Announcement

Collapse
No announcement yet.
X
  • Filter
  • Time
Clear All
new posts

    Security Issue: required in datasource

    Using
    com.isomorphic.pe
    3.1p.2013-01-31

    and executing on the server:
    DSRequest dsRequest = new DSRequest("MydatasourceID, "fetch");
    final DSResponse dsResponse = dsRequest.execute();

    it will not apply the velocity logic within the required attribute of the operationDefinition for fetch.
    Even if I set required="false" it will pass.

    #2
    That's correct behavior. Declarative Security applies to client-initiated requests and is not intended to hobble your ability to use DataSources from server code.

    Comment


      #3
      Hi,

      I'm using smartgwt-power-3.1-p20130712.
      And I want to use few datasources only on the server side. They should not be available from client.
      I set on on these datasources all the operationBinding/requires="false", but then when I call them from the server I get error that the requires expression is not fulfilled.

      That looks different than with 3.1p.2013-01-31.
      What is the correct behavior?
      And how else to achieve such server only datasources?

      Thanks,
      Mihnea

      Comment


        #4
        Attempting to call an operation that is disallowed should indeed result in an error - can you clarify what you were expecting?

        Comment


          #5
          In the DMI class of datasource "DS1"/ add method(..) I need to call other datasource/add method like here:
          Code:
          DSRequest otherDsRequest = new DSRequest("otherDatasource", "add");
          otherDsRequest.setRPCManager(dsRequest.getRPCManager());
          otherDsRequest.setJoinTransaction(true);
          final Map<String, Object> values = new HashMap<String, Object>();
          values.put("field1", "value1");
          values.put("field2", "value2");
          otherDsRequest.setValues(values);
          DSResponse otherResponse = otherDsRequest.execute();
          But I would like that the clients to not be able to call otherDatasource.add operation.

          Comment


            #6
            Set requires="false" to cause an operationBinding to be callable only by server code.

            Comment


              #7
              I tried. See my previous post.
              I get this error:
              Code:
              === 2013-07-18 15:57:49,891 [ec-9] DEBUG DataSourceDMI - Invocation threw exception
              java.lang.SecurityException: DataSource 'otherDatasource', operationType 'add', operationId 'null'.  Failed the "requires" check.
              	at com.isomorphic.datasource.DSRequest.execute(DSRequest.java:1906)

              Comment


                #8
                Can you post the remainder of that stacktrace please?

                Comment


                  #9
                  Here it is:
                  Code:
                  java.lang.SecurityException: DataSource 'mseAddresses', operationType 'add', operationId 'null'.  Failed the "requires" check.
                  	at com.isomorphic.datasource.DSRequest.execute(DSRequest.java:1906)
                  	at com.company.module.ContactAddUpdateBaseDMI.addOrUpdateAddress(ContactAddUpdateBaseDMI.java:54)
                  	at com.company.module.ContactAddDMI.add(ContactAddDMI.java:44)
                  	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  	at java.lang.reflect.Method.invoke(Method.java:597)
                  	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:318)
                  	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
                  	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
                  	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61)
                  	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
                  	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
                  	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
                  	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
                  	at $Proxy161.add(Unknown Source)
                  	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  	at java.lang.reflect.Method.invoke(Method.java:597)
                  	at com.isomorphic.base.Reflection.adaptArgsAndInvoke(Reflection.java:972)
                  	at com.isomorphic.datasource.DataSourceDMI.execute(DataSourceDMI.java:416)
                  	at com.isomorphic.datasource.DataSourceDMI.execute(DataSourceDMI.java:64)
                  	at com.isomorphic.datasource.DSRequest.execute(DSRequest.java:2034)
                  	at com.company.security.IDACall.handleDSRequest(IDACall.java:97)
                  	at com.isomorphic.servlet.IDACall.processRPCTransaction(IDACall.java:173)
                  	at com.isomorphic.servlet.IDACall.processRequest(IDACall.java:138)
                  	at com.isomorphic.servlet.IDACall.doPost(IDACall.java:74)
                  	at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
                  	at com.isomorphic.servlet.BaseServlet.service(BaseServlet.java:152)
                  	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)

                  Comment


                    #10
                    OK, we're looking into it - we'll post on this thread when we have an update

                    Comment


                      #11
                      Can you please revisit the claim that this behavior is different with 3.1p.2013-01-31? We believe that this would not be the case - this is backed up by local testing with versions earlier than that date. We want to provide a solution for you, but first we need to confirm whether there has really been a regression here.

                      Comment


                        #12
                        I cannot test easily using that version anymore.

                        Comment


                          #13
                          OK, well we're almost 100% certain that the same behavior would have been present in that January build, and the suspicion of a regression since then has some other cause. We have gone ahead and fixed this so that server-created DSRequests will completely skip declarative security, unless you explicitly call the setClientRequest() method. So now, the way to define operationBindings that are completely forbidden from the client but completely unrestricted from the server, is indeed to just set requires="false" on the binding.

