5002)
>>     at org.wso2.carbon.user.mgt.ui.UserAdminClient.addRole(UserAdminClient.java:76)
>>     at org.apache.jsp.role.add_002dfinish_002dajaxprocessor_jsp._jspService(add_002dfinish_002dajaxprocessor_jsp.java:159)
>>     at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>     at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
>>     at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
>>     at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>     at org.wso2.carbon.ui.JspServlet.service(JspServlet.java:155)
>>     at org.wso2.carbon.ui.TilesJspServlet.service(TilesJspServlet.java:80)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>     at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
>>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>     at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>>     at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>     at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>>     at org.wso2.carbon.webapp.authenticator.framework.WebappAuthenticationValve.invoke(WebappAuthenticationValve.java:45)
>>     at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>>     at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>>     at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1082)
>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)
>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1756)
>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1715)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>     at java.lang.Thread.run(Thread.java:745)
>>
>> So in that case, in order to avoid this faulty behavior, shouldn't we
>> restrict the user from using "@" when creating role names?
>>
>> Any suggestions or comments in this regard are highly appreciated.
>>
>> [1] https://wso2.org/jira/browse/EMM-1755
>> [2] https://github.com/wso2/carbon-kernel/blob/v4.4.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/JDBCUserStoreManager.java#L717
>> [3] https://github.com/wso2/carbon-kernel/blob/v4.4.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/JDBCUserStoreManager.java#L3092
>>
>>
>> Thanks.
>>
>> Regards,
>> Megala
>> --
>> Megala Uthayakumar
>>
>> Software Engineer
>> Mobile : 0779967122
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>

--
Megala Uthayakumar
Software Engineer
Mobile : 0779967122
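The lookup mismatch discussed in this thread, as an added example that is not part of the original messages or of carbon-kernel: it models the quoted role-context split and the proposed change next to the "@" restriction raised in the original post. The combiner value "@" is taken from the thread's description; the class name, method names and sample role names are hypothetical.

```java
public class RoleNameSplitDemo {
    // Assumption: the tenant-domain combiner is "@", as described in the thread.
    static final String COMBINER = "@";

    // Models the role-context logic quoted in the thread (behaviour before the change):
    // the first part of the split is used as the role name.
    static String currentRoleName(String roleName) {
        String[] parts = roleName.split(COMBINER);
        if (parts.length > 1 && (parts[1] == null || parts[1].equals("null"))) {
            parts = new String[]{parts[0]};
        }
        return parts[0];
    }

    // Models the change proposed in the quoted reply: only the branch body differs.
    static String proposedRoleName(String roleName) {
        String[] parts = roleName.split(COMBINER);
        if (parts.length > 1 && (parts[1] == null || parts[1].equals("null"))) {
            parts = new String[]{roleName.substring(0, roleName.lastIndexOf("@"))};
        }
        return parts[0];
    }

    // The restriction suggested in the original post: refuse "@" when a role is created,
    // so a stored name can never differ from the name used for the existence check.
    static boolean isAllowedRoleName(String roleName) {
        return roleName != null && !roleName.isEmpty() && !roleName.contains(COMBINER);
    }

    public static void main(String[] args) {
        // Constructed sample role names, including the two from the thread.
        String[] samples = {"test", "test@", "adadad@", "dev@ops", "admin@null"};
        for (String stored : samples) {
            String current = currentRoleName(stored);
            String proposed = proposedRoleName(stored);
            System.out.printf("stored=%-11s current=%-7s proposed=%-7s "
                            + "lookupMatchesStored=%-5b allowedAtCreation=%b%n",
                    stored, current, proposed,
                    proposed.equals(stored), isAllowedRoleName(stored));
        }
    }
}
```

For a name with a trailing "@", Java's String.split drops the trailing empty string, so the array has length 1 and the `length > 1` branch is never reached in either variant; the name used for the existence check then differs from the name stored in UM_ROLE.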