                          These changes should be in 3.1p and greater nightly builds as of tomorrow, July 23.

                          Comment


                            #14
                            Hi, I tested today with smartgwt-power:3.1-p20130725.
                            I found still two problems, related with fetch.

                            1) Initial datasource client call: mseContacts/update
                            - that calls mseContactRoleMap/add -> works OK with requires="false"
                            --- that calls mseContactRoleMap/fetch -> doesn't work with requires="false"
                            Code:
                            === 2013-07-25 17:49:11,020 [ec-6] DEBUG DataSourceDMI - Invocation threw exception
                            java.lang.SecurityException: DataSource 'mseContactRoleMap', operationType 'fetch', operationId 'null'.  Failed the "requires" check.
                            	at com.isomorphic.datasource.DSRequest.execute(DSRequest.java:1913)
                            	at com.isomorphic.sql.SQLDataSource.getLastRow(SQLDataSource.java:547)
                            	at com.isomorphic.sql.SQLDataSource.SQLExecute(SQLDataSource.java:1517)
                            	at com.isomorphic.sql.SQLDataSource.processRequest(SQLDataSource.java:314)
                            	at com.isomorphic.sql.SQLDataSource.executeAdd(SQLDataSource.java:266)
                            	at com.isomorphic.datasource.DataSource.execute(DataSource.java:1370)
                            	at com.isomorphic.application.AppBase.executeDefaultDSOperation(AppBase.java:723)
                            	at com.isomorphic.application.AppBase.executeAppOperation(AppBase.java:658)
                            	at com.isomorphic.application.AppBase.execute(AppBase.java:491)
                            	at com.isomorphic.datasource.DSRequest.execute(DSRequest.java:2044)
                            	at com.company.module.ContactAddUpdateBaseDMI.addContactRole(ContactAddUpdateBaseDMI.java:144)
                            	at com.company.module.ContactUpdateDMI.update(ContactUpdateDMI.java:89)
                            	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                            	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                            	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                            	at java.lang.reflect.Method.invoke(Method.java:597)
                            	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:318)
                            	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
                            	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
                            	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61)
                            	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
                            	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
                            	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
                            	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
                            	at $Proxy163.update(Unknown Source)
                            	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                            	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                            	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                            	at java.lang.reflect.Method.invoke(Method.java:597)
                            	at com.isomorphic.base.Reflection.adaptArgsAndInvoke(Reflection.java:972)
                            	at com.isomorphic.datasource.DataSourceDMI.execute(DataSourceDMI.java:416)
                            	at com.isomorphic.datasource.DataSourceDMI.execute(DataSourceDMI.java:64)
                            	at com.isomorphic.datasource.DSRequest.execute(DSRequest.java:2041)
                            	at com.company.security.IDACall.handleDSRequest(IDACall.java:97)
                            	at com.isomorphic.servlet.IDACall.processRPCTransaction(IDACall.java:173)
                            	at com.isomorphic.servlet.IDACall.processRequest(IDACall.java:138)
                            	at com.isomorphic.servlet.IDACall.doPost(IDACall.java:74)
                            	at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
                            	at com.isomorphic.servlet.BaseServlet.service(BaseServlet.java:152)
                            	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
                            For mseContactRoleMap that is supposed to be server only datasource it seems that for "add" operations the "requires=false" didn't create problems, but for the fetch yes.



                            2) Initial client request: mseContacts/fetch (fetchContactById)
                            - mseContacts datasource includes using includeFrom several fields from msePersons datasource
                            - msePersons has all operations with requires="false" (is not meant for direct calls from client)
                            Code:
                            === 2013-07-25 17:55:25,152 [ec-4] WARN  RequestContext - dsRequest.execute() failed: 
                            java.lang.SecurityException: Security check on related DataSource 'mseContacts', required for included field 'title', failed.  Failure message is: "DataSource 'msePersons', operationType 'fetch', operationId 'fetchContactById'.  Failed the "requires" check."
                            	at com.isomorphic.datasource.DSRequest.execute(DSRequest.java:1913)
                            	at com.company.security.IDACall.handleDSRequest(IDACall.java:97)
                            	at com.isomorphic.servlet.IDACall.processRPCTransaction(IDACall.java:173)
                            	at com.isomorphic.servlet.IDACall.processRequest(IDACall.java:138)
                            	at com.isomorphic.servlet.IDACall.doPost(IDACall.java:74)
                            	at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
                            	at com.isomorphic.servlet.BaseServlet.service(BaseServlet.java:152)
                            	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
                            How can I make msePersons a server only datasource, but to have its fields included by mseContacts that is meant to be called by clients?

                            Comment


                              #15
                              The first problem is a case we missed when arranging for server-originated requests to skip declarative security. It is corrected now.

                              The second issue is simply declarative security working as designed. Declarative security does not allow includeFrom to fetch from DataSources that the user is not authorized to fetch from, unless the fetch originated on the server.

                              Comment

                              Working...
                              X