Hi Jacques,
thanks for working at this. However I think that there is a simpler/better way to disable the component by default; by using the following patch: Index: framework/start/src/org/ofbiz/base/start/start.properties =================================================================== --- framework/start/src/org/ofbiz/base/start/start.properties (revision 1735404) +++ framework/start/src/org/ofbiz/base/start/start.properties (working copy) 
@@ -40,7 +40,7 @@ # --- StartupLoader implementations to load (in order) ofbiz.start.loader1=org.ofbiz.base.container.ContainerLoader -ofbiz.start.loader1.loaders=main,rmi +ofbiz.start.loader1.loaders=main # -- Enable the shutdown hook #ofbiz.enable.hook=true I didn't test it but it should work! Jacopo On Fri, Mar 18, 2016 at 11:38 AM, <[hidden email]> wrote: > Author: jleroux > Date: Fri Mar 18 10:38:04 2016 > New Revision: 1735569 > > URL: http://svn.apache.org/viewvc?rev=1735569&view=rev > Log: > Fixes "Comment out RMI related code because of the Java deserialization > issue" - https://issues.apache.org/jira/browse/OFBIZ-6942 > > I decided to comment out as less as possible because once the RMI loaders, > the RMI dispatcher and the related test services are off there is no RMI > related danger left (test services are not a danger but would fail during > tests run). It's then easier for users who need RMI in their projects to > have only to uncomment those and not digg everywhere. Because the naming > (JNDI) server relies on the rmi loader it will also be commented out. > > Modified: > ofbiz/trunk/framework/base/config/ofbiz-containers.xml > ofbiz/trunk/framework/base/ofbiz-component.xml > ofbiz/trunk/framework/common/servicedef/services_test.xml > ofbiz/trunk/framework/service/ofbiz-component.xml > ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties > > Modified: ofbiz/trunk/framework/base/config/ofbiz-containers.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/ofbiz-containers.xml?rev=1735569&r1=1735568&r2=1735569&view=diff > > ============================================================================== > --- ofbiz/trunk/framework/base/config/ofbiz-containers.xml (original) > +++ ofbiz/trunk/framework/base/config/ofbiz-containers.xml Fri Mar 18 > 10:38:04 2016 
> @@ -21,8 +21,11 @@ under the License. > <ofbiz-containers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:noNamespaceSchemaLocation=" > http://ofbiz.apache.org/dtds/ofbiz-containers.xsd"> > > + <!-- Because of the danger of Java deserialization when using RMI, we > (PMC) have decided to comment out main RMI related code entries. > + If you need RMI you just need to uncomment those places - See > OFBIZ-6942 for details --> > <!-- load the ofbiz component container (always first) --> > - <container name="component-container" > loaders="main,rmi,pos,load-data" > class="org.ofbiz.base.container.ComponentContainer"/> > + <!-- <container name="component-container" > loaders="main,rmi,pos,load-data" > class="org.ofbiz.base.container.ComponentContainer"/> --> > + <container name="component-container" loaders="main,pos,load-data" > class="org.ofbiz.base.container.ComponentContainer"/> > > <container name="component-container-test" loaders="test" > class="org.ofbiz.base.container.ComponentContainer"> > <property name="ofbiz.instrumenterClassName" > value="org.ofbiz.base.config.CoberturaInstrumenter"/> > > Modified: ofbiz/trunk/framework/base/ofbiz-component.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff > > ============================================================================== > --- ofbiz/trunk/framework/base/ofbiz-component.xml (original) > +++ ofbiz/trunk/framework/base/ofbiz-component.xml Fri Mar 18 10:38:04 2016 
> @@ -33,11 +33,13 @@ under the License. > > <test-suite loader="main" location="testdef/basetests.xml"/> > > + <!-- Because of the danger of Java deserialization when using RMI, we > (PMC) have decided to comment out main RMI related code entries. > + If you need RMI you just need to uncomment those places - See > OFBIZ-6942 for details --> > <!-- load the naming (JNDI) server --> > - <container name="naming-container" loaders="rmi" > class="org.ofbiz.base.container.NamingServiceContainer"> > + <!-- <container name="naming-container" loaders="rmi" > class="org.ofbiz.base.container.NamingServiceContainer"> > <property name="host" value="0.0.0.0"/> > <property name="port" value="1099"/> > - </container> > + </container> --> > > <!-- load BeanShell remote telnet server --> > <!-- Commented out by default for security reasons --> > > Modified: ofbiz/trunk/framework/common/servicedef/services_test.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services_test.xml?rev=1735569&r1=1735568&r2=1735569&view=diff > > ============================================================================== > --- ofbiz/trunk/framework/common/servicedef/services_test.xml (original) > +++ ofbiz/trunk/framework/common/servicedef/services_test.xml Fri Mar 18 > 10:38:04 2016 
> @@ -47,15 +47,17 @@ under the License. > <service name="testError" engine="java" export="true" > validate="false" require-new-transaction="true" max-retry="1" > location="org.ofbiz.common.CommonServices" > invoke="returnErrorService"> > </service> > + <!-- Because of the danger of Java deserialization when using RMI, we > (PMC) have decided to comment out main RMI related code entries. > + If you need RMI you just need to uncomment those places - See > OFBIZ-6942 for details --> > <!-- see serviceengine.xml to configure the rmi location alias --> > - <service name="testRmi" engine="rmi" validate="false" > + <!-- <service name="testRmi" engine="rmi" validate="false" > location="main-rmi" invoke="testScv"> > <implements service="testScv"/> > </service> > <service name="testRmiFail" engine="rmi" validate="false" > location="main-rmi" invoke="testBsh"> > <implements service="testScv"/> > - </service> > + </service> --> > > <service name="testRollback" engine="java" export="true" > validate="false" > location="org.ofbiz.common.CommonServices" > invoke="testRollbackListener"> > > Modified: ofbiz/trunk/framework/service/ofbiz-component.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff > > ============================================================================== > --- ofbiz/trunk/framework/service/ofbiz-component.xml (original) > +++ ofbiz/trunk/framework/service/ofbiz-component.xml Fri Mar 18 10:38:04 > 2016 
> @@ -44,12 +44,17 @@ under the License. > <keystore name="rmitrust" type="jks" password="changeit" > is-truststore="true" > is-certstore="false" loader="main" > location="config/rmitrust.jks"/> > > - <container name="service-container" > loaders="main,rmi,pos,load-data,test" > class="org.ofbiz.service.ServiceContainer"> > + <!-- Because of the danger of Java deserialization when using RMI, we > (PMC) have decided to comment out main RMI related code entries. > + If you need RMI you just need to uncomment those places - See > OFBIZ-6942 for details --> > + <!-- <container name="service-container" > loaders="main,rmi,pos,load-data,test" > class="org.ofbiz.service.ServiceContainer"> --> > + <container name="service-container" loaders="main,pos,load-data,test" > class="org.ofbiz.service.ServiceContainer"> > <property name="dispatcher-factory" > value="org.ofbiz.service.GenericDispatcherFactory"/> > </container> > > + <!-- Because of the danger of Java deserialization when using RMI, we > (PMC) have decided to comment out main RMI related code entries. > + If you need RMI you just need to uncomment those places - See > OFBIZ-6942 for details --> > <!-- RMI Service Dispatcher --> > - <container name="rmi-dispatcher" loaders="rmi" > class="org.ofbiz.service.rmi.RmiServiceContainer"> > + <!-- <container name="rmi-dispatcher" loaders="rmi" > class="org.ofbiz.service.rmi.RmiServiceContainer"> > <property name="bound-name" value="RMIDispatcher"/> > <property name="bound-host" value="127.0.0.1"/> > <property name="bound-port" value="1099"/> 
> @@ -61,7 +66,7 @@ under the License. > <property name="ssl-keystore-pass" value="changeit"/> > <property name="ssl-keystore-alias" value="rmissl"/> > <property name="ssl-client-auth" value="false"/> > - </container> > + </container> --> > > <!-- JavaMail Listener Container - Triggers MCA Rules --> > <!-- if delete-mail is set to true, will delete messages after > fetching them. otherwise, will try to mark them as seen > > Modified: > ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties?rev=1735569&r1=1735568&r2=1735569&view=diff > > ============================================================================== > --- ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties > (original) > +++ ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties > Fri Mar 18 10:38:04 2016 > @@ -35,7 +35,10 @@ ofbiz.start.loader1=org.ofbiz.base.splas > > # --- StartupLoader implementations to load (in order) > ofbiz.start.loader2=org.ofbiz.base.container.ContainerLoader > -ofbiz.start.loader2.loaders=main,pos,rmi > +# Because of the danger of Java deserialization when using RMI, we (PMC) > have decided to comment out main RMI related code entries. > +# If you need RMI you just need to uncomment those places - See > OFBIZ-6942 for details --> > +#ofbiz.start.loader2.loaders=main,pos,rmi > +ofbiz.start.loader2.loaders=main,pos > > # -- Splash Logo > ofbiz.start.splash.logo=framework/images/webapp/images/ofbiz_logo.gif > > > |
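Review bot: In the start.properties hunk, removing rmi from ofbiz.start.loader1.loaders changes only this one start file, and the message says the change was not tested. The both.properties hunk further down shows a second list, ofbiz.start.loader2.loaders=main,pos,rmi, so every start properties file that names rmi needs the same edit, and the containers declared with loaders="rmi" remain defined in the XML for any start file that still lists that loader. Suggest confirming against a startup log that no "Started container rmi-dispatcher" line appears before relying on this change alone.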
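Review bot: In the framework/base/ofbiz-component.xml hunk, the commented-out naming-container keeps <property name="host" value="0.0.0.0"/> with port 1099, while the added comment tells users they just need to uncomment it. Anyone who follows that instruction gets the JNDI server listening on all interfaces. Suggest the comment say so, or that the value kept inside the comment be a loopback address, as the rmi-dispatcher entry already uses for bound-host (127.0.0.1).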
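Review bot: In the framework/service/ofbiz-component.xml hunks, the rmi-dispatcher block that is now commented out still carries ssl-client-auth="false" and ssl-keystore-pass="changeit", and the added comment says uncommenting is all that is needed. Suggest the comment mention that these defaults should be reviewed before RMI is re-enabled. The same two-line comment is also added twice within a few lines of this file (above service-container and above rmi-dispatcher); one copy would be enough.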
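Review bot: In the both.properties hunk, the added comment line beginning "# If you need RMI" ends with the XML terminator "-->", carried over from the XML files. It is harmless inside a properties comment but should be dropped so the file does not look like it contains a stray XML fragment.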
Hi Jacopo,
No it's not enough. Without the RmiDispatcher deactivated you can still run RMI services like testRMI.
You get in log:

[java] 2016-03-18 18:39:22,787 |main |ContainerLoader |I| [Startup] Loading containers from c:/projectsASF/ofbiz/framework/base/config/ofbiz-containers.xml for loaders [main, rmi]
[java] 2016-03-18 18:39:24,754 |main |ContainerLoader |I| Loading component's container: rmi-dispatcher
[java] 2016-03-18 18:39:24,755 |main |ContainerLoader |I| Loaded component's container: rmi-dispatcher
[java] 2016-03-18 18:39:27,966 |main |ContainerLoader |I| Starting container rmi-dispatcher
[java] 2016-03-18 18:39:29,346 |main |ServiceDispatcher |I| Registering dispatcher: RMIDispatcher
[java] 2016-03-18 18:39:29,346 |main |ServiceContainer |I| Created new dispatcher: RMIDispatcher
[java] 2016-03-18 18:39:29,745 |main |ContainerLoader |I| Started container rmi-dispatcher

And if you use ant-secure target you see this in is-deserialized.txt

org.ofbiz.service.rmi.RemoteDispatcherImpl_Stub
java.rmi.server.RemoteStub
java.rmi.server.RemoteObject
org.ofbiz.service.rmi.socket.ssl.SSLClientSocketFactory
[Ljava.rmi.server.ObjID;
java.rmi.server.ObjID
java.rmi.server.UID
java.rmi.dgc.Lease
java.rmi.dgc.VMID

Those are not issues but show that RMI is still active.

Actually I missed your change in start.properties but did the same in both.properties.

Initially I wondered if the only thing needed was not to comment out the RmiDispatcher in service/ofbiz-component.xml.
Because once you have done that no RMI services can be used.
I finally decided to do more because the Distributed Clear Cache relies on JNDI, JMS and RMI. So I also deactivated the JNDI server and then got further with all changes below.

Thinking about it now, since the Rmi Service Dispatcher and the JNDI server are at the root of all, it's maybe the only things which need to be deactivated (trying to minimise the changes) with of course the RMI test services which would fail else.

What do you think?

Jacques

On 18/03/2016 17:28, Jacopo Cappellato wrote:
> Hi Jacques,
>
> thanks for working at this.
> However I think that there is a simpler/better way to disable the component
> by default; by using the following patch:

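A config and log check for the state discussed in this thread, as an added example that is not part of the original messages or of OFBiz: it reports uncommented entries that still reference RMI in component XML and start properties, and RMI containers that a startup log shows as started. The function names, the rule set (drawn from the entries the commit touches) and the embedded samples (constructed from lines quoted on this page) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Container classes commented out by the commit quoted in this thread.
RMI_CLASSES = ("org.ofbiz.service.rmi.",
               "org.ofbiz.base.container.NamingServiceContainer")
LOADER_KEY = re.compile(r"^\s*(ofbiz\.start\.loader\d+\.loaders)\s*=\s*(.*)$")
STARTED = re.compile(r"\|ContainerLoader\s*\|I\|\s*Started container (\S+)")


def _loaders(value):
    """Split a comma-separated loaders value into a set of loader names."""
    return {part.strip() for part in (value or "").split(",") if part.strip()}


def active_rmi_xml_entries(xml_text):
    """Return (tag, name, reason) for each uncommented element that references RMI.

    ElementTree discards XML comments while parsing, so an entry wrapped in
    <!-- ... --> is not reported.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = elem.get("name", "")
        if elem.tag == "container":
            if "rmi" in _loaders(elem.get("loaders")):
                findings.append(("container", name, "loaders includes rmi"))
            if elem.get("class", "").startswith(RMI_CLASSES):
                findings.append(("container", name, "RMI/JNDI container class"))
        elif elem.tag == "service" and elem.get("engine") == "rmi":
            findings.append(("service", name, "engine is rmi"))
    return findings


def rmi_loader_keys(properties_text):
    """Return uncommented ofbiz.start.loaderN.loaders keys whose value lists rmi."""
    hits = []
    for line in properties_text.splitlines():
        match = LOADER_KEY.match(line)  # a line starting with '#' does not match
        if match and "rmi" in _loaders(match.group(2)):
            hits.append(match.group(1))
    return hits


def started_rmi_containers(log_text, names=("rmi-dispatcher", "naming-container")):
    """Return the RMI-related container names that the log reports as started."""
    return [m.group(1) for m in STARTED.finditer(log_text) if m.group(1) in names]


# --- Samples constructed from lines quoted on this page (not complete files) ---
BEFORE_XML = """<ofbiz-component name="service">
  <container name="service-container" loaders="main,rmi,pos,load-data,test"
             class="org.ofbiz.service.ServiceContainer"/>
  <container name="rmi-dispatcher" loaders="rmi"
             class="org.ofbiz.service.rmi.RmiServiceContainer">
    <property name="bound-port" value="1099"/>
  </container>
</ofbiz-component>"""

AFTER_XML = """<ofbiz-component name="service">
  <container name="service-container" loaders="main,pos,load-data,test"
             class="org.ofbiz.service.ServiceContainer"/>
  <!-- <container name="rmi-dispatcher" loaders="rmi"
             class="org.ofbiz.service.rmi.RmiServiceContainer">
    <property name="bound-port" value="1099"/>
  </container> -->
</ofbiz-component>"""

BOTH_PROPERTIES_AFTER = """\
ofbiz.start.loader2=org.ofbiz.base.container.ContainerLoader
#ofbiz.start.loader2.loaders=main,pos,rmi
ofbiz.start.loader2.loaders=main,pos
"""

STARTUP_LOG = """\
[java] 2016-03-18 18:39:27,966 |main |ContainerLoader |I| Starting container rmi-dispatcher
[java] 2016-03-18 18:39:29,745 |main |ContainerLoader |I| Started container rmi-dispatcher
"""

if __name__ == "__main__":
    print("before:", active_rmi_xml_entries(BEFORE_XML))
    print("after: ", active_rmi_xml_entries(AFTER_XML))
    print("props: ", rmi_loader_keys(BOTH_PROPERTIES_AFTER))
    print("log:   ", started_rmi_containers(STARTUP_LOG))
```

The XML check reports what the files still declare, not what a given start target will load; the log check is the evidence that a container actually started.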
Hi Jacques,
how did you get that log? (how did you start OFBiz) Thanks, Jacopo On Sat, Mar 19, 2016 at 11:47 AM, Jacques Le Roux < [hidden email]> wrote: > Hi Jacopo, > > No it's not enough. Without the RmiDispatcher deactivated you can still > run RMI services like testRMI. > You get in log: > > [java] 2016-03-18 18:39:22,787 |main |ContainerLoader |I| > [Startup] Loading containers from > c:/projectsASF/ofbiz/framework/base/config/ofbiz-containers.xml for loaders > [main, rmi] > [java] 2016-03-18 18:39:24,754 |main |ContainerLoader |I| > Loading component's container: rmi-dispatcher > [java] 2016-03-18 18:39:24,755 |main |ContainerLoader |I| > Loaded component's container: rmi-dispatcher > [java] 2016-03-18 18:39:27,966 |main |ContainerLoader |I| > Starting container rmi-dispatcher > [java] 2016-03-18 18:39:29,346 |main |ServiceDispatcher |I| > Registering dispatcher: RMIDispatcher > [java] 2016-03-18 18:39:29,346 |main |ServiceContainer |I| > Created new dispatcher: RMIDispatcher > [java] 2016-03-18 18:39:29,745 |main |ContainerLoader |I| > Started container rmi-dispatcher > > And if you use ant-secure target you see this in is-deserialized.txt > > org.ofbiz.service.rmi.RemoteDispatcherImpl_Stub > java.rmi.server.RemoteStub > java.rmi.server.RemoteObject > org.ofbiz.service.rmi.socket.ssl.SSLClientSocketFactory > [Ljava.rmi.server.ObjID; > java.rmi.server.ObjID > java.rmi.server.UID > java.rmi.dgc.Lease > java.rmi.dgc.VMID > > Those are not issues but shows that RMI is still active. > > Actually I missed your change in start.properties but did the same in > both.properties. > > Initially I wondered if the only thing needed was not to comment out the > RmiDispatcher in service/ofbiz-component.xml > Because once you have done that no RMI services can be used. > I finally decided to do more because the Distributed Clear Cache relies on > JNDI, JMS and RMI. So I also deactivated the JNDI server and then got > further with all changes below. 
> > Thinking about it now, since the the Rmi Service Dispatcher and the JNDI > server are at the root of all, it's maybe the only things which need to be > deactivated (trying to minimise the changes) with of course the RMI test > services which would fail else. > > What do you think? > > Jacques > > > Le 18/03/2016 17:28, Jacopo Cappellato a écrit : > >> Hi Jacques, >> >> thanks for working at this. >> However I think that there is a simpler/better way to disable the >> component >> by default; by using the following patch: >> >> Index: framework/start/src/org/ofbiz/base/start/start.properties >> =================================================================== >> --- framework/start/src/org/ofbiz/base/start/start.properties (revision >> 1735404) >> +++ framework/start/src/org/ofbiz/base/start/start.properties (working >> copy) 
>> @@ -40,7 +40,7 @@ >> >> # --- StartupLoader implementations to load (in order) >> ofbiz.start.loader1=org.ofbiz.base.container.ContainerLoader >> -ofbiz.start.loader1.loaders=main,rmi >> +ofbiz.start.loader1.loaders=main >> >> # -- Enable the shutdown hook >> #ofbiz.enable.hook=true >> >> I didn't test it but it should work! >> >> Jacopo >> >> On Fri, Mar 18, 2016 at 11:38 AM, <[hidden email]> wrote: >> >> Author: jleroux >>> Date: Fri Mar 18 10:38:04 2016 >>> New Revision: 1735569 >>> >>> URL: http://svn.apache.org/viewvc?rev=1735569&view=rev >>> Log: >>> Fixes "Comment out RMI related code because of the Java deserialization >>> issue" - https://issues.apache.org/jira/browse/OFBIZ-6942 >>> >>> I decided to comment out as less as possible because once the RMI >>> loaders, >>> the RMI dispatcher and the related test services are off there is no RMI >>> related danger left (test services are not a danger but would fail during >>> tests run). It's then easier for users who need RMI in their projects to >>> have only to uncomment those and not digg everywhere. Because the naming >>> (JNDI) server relies on the rmi loader it will also be commented out. >>> >>> Modified: >>> ofbiz/trunk/framework/base/config/ofbiz-containers.xml >>> ofbiz/trunk/framework/base/ofbiz-component.xml >>> ofbiz/trunk/framework/common/servicedef/services_test.xml >>> ofbiz/trunk/framework/service/ofbiz-component.xml >>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>> >>> Modified: ofbiz/trunk/framework/base/config/ofbiz-containers.xml >>> URL: >>> >>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/ofbiz-containers.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>> >>> >>> ============================================================================== >>> --- ofbiz/trunk/framework/base/config/ofbiz-containers.xml (original) >>> +++ ofbiz/trunk/framework/base/config/ofbiz-containers.xml Fri Mar 18 >>> 10:38:04 2016 
>>> @@ -21,8 +21,11 @@ under the License. >>> <ofbiz-containers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance >>> " >>> xsi:noNamespaceSchemaLocation=" >>> http://ofbiz.apache.org/dtds/ofbiz-containers.xsd"> >>> >>> + <!-- Because of the danger of Java deserialization when using RMI, >>> we >>> (PMC) have decided to comment out main RMI related code entries. >>> + If you need RMI you just need to uncomment those places - See >>> OFBIZ-6942 for details --> >>> <!-- load the ofbiz component container (always first) --> >>> - <container name="component-container" >>> loaders="main,rmi,pos,load-data" >>> class="org.ofbiz.base.container.ComponentContainer"/> >>> + <!-- <container name="component-container" >>> loaders="main,rmi,pos,load-data" >>> class="org.ofbiz.base.container.ComponentContainer"/> --> >>> + <container name="component-container" loaders="main,pos,load-data" >>> class="org.ofbiz.base.container.ComponentContainer"/> >>> >>> <container name="component-container-test" loaders="test" >>> class="org.ofbiz.base.container.ComponentContainer"> >>> <property name="ofbiz.instrumenterClassName" >>> value="org.ofbiz.base.config.CoberturaInstrumenter"/> >>> >>> Modified: ofbiz/trunk/framework/base/ofbiz-component.xml >>> URL: >>> >>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>> >>> >>> ============================================================================== >>> --- ofbiz/trunk/framework/base/ofbiz-component.xml (original) >>> +++ ofbiz/trunk/framework/base/ofbiz-component.xml Fri Mar 18 10:38:04 >>> 2016 
>>> @@ -33,11 +33,13 @@ under the License. >>> >>> <test-suite loader="main" location="testdef/basetests.xml"/> >>> >>> + <!-- Because of the danger of Java deserialization when using RMI, >>> we >>> (PMC) have decided to comment out main RMI related code entries. >>> + If you need RMI you just need to uncomment those places - See >>> OFBIZ-6942 for details --> >>> <!-- load the naming (JNDI) server --> >>> - <container name="naming-container" loaders="rmi" >>> class="org.ofbiz.base.container.NamingServiceContainer"> >>> + <!-- <container name="naming-container" loaders="rmi" >>> class="org.ofbiz.base.container.NamingServiceContainer"> >>> <property name="host" value="0.0.0.0"/> >>> <property name="port" value="1099"/> >>> - </container> >>> + </container> --> >>> >>> <!-- load BeanShell remote telnet server --> >>> <!-- Commented out by default for security reasons --> >>> >>> Modified: ofbiz/trunk/framework/common/servicedef/services_test.xml >>> URL: >>> >>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services_test.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>> >>> >>> ============================================================================== >>> --- ofbiz/trunk/framework/common/servicedef/services_test.xml (original) >>> +++ ofbiz/trunk/framework/common/servicedef/services_test.xml Fri Mar 18 >>> 10:38:04 2016 
>>> @@ -47,15 +47,17 @@ under the License. >>> <service name="testError" engine="java" export="true" >>> validate="false" require-new-transaction="true" max-retry="1" >>> location="org.ofbiz.common.CommonServices" >>> invoke="returnErrorService"> >>> </service> >>> + <!-- Because of the danger of Java deserialization when using RMI, >>> we >>> (PMC) have decided to comment out main RMI related code entries. >>> + If you need RMI you just need to uncomment those places - See >>> OFBIZ-6942 for details --> >>> <!-- see serviceengine.xml to configure the rmi location alias --> >>> - <service name="testRmi" engine="rmi" validate="false" >>> + <!-- <service name="testRmi" engine="rmi" validate="false" >>> location="main-rmi" invoke="testScv"> >>> <implements service="testScv"/> >>> </service> >>> <service name="testRmiFail" engine="rmi" validate="false" >>> location="main-rmi" invoke="testBsh"> >>> <implements service="testScv"/> >>> - </service> >>> + </service> --> >>> >>> <service name="testRollback" engine="java" export="true" >>> validate="false" >>> location="org.ofbiz.common.CommonServices" >>> invoke="testRollbackListener"> >>> >>> Modified: ofbiz/trunk/framework/service/ofbiz-component.xml >>> URL: >>> >>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>> >>> >>> ============================================================================== >>> --- ofbiz/trunk/framework/service/ofbiz-component.xml (original) >>> +++ ofbiz/trunk/framework/service/ofbiz-component.xml Fri Mar 18 10:38:04 >>> 2016 
>>> @@ -44,12 +44,17 @@ under the License. >>> <keystore name="rmitrust" type="jks" password="changeit" >>> is-truststore="true" >>> is-certstore="false" loader="main" >>> location="config/rmitrust.jks"/> >>> >>> - <container name="service-container" >>> loaders="main,rmi,pos,load-data,test" >>> class="org.ofbiz.service.ServiceContainer"> >>> + <!-- Because of the danger of Java deserialization when using RMI, >>> we >>> (PMC) have decided to comment out main RMI related code entries. >>> + If you need RMI you just need to uncomment those places - See >>> OFBIZ-6942 for details --> >>> + <!-- <container name="service-container" >>> loaders="main,rmi,pos,load-data,test" >>> class="org.ofbiz.service.ServiceContainer"> --> >>> + <container name="service-container" >>> loaders="main,pos,load-data,test" >>> class="org.ofbiz.service.ServiceContainer"> >>> <property name="dispatcher-factory" >>> value="org.ofbiz.service.GenericDispatcherFactory"/> >>> </container> >>> >>> + <!-- Because of the danger of Java deserialization when using RMI, >>> we >>> (PMC) have decided to comment out main RMI related code entries. >>> + If you need RMI you just need to uncomment those places - See >>> OFBIZ-6942 for details --> >>> <!-- RMI Service Dispatcher --> >>> - <container name="rmi-dispatcher" loaders="rmi" >>> class="org.ofbiz.service.rmi.RmiServiceContainer"> >>> + <!-- <container name="rmi-dispatcher" loaders="rmi" >>> class="org.ofbiz.service.rmi.RmiServiceContainer"> >>> <property name="bound-name" value="RMIDispatcher"/> >>> <property name="bound-host" value="127.0.0.1"/> >>> <property name="bound-port" value="1099"/> 
>>> @@ -61,7 +66,7 @@ under the License. >>> <property name="ssl-keystore-pass" value="changeit"/> >>> <property name="ssl-keystore-alias" value="rmissl"/> >>> <property name="ssl-client-auth" value="false"/> >>> - </container> >>> + </container> --> >>> >>> <!-- JavaMail Listener Container - Triggers MCA Rules --> >>> <!-- if delete-mail is set to true, will delete messages after >>> fetching them. otherwise, will try to mark them as seen >>> >>> Modified: >>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>> URL: >>> >>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties?rev=1735569&r1=1735568&r2=1735569&view=diff >>> >>> >>> ============================================================================== >>> --- ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>> (original) >>> +++ ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>> Fri Mar 18 10:38:04 2016 >>> @@ -35,7 +35,10 @@ ofbiz.start.loader1=org.ofbiz.base.splas >>> >>> # --- StartupLoader implementations to load (in order) >>> ofbiz.start.loader2=org.ofbiz.base.container.ContainerLoader >>> -ofbiz.start.loader2.loaders=main,pos,rmi >>> +# Because of the danger of Java deserialization when using RMI, we (PMC) >>> have decided to comment out main RMI related code entries. >>> +# If you need RMI you just need to uncomment those places - See >>> OFBIZ-6942 for details --> >>> +#ofbiz.start.loader2.loaders=main,pos,rmi >>> +ofbiz.start.loader2.loaders=main,pos >>> >>> # -- Splash Logo >>> ofbiz.start.splash.logo=framework/images/webapp/images/ofbiz_logo.gif >>> >>> >>> >>> |
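Review bot: start.properties is missing from this change: the both.properties hunk drops `rmi` from `ofbiz.start.loader2.loaders`, but start.properties is not in the commit's Modified list, and the patch quoted in this thread shows it still carrying `ofbiz.start.loader1.loaders=main,rmi`, so a start through that file still asks for the rmi loader. The same edit should be made there. The second added `#` line also ends with `-->`, copied over from the XML comments; it has no meaning in a properties file and should be dropped.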
With start-secure target (same as start but with notsoserial protection activated)

Ah, sorry wrote ant-secure target below :)

Jacques

On 21/03/2016 15:18, Jacopo Cappellato wrote:
> Hi Jacques,
>
> how did you get that log? (how did you start OFBiz)
>
> Thanks,
>
> Jacopo
>
> On Sat, Mar 19, 2016 at 11:47 AM, Jacques Le Roux <[hidden email]> wrote:
>
>> Hi Jacopo,
>>
>> No it's not enough. Without the RmiDispatcher deactivated you can still
>> run RMI services like testRMI.
>> You get in log:
>>
>> [java] 2016-03-18 18:39:22,787 |main |ContainerLoader |I|
>> [Startup] Loading containers from
>> c:/projectsASF/ofbiz/framework/base/config/ofbiz-containers.xml for loaders
>> [main, rmi]
>> [java] 2016-03-18 18:39:24,754 |main |ContainerLoader |I|
>> Loading component's container: rmi-dispatcher
>> [java] 2016-03-18 18:39:24,755 |main |ContainerLoader |I|
>> Loaded component's container: rmi-dispatcher
>> [java] 2016-03-18 18:39:27,966 |main |ContainerLoader |I|
>> Starting container rmi-dispatcher
>> [java] 2016-03-18 18:39:29,346 |main |ServiceDispatcher |I|
>> Registering dispatcher: RMIDispatcher
>> [java] 2016-03-18 18:39:29,346 |main |ServiceContainer |I|
>> Created new dispatcher: RMIDispatcher
>> [java] 2016-03-18 18:39:29,745 |main |ContainerLoader |I|
>> Started container rmi-dispatcher
>>
>> And if you use ant-secure target you see this in is-deserialized.txt
>>
>> org.ofbiz.service.rmi.RemoteDispatcherImpl_Stub
>> java.rmi.server.RemoteStub
>> java.rmi.server.RemoteObject
>> org.ofbiz.service.rmi.socket.ssl.SSLClientSocketFactory
>> [Ljava.rmi.server.ObjID;
>> java.rmi.server.ObjID
>> java.rmi.server.UID
>> java.rmi.dgc.Lease
>> java.rmi.dgc.VMID
>>
>> Those are not issues but show that RMI is still active.
>>
>> Actually I missed your change in start.properties but did the same in
>> both.properties.
>>
>> Initially I wondered if the only thing needed was not to comment out the
>> RmiDispatcher in service/ofbiz-component.xml
>> Because once you have done that no RMI services can be used.
>> I finally decided to do more because the Distributed Clear Cache relies on
>> JNDI, JMS and RMI. So I also deactivated the JNDI server and then got
>> further with all changes below.
>>
>> Thinking about it now, since the Rmi Service Dispatcher and the JNDI
>> server are at the root of all, it's maybe the only things which need to be
>> deactivated (trying to minimise the changes) with of course the RMI test
>> services which would fail else.
>>
>> What do you think?
>>
>> Jacques
>>
>>
>> On 18/03/2016 17:28, Jacopo Cappellato wrote:
>>
>>> Hi Jacques,
>>>
>>> thanks for working at this.
>>> However I think that there is a simpler/better way to disable the
>>> component
>>> by default; by using the following patch:
>>>
>>> Index: framework/start/src/org/ofbiz/base/start/start.properties >>> =================================================================== >>> --- framework/start/src/org/ofbiz/base/start/start.properties (revision >>> 1735404) >>> +++ framework/start/src/org/ofbiz/base/start/start.properties (working >>> copy) 
>>> @@ -40,7 +40,7 @@ >>> >>> # --- StartupLoader implementations to load (in order) >>> ofbiz.start.loader1=org.ofbiz.base.container.ContainerLoader >>> -ofbiz.start.loader1.loaders=main,rmi >>> +ofbiz.start.loader1.loaders=main >>> >>> # -- Enable the shutdown hook >>> #ofbiz.enable.hook=true >>> >>> I didn't test it but it should work! >>> >>> Jacopo >>> >>> On Fri, Mar 18, 2016 at 11:38 AM, <[hidden email]> wrote: >>> >>> Author: jleroux >>>> Date: Fri Mar 18 10:38:04 2016 >>>> New Revision: 1735569 >>>> >>>> URL: http://svn.apache.org/viewvc?rev=1735569&view=rev >>>> Log: >>>> Fixes "Comment out RMI related code because of the Java deserialization >>>> issue" - https://issues.apache.org/jira/browse/OFBIZ-6942 >>>> >>>> I decided to comment out as less as possible because once the RMI >>>> loaders, >>>> the RMI dispatcher and the related test services are off there is no RMI >>>> related danger left (test services are not a danger but would fail during >>>> tests run). It's then easier for users who need RMI in their projects to >>>> have only to uncomment those and not digg everywhere. Because the naming >>>> (JNDI) server relies on the rmi loader it will also be commented out. 
>>>> >>>> Modified: >>>> ofbiz/trunk/framework/base/config/ofbiz-containers.xml >>>> ofbiz/trunk/framework/base/ofbiz-component.xml >>>> ofbiz/trunk/framework/common/servicedef/services_test.xml >>>> ofbiz/trunk/framework/service/ofbiz-component.xml >>>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>>> >>>> Modified: ofbiz/trunk/framework/base/config/ofbiz-containers.xml >>>> URL: >>>> >>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/ofbiz-containers.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>>> >>>> >>>> ============================================================================== >>>> --- ofbiz/trunk/framework/base/config/ofbiz-containers.xml (original) >>>> +++ ofbiz/trunk/framework/base/config/ofbiz-containers.xml Fri Mar 18 >>>> 10:38:04 2016 
>>>> @@ -21,8 +21,11 @@ under the License. >>>> <ofbiz-containers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance >>>> " >>>> xsi:noNamespaceSchemaLocation=" >>>> http://ofbiz.apache.org/dtds/ofbiz-containers.xsd"> >>>> >>>> + <!-- Because of the danger of Java deserialization when using RMI, >>>> we >>>> (PMC) have decided to comment out main RMI related code entries. >>>> + If you need RMI you just need to uncomment those places - See >>>> OFBIZ-6942 for details --> >>>> <!-- load the ofbiz component container (always first) --> >>>> - <container name="component-container" >>>> loaders="main,rmi,pos,load-data" >>>> class="org.ofbiz.base.container.ComponentContainer"/> >>>> + <!-- <container name="component-container" >>>> loaders="main,rmi,pos,load-data" >>>> class="org.ofbiz.base.container.ComponentContainer"/> --> >>>> + <container name="component-container" loaders="main,pos,load-data" >>>> class="org.ofbiz.base.container.ComponentContainer"/> >>>> >>>> <container name="component-container-test" loaders="test" >>>> class="org.ofbiz.base.container.ComponentContainer"> >>>> <property name="ofbiz.instrumenterClassName" >>>> value="org.ofbiz.base.config.CoberturaInstrumenter"/> >>>> >>>> Modified: ofbiz/trunk/framework/base/ofbiz-component.xml >>>> URL: >>>> >>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>>> >>>> >>>> ============================================================================== >>>> --- ofbiz/trunk/framework/base/ofbiz-component.xml (original) >>>> +++ ofbiz/trunk/framework/base/ofbiz-component.xml Fri Mar 18 10:38:04 >>>> 2016 
>>>> @@ -33,11 +33,13 @@ under the License. >>>> >>>> <test-suite loader="main" location="testdef/basetests.xml"/> >>>> >>>> + <!-- Because of the danger of Java deserialization when using RMI, >>>> we >>>> (PMC) have decided to comment out main RMI related code entries. >>>> + If you need RMI you just need to uncomment those places - See >>>> OFBIZ-6942 for details --> >>>> <!-- load the naming (JNDI) server --> >>>> - <container name="naming-container" loaders="rmi" >>>> class="org.ofbiz.base.container.NamingServiceContainer"> >>>> + <!-- <container name="naming-container" loaders="rmi" >>>> class="org.ofbiz.base.container.NamingServiceContainer"> >>>> <property name="host" value="0.0.0.0"/> >>>> <property name="port" value="1099"/> >>>> - </container> >>>> + </container> --> >>>> >>>> <!-- load BeanShell remote telnet server --> >>>> <!-- Commented out by default for security reasons --> >>>> >>>> Modified: ofbiz/trunk/framework/common/servicedef/services_test.xml >>>> URL: >>>> >>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services_test.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>>> >>>> >>>> ============================================================================== >>>> --- ofbiz/trunk/framework/common/servicedef/services_test.xml (original) >>>> +++ ofbiz/trunk/framework/common/servicedef/services_test.xml Fri Mar 18 >>>> 10:38:04 2016 
>>>> @@ -47,15 +47,17 @@ under the License. >>>> <service name="testError" engine="java" export="true" >>>> validate="false" require-new-transaction="true" max-retry="1" >>>> location="org.ofbiz.common.CommonServices" >>>> invoke="returnErrorService"> >>>> </service> >>>> + <!-- Because of the danger of Java deserialization when using RMI, >>>> we >>>> (PMC) have decided to comment out main RMI related code entries. >>>> + If you need RMI you just need to uncomment those places - See >>>> OFBIZ-6942 for details --> >>>> <!-- see serviceengine.xml to configure the rmi location alias --> >>>> - <service name="testRmi" engine="rmi" validate="false" >>>> + <!-- <service name="testRmi" engine="rmi" validate="false" >>>> location="main-rmi" invoke="testScv"> >>>> <implements service="testScv"/> >>>> </service> >>>> <service name="testRmiFail" engine="rmi" validate="false" >>>> location="main-rmi" invoke="testBsh"> >>>> <implements service="testScv"/> >>>> - </service> >>>> + </service> --> >>>> >>>> <service name="testRollback" engine="java" export="true" >>>> validate="false" >>>> location="org.ofbiz.common.CommonServices" >>>> invoke="testRollbackListener"> >>>> >>>> Modified: ofbiz/trunk/framework/service/ofbiz-component.xml >>>> URL: >>>> >>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>>> >>>> >>>> ============================================================================== >>>> --- ofbiz/trunk/framework/service/ofbiz-component.xml (original) >>>> +++ ofbiz/trunk/framework/service/ofbiz-component.xml Fri Mar 18 10:38:04 >>>> 2016 
>>>> @@ -44,12 +44,17 @@ under the License. >>>> <keystore name="rmitrust" type="jks" password="changeit" >>>> is-truststore="true" >>>> is-certstore="false" loader="main" >>>> location="config/rmitrust.jks"/> >>>> >>>> - <container name="service-container" >>>> loaders="main,rmi,pos,load-data,test" >>>> class="org.ofbiz.service.ServiceContainer"> >>>> + <!-- Because of the danger of Java deserialization when using RMI, >>>> we >>>> (PMC) have decided to comment out main RMI related code entries. >>>> + If you need RMI you just need to uncomment those places - See >>>> OFBIZ-6942 for details --> >>>> + <!-- <container name="service-container" >>>> loaders="main,rmi,pos,load-data,test" >>>> class="org.ofbiz.service.ServiceContainer"> --> >>>> + <container name="service-container" >>>> loaders="main,pos,load-data,test" >>>> class="org.ofbiz.service.ServiceContainer"> >>>> <property name="dispatcher-factory" >>>> value="org.ofbiz.service.GenericDispatcherFactory"/> >>>> </container> >>>> >>>> + <!-- Because of the danger of Java deserialization when using RMI, >>>> we >>>> (PMC) have decided to comment out main RMI related code entries. >>>> + If you need RMI you just need to uncomment those places - See >>>> OFBIZ-6942 for details --> >>>> <!-- RMI Service Dispatcher --> >>>> - <container name="rmi-dispatcher" loaders="rmi" >>>> class="org.ofbiz.service.rmi.RmiServiceContainer"> >>>> + <!-- <container name="rmi-dispatcher" loaders="rmi" >>>> class="org.ofbiz.service.rmi.RmiServiceContainer"> >>>> <property name="bound-name" value="RMIDispatcher"/> >>>> <property name="bound-host" value="127.0.0.1"/> >>>> <property name="bound-port" value="1099"/> 
>>>> @@ -61,7 +66,7 @@ under the License. >>>> <property name="ssl-keystore-pass" value="changeit"/> >>>> <property name="ssl-keystore-alias" value="rmissl"/> >>>> <property name="ssl-client-auth" value="false"/> >>>> - </container> >>>> + </container> --> >>>> >>>> <!-- JavaMail Listener Container - Triggers MCA Rules --> >>>> <!-- if delete-mail is set to true, will delete messages after >>>> fetching them. otherwise, will try to mark them as seen >>>> >>>> Modified: >>>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>>> URL: >>>> >>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties?rev=1735569&r1=1735568&r2=1735569&view=diff >>>> >>>> >>>> ============================================================================== >>>> --- ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>>> (original) >>>> +++ ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>>> Fri Mar 18 10:38:04 2016 >>>> @@ -35,7 +35,10 @@ ofbiz.start.loader1=org.ofbiz.base.splas >>>> >>>> # --- StartupLoader implementations to load (in order) >>>> ofbiz.start.loader2=org.ofbiz.base.container.ContainerLoader >>>> -ofbiz.start.loader2.loaders=main,pos,rmi >>>> +# Because of the danger of Java deserialization when using RMI, we (PMC) >>>> have decided to comment out main RMI related code entries. >>>> +# If you need RMI you just need to uncomment those places - See >>>> OFBIZ-6942 for details --> >>>> +#ofbiz.start.loader2.loaders=main,pos,rmi >>>> +ofbiz.start.loader2.loaders=main,pos >>>> >>>> # -- Splash Logo >>>> ofbiz.start.splash.logo=framework/images/webapp/images/ofbiz_logo.gif >>>> >>>> >>>> >>>> |
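Review bot: In the framework/base/ofbiz-component.xml hunk the commented-out `naming-container` keeps `<property name="host" value="0.0.0.0"/>` with port 1099, so anyone who follows the "just uncomment" instruction gets the naming server listening on every interface again, whereas the `rmi-dispatcher` in framework/service/ofbiz-component.xml is bound to 127.0.0.1. Either change the commented default to a loopback address or have the new comment say that the host must be restricted before the block is re-enabled.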
Ok,

I have applied my patch, and the output I get is:

[java] 2016-03-21 15:50:18,632 |main |ContainerLoader |I| [Startup] Loading containers from ./framework/base/config/ofbiz-containers.xml for loaders [main]

However, in order to use the modified start.properties file you have to run:

./ant clean build

before start-secure

Could you please double check if you can get the same results?

Thanks,

Jacopo

On Mon, Mar 21, 2016 at 3:40 PM, Jacques Le Roux <[hidden email]> wrote:
> With start-secure target (same as start but with notsoserial protection
> activated)
>
> Ah, sorry wrote ant-secure target below :)
>
> Jacques
>
>
> On 21/03/2016 15:18, Jacopo Cappellato wrote:
>
>> Hi Jacques,
>>
>> how did you get that log? (how did you start OFBiz)
>>
>> Thanks,
>>
>> Jacopo
>>
>> On Sat, Mar 19, 2016 at 11:47 AM, Jacques Le Roux <[hidden email]> wrote:
>>
>>> Hi Jacopo,
>>>
>>> No it's not enough. Without the RmiDispatcher deactivated you can still
>>> run RMI services like testRMI.
>>> You get in log:
>>>
>>> [java] 2016-03-18 18:39:22,787 |main |ContainerLoader |I|
>>> [Startup] Loading containers from
>>> c:/projectsASF/ofbiz/framework/base/config/ofbiz-containers.xml for
>>> loaders
>>> [main, rmi]
>>> [java] 2016-03-18 18:39:24,754 |main |ContainerLoader |I|
>>> Loading component's container: rmi-dispatcher
>>> [java] 2016-03-18 18:39:24,755 |main |ContainerLoader |I|
>>> Loaded component's container: rmi-dispatcher
>>> [java] 2016-03-18 18:39:27,966 |main |ContainerLoader |I|
>>> Starting container rmi-dispatcher
>>> [java] 2016-03-18 18:39:29,346 |main |ServiceDispatcher |I|
>>> Registering dispatcher: RMIDispatcher
>>> [java] 2016-03-18 18:39:29,346 |main |ServiceContainer |I|
>>> Created new dispatcher: RMIDispatcher
>>> [java] 2016-03-18 18:39:29,745 |main |ContainerLoader |I|
>>> Started container rmi-dispatcher
>>>
>>> And if you use ant-secure target you see this in is-deserialized.txt
>>>
>>> org.ofbiz.service.rmi.RemoteDispatcherImpl_Stub
>>> java.rmi.server.RemoteStub
>>> java.rmi.server.RemoteObject
>>> org.ofbiz.service.rmi.socket.ssl.SSLClientSocketFactory
>>> [Ljava.rmi.server.ObjID;
>>> java.rmi.server.ObjID
>>> java.rmi.server.UID
>>> java.rmi.dgc.Lease
>>> java.rmi.dgc.VMID
>>>
>>> Those are not issues but show that RMI is still active.
>>>
>>> Actually I missed your change in start.properties but did the same in
>>> both.properties.
>>>
>>> Initially I wondered if the only thing needed was not to comment out the
>>> RmiDispatcher in service/ofbiz-component.xml
>>> Because once you have done that no RMI services can be used.
>>> I finally decided to do more because the Distributed Clear Cache relies
>>> on
>>> JNDI, JMS and RMI. So I also deactivated the JNDI server and then got
>>> further with all changes below.
>>>
>>> Thinking about it now, since the Rmi Service Dispatcher and the JNDI
>>> server are at the root of all, it's maybe the only things which need to
>>> be
>>> deactivated (trying to minimise the changes) with of course the RMI test
>>> services which would fail else.
>>>
>>> What do you think?
>>>
>>> Jacques
>>>
>>>
>>> On 18/03/2016 17:28, Jacopo Cappellato wrote:
>>>
>>>> Hi Jacques,
>>>>
>>>> thanks for working at this.
>>>> However I think that there is a simpler/better way to disable the
>>>> component
>>>> by default; by using the following patch:
>>>>
>>>> Index: framework/start/src/org/ofbiz/base/start/start.properties >>>> =================================================================== >>>> --- framework/start/src/org/ofbiz/base/start/start.properties (revision >>>> 1735404) >>>> +++ framework/start/src/org/ofbiz/base/start/start.properties (working >>>> copy) 
>>>> @@ -40,7 +40,7 @@ >>>> >>>> # --- StartupLoader implementations to load (in order) >>>> ofbiz.start.loader1=org.ofbiz.base.container.ContainerLoader >>>> -ofbiz.start.loader1.loaders=main,rmi >>>> +ofbiz.start.loader1.loaders=main >>>> >>>> # -- Enable the shutdown hook >>>> #ofbiz.enable.hook=true >>>> >>>> I didn't test it but it should work! >>>> >>>> Jacopo >>>> >>>> On Fri, Mar 18, 2016 at 11:38 AM, <[hidden email]> wrote: >>>> >>>> Author: jleroux >>>> >>>>> Date: Fri Mar 18 10:38:04 2016 >>>>> New Revision: 1735569 >>>>> >>>>> URL: http://svn.apache.org/viewvc?rev=1735569&view=rev >>>>> Log: >>>>> Fixes "Comment out RMI related code because of the Java deserialization >>>>> issue" - https://issues.apache.org/jira/browse/OFBIZ-6942 >>>>> >>>>> I decided to comment out as less as possible because once the RMI >>>>> loaders, >>>>> the RMI dispatcher and the related test services are off there is no >>>>> RMI >>>>> related danger left (test services are not a danger but would fail >>>>> during >>>>> tests run). It's then easier for users who need RMI in their projects >>>>> to >>>>> have only to uncomment those and not digg everywhere. Because the >>>>> naming >>>>> (JNDI) server relies on the rmi loader it will also be commented out. 
>>>>> >>>>> Modified: >>>>> ofbiz/trunk/framework/base/config/ofbiz-containers.xml >>>>> ofbiz/trunk/framework/base/ofbiz-component.xml >>>>> ofbiz/trunk/framework/common/servicedef/services_test.xml >>>>> ofbiz/trunk/framework/service/ofbiz-component.xml >>>>> >>>>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>>>> >>>>> Modified: ofbiz/trunk/framework/base/config/ofbiz-containers.xml >>>>> URL: >>>>> >>>>> >>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/ofbiz-containers.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>>>> >>>>> >>>>> >>>>> ============================================================================== >>>>> --- ofbiz/trunk/framework/base/config/ofbiz-containers.xml (original) >>>>> +++ ofbiz/trunk/framework/base/config/ofbiz-containers.xml Fri Mar 18 >>>>> 10:38:04 2016 
>>>>> @@ -21,8 +21,11 @@ under the License. >>>>> <ofbiz-containers xmlns:xsi=" >>>>> http://www.w3.org/2001/XMLSchema-instance >>>>> " >>>>> xsi:noNamespaceSchemaLocation=" >>>>> http://ofbiz.apache.org/dtds/ofbiz-containers.xsd"> >>>>> >>>>> + <!-- Because of the danger of Java deserialization when using RMI, >>>>> we >>>>> (PMC) have decided to comment out main RMI related code entries. >>>>> + If you need RMI you just need to uncomment those places - See >>>>> OFBIZ-6942 for details --> >>>>> <!-- load the ofbiz component container (always first) --> >>>>> - <container name="component-container" >>>>> loaders="main,rmi,pos,load-data" >>>>> class="org.ofbiz.base.container.ComponentContainer"/> >>>>> + <!-- <container name="component-container" >>>>> loaders="main,rmi,pos,load-data" >>>>> class="org.ofbiz.base.container.ComponentContainer"/> --> >>>>> + <container name="component-container" loaders="main,pos,load-data" >>>>> class="org.ofbiz.base.container.ComponentContainer"/> >>>>> >>>>> <container name="component-container-test" loaders="test" >>>>> class="org.ofbiz.base.container.ComponentContainer"> >>>>> <property name="ofbiz.instrumenterClassName" >>>>> value="org.ofbiz.base.config.CoberturaInstrumenter"/> >>>>> >>>>> Modified: ofbiz/trunk/framework/base/ofbiz-component.xml >>>>> URL: >>>>> >>>>> >>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>>>> >>>>> >>>>> >>>>> ============================================================================== >>>>> --- ofbiz/trunk/framework/base/ofbiz-component.xml (original) >>>>> +++ ofbiz/trunk/framework/base/ofbiz-component.xml Fri Mar 18 10:38:04 >>>>> 2016 
>>>>> @@ -33,11 +33,13 @@ under the License. >>>>> >>>>> <test-suite loader="main" location="testdef/basetests.xml"/> >>>>> >>>>> + <!-- Because of the danger of Java deserialization when using RMI, >>>>> we >>>>> (PMC) have decided to comment out main RMI related code entries. >>>>> + If you need RMI you just need to uncomment those places - See >>>>> OFBIZ-6942 for details --> >>>>> <!-- load the naming (JNDI) server --> >>>>> - <container name="naming-container" loaders="rmi" >>>>> class="org.ofbiz.base.container.NamingServiceContainer"> >>>>> + <!-- <container name="naming-container" loaders="rmi" >>>>> class="org.ofbiz.base.container.NamingServiceContainer"> >>>>> <property name="host" value="0.0.0.0"/> >>>>> <property name="port" value="1099"/> >>>>> - </container> >>>>> + </container> --> >>>>> >>>>> <!-- load BeanShell remote telnet server --> >>>>> <!-- Commented out by default for security reasons --> >>>>> >>>>> Modified: ofbiz/trunk/framework/common/servicedef/services_test.xml >>>>> URL: >>>>> >>>>> >>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services_test.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>>>> >>>>> >>>>> >>>>> ============================================================================== >>>>> --- ofbiz/trunk/framework/common/servicedef/services_test.xml >>>>> (original) >>>>> +++ ofbiz/trunk/framework/common/servicedef/services_test.xml Fri Mar >>>>> 18 >>>>> 10:38:04 2016 
>>>>> @@ -47,15 +47,17 @@ under the License. >>>>> <service name="testError" engine="java" export="true" >>>>> validate="false" require-new-transaction="true" max-retry="1" >>>>> location="org.ofbiz.common.CommonServices" >>>>> invoke="returnErrorService"> >>>>> </service> >>>>> + <!-- Because of the danger of Java deserialization when using RMI, >>>>> we >>>>> (PMC) have decided to comment out main RMI related code entries. >>>>> + If you need RMI you just need to uncomment those places - See >>>>> OFBIZ-6942 for details --> >>>>> <!-- see serviceengine.xml to configure the rmi location alias >>>>> --> >>>>> - <service name="testRmi" engine="rmi" validate="false" >>>>> + <!-- <service name="testRmi" engine="rmi" validate="false" >>>>> location="main-rmi" invoke="testScv"> >>>>> <implements service="testScv"/> >>>>> </service> >>>>> <service name="testRmiFail" engine="rmi" validate="false" >>>>> location="main-rmi" invoke="testBsh"> >>>>> <implements service="testScv"/> >>>>> - </service> >>>>> + </service> --> >>>>> >>>>> <service name="testRollback" engine="java" export="true" >>>>> validate="false" >>>>> location="org.ofbiz.common.CommonServices" >>>>> invoke="testRollbackListener"> >>>>> >>>>> Modified: ofbiz/trunk/framework/service/ofbiz-component.xml >>>>> URL: >>>>> >>>>> >>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>>>> >>>>> >>>>> >>>>> ============================================================================== >>>>> --- ofbiz/trunk/framework/service/ofbiz-component.xml (original) >>>>> +++ ofbiz/trunk/framework/service/ofbiz-component.xml Fri Mar 18 >>>>> 10:38:04 >>>>> 2016 
>>>>> @@ -44,12 +44,17 @@ under the License. >>>>> <keystore name="rmitrust" type="jks" password="changeit" >>>>> is-truststore="true" >>>>> is-certstore="false" loader="main" >>>>> location="config/rmitrust.jks"/> >>>>> >>>>> - <container name="service-container" >>>>> loaders="main,rmi,pos,load-data,test" >>>>> class="org.ofbiz.service.ServiceContainer"> >>>>> + <!-- Because of the danger of Java deserialization when using RMI, >>>>> we >>>>> (PMC) have decided to comment out main RMI related code entries. >>>>> + If you need RMI you just need to uncomment those places - See >>>>> OFBIZ-6942 for details --> >>>>> + <!-- <container name="service-container" >>>>> loaders="main,rmi,pos,load-data,test" >>>>> class="org.ofbiz.service.ServiceContainer"> --> >>>>> + <container name="service-container" >>>>> loaders="main,pos,load-data,test" >>>>> class="org.ofbiz.service.ServiceContainer"> >>>>> <property name="dispatcher-factory" >>>>> value="org.ofbiz.service.GenericDispatcherFactory"/> >>>>> </container> >>>>> >>>>> + <!-- Because of the danger of Java deserialization when using RMI, >>>>> we >>>>> (PMC) have decided to comment out main RMI related code entries. >>>>> + If you need RMI you just need to uncomment those places - See >>>>> OFBIZ-6942 for details --> >>>>> <!-- RMI Service Dispatcher --> >>>>> - <container name="rmi-dispatcher" loaders="rmi" >>>>> class="org.ofbiz.service.rmi.RmiServiceContainer"> >>>>> + <!-- <container name="rmi-dispatcher" loaders="rmi" >>>>> class="org.ofbiz.service.rmi.RmiServiceContainer"> >>>>> <property name="bound-name" value="RMIDispatcher"/> >>>>> <property name="bound-host" value="127.0.0.1"/> >>>>> <property name="bound-port" value="1099"/> 
>>>>> @@ -61,7 +66,7 @@ under the License. >>>>> <property name="ssl-keystore-pass" value="changeit"/> >>>>> <property name="ssl-keystore-alias" value="rmissl"/> >>>>> <property name="ssl-client-auth" value="false"/> >>>>> - </container> >>>>> + </container> --> >>>>> >>>>> <!-- JavaMail Listener Container - Triggers MCA Rules --> >>>>> <!-- if delete-mail is set to true, will delete messages after >>>>> fetching them. otherwise, will try to mark them as seen >>>>> >>>>> Modified: >>>>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>>>> URL: >>>>> >>>>> >>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties?rev=1735569&r1=1735568&r2=1735569&view=diff >>>>> >>>>> >>>>> >>>>> ============================================================================== >>>>> --- >>>>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>>>> (original) >>>>> +++ >>>>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>>>> Fri Mar 18 10:38:04 2016 >>>>> @@ -35,7 +35,10 @@ ofbiz.start.loader1=org.ofbiz.base.splas >>>>> >>>>> # --- StartupLoader implementations to load (in order) >>>>> ofbiz.start.loader2=org.ofbiz.base.container.ContainerLoader >>>>> -ofbiz.start.loader2.loaders=main,pos,rmi >>>>> +# Because of the danger of Java deserialization when using RMI, we >>>>> (PMC) >>>>> have decided to comment out main RMI related code entries. >>>>> +# If you need RMI you just need to uncomment those places - See >>>>> OFBIZ-6942 for details --> >>>>> +#ofbiz.start.loader2.loaders=main,pos,rmi >>>>> +ofbiz.start.loader2.loaders=main,pos >>>>> >>>>> # -- Splash Logo >>>>> >>>>> ofbiz.start.splash.logo=framework/images/webapp/images/ofbiz_logo.gif >>>>> >>>>> >>>>> >>>>> >>>>> |
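The check carried out by hand in this thread (loader list in the properties file, ContainerLoader start-up lines, RMI classes in is-deserialized.txt), as an added Python example that is not part of the thread or of OFBiz. The function names and verdict labels are made up here, and the sample inputs are constructed by rejoining lines quoted in the messages above.

```python
import re

# Property keys, container/dispatcher names and class prefixes are the ones
# quoted in this thread; function names and verdict labels are hypothetical.
LOADERS_PROP = re.compile(r"^\s*(ofbiz\.start\.loader\d+\.loaders)\s*=\s*(.*)$")
LOG_LOADERS = re.compile(r"Loading containers from \S+ for loaders \[([^\]]*)\]")
LOG_RMI_UNIT = re.compile(r"(?:container:?|dispatcher:)\s+(rmi-dispatcher|RMIDispatcher)\b")
RMI_PREFIXES = ("java.rmi.", "org.ofbiz.service.rmi.")


def configured_loaders(properties_text):
    """Map each active *.loaders key to its loader names; '#' lines are skipped."""
    result = {}
    for line in properties_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = LOADERS_PROP.match(line)
        if m:
            result[m.group(1)] = [n.strip() for n in m.group(2).split(",") if n.strip()]
    return result


def log_findings(log_text):
    """Return log lines showing that the rmi loader or the RMI dispatcher came up."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LOADERS.search(line)
        if m and "rmi" in [n.strip() for n in m.group(1).split(",")]:
            hits.append(line.strip())
        elif LOG_RMI_UNIT.search(line):
            hits.append(line.strip())
    return hits


def rmi_classes(deserialized_text):
    """Return the RMI-related entries of a list of deserialized class names."""
    hits = []
    for raw in deserialized_text.split():
        name = raw.lstrip("[")
        if name != raw and name.startswith("L") and name.endswith(";"):
            name = name[1:-1]  # JVM array form: [Lpkg.Class;
        if name.startswith(RMI_PREFIXES):
            hits.append(raw)
    return hits


def verdict(properties_text, log_text, deserialized_text=""):
    """Compare what the source file asks for with what the running instance did."""
    in_source = [k for k, v in configured_loaders(properties_text).items() if "rmi" in v]
    at_runtime = log_findings(log_text) or rmi_classes(deserialized_text)
    if in_source:
        return "rmi-configured"
    if at_runtime:
        # In the thread this state came from starting without "./ant clean build".
        return "rmi-running-despite-config"
    return "rmi-off"


# Constructed samples, rejoined from the lines quoted in the thread.
PROPS_BEFORE = """\
ofbiz.start.loader1=org.ofbiz.base.container.ContainerLoader
ofbiz.start.loader1.loaders=main,rmi
"""
PROPS_AFTER = """\
ofbiz.start.loader2=org.ofbiz.base.container.ContainerLoader
#ofbiz.start.loader2.loaders=main,pos,rmi
ofbiz.start.loader2.loaders=main,pos
"""
LOG_RMI = """\
[java] 2016-03-18 18:39:22,787 |main |ContainerLoader |I| [Startup] Loading containers from c:/projectsASF/ofbiz/framework/base/config/ofbiz-containers.xml for loaders [main, rmi]
[java] 2016-03-18 18:39:27,966 |main |ContainerLoader |I| Starting container rmi-dispatcher
[java] 2016-03-18 18:39:29,346 |main |ServiceDispatcher |I| Registering dispatcher: RMIDispatcher
"""
LOG_CLEAN = """\
[java] 2016-03-21 15:50:18,632 |main |ContainerLoader |I| [Startup] Loading containers from ./framework/base/config/ofbiz-containers.xml for loaders [main]
"""
DESERIALIZED = "org.ofbiz.service.rmi.RemoteDispatcherImpl_Stub\n[Ljava.rmi.server.ObjID;\njava.rmi.dgc.VMID\n"

if __name__ == "__main__":
    print(verdict(PROPS_BEFORE, LOG_RMI, DESERIALIZED))
    print(verdict(PROPS_AFTER, LOG_RMI))
    print(verdict(PROPS_AFTER, LOG_CLEAN))
```

The middle case is the one the thread tripped over: the edited properties file no longer lists `rmi`, yet the start-up log of the running instance still does.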
Ah, indeed I did not clean before. After cleaning, using a clean working copy at "Révision : 1735435" (svn info), I get the same than you, can not run
testRmi service and is-deserialized.txt contains not RMI reference So it's pretty neat. I will revert my changes and use this change with both.properties and the rmi test services commented out. All that with the same comment, in only 3 places now. Thanks! Jacques Le 21/03/2016 15:53, Jacopo Cappellato a écrit : > Ok, > > I have applied my patch, and the output I get is: > > [java] 2016-03-21 15:50:18,632 |main |ContainerLoader > |I| [Startup] Loading containers from > ./framework/base/config/ofbiz-containers.xml for loaders [main] > > However, in order to use the modified start.properties file you have to run: > > ./ant clean build > > before start-secure > > Could you please double check if you can get the same results? > > Thanks, > > Jacopo > > On Mon, Mar 21, 2016 at 3:40 PM, Jacques Le Roux < > [hidden email]> wrote: > >> With start-secure target (same than start but with notsoserial protection >> activated) >> >> Ah, sorry wrote ant-secure target below :) >> >> Jacques >> >> >> Le 21/03/2016 15:18, Jacopo Cappellato a écrit : >> >>> Hi Jacques, >>> >>> how did you get that log? (how did you start OFBiz) >>> >>> Thanks, >>> >>> Jacopo >>> >>> On Sat, Mar 19, 2016 at 11:47 AM, Jacques Le Roux < >>> [hidden email]> wrote: >>> >>> Hi Jacopo, >>>> No it's not enough. Without the RmiDispatcher deactivated you can still >>>> run RMI services like testRMI. 
>>>> You get in log: >>>> >>>> [java] 2016-03-18 18:39:22,787 |main |ContainerLoader |I| >>>> [Startup] Loading containers from >>>> c:/projectsASF/ofbiz/framework/base/config/ofbiz-containers.xml for >>>> loaders >>>> [main, rmi] >>>> [java] 2016-03-18 18:39:24,754 |main |ContainerLoader |I| >>>> Loading component's container: rmi-dispatcher >>>> [java] 2016-03-18 18:39:24,755 |main |ContainerLoader |I| >>>> Loaded component's container: rmi-dispatcher >>>> [java] 2016-03-18 18:39:27,966 |main |ContainerLoader |I| >>>> Starting container rmi-dispatcher >>>> [java] 2016-03-18 18:39:29,346 |main |ServiceDispatcher |I| >>>> Registering dispatcher: RMIDispatcher >>>> [java] 2016-03-18 18:39:29,346 |main |ServiceContainer |I| >>>> Created new dispatcher: RMIDispatcher >>>> [java] 2016-03-18 18:39:29,745 |main |ContainerLoader |I| >>>> Started container rmi-dispatcher >>>> >>>> And if you use ant-secure target you see this in is-deserialized.txt >>>> >>>> org.ofbiz.service.rmi.RemoteDispatcherImpl_Stub >>>> java.rmi.server.RemoteStub >>>> java.rmi.server.RemoteObject >>>> org.ofbiz.service.rmi.socket.ssl.SSLClientSocketFactory >>>> [Ljava.rmi.server.ObjID; >>>> java.rmi.server.ObjID >>>> java.rmi.server.UID >>>> java.rmi.dgc.Lease >>>> java.rmi.dgc.VMID >>>> >>>> Those are not issues but shows that RMI is still active. >>>> >>>> Actually I missed your change in start.properties but did the same in >>>> both.properties. >>>> >>>> Initially I wondered if the only thing needed was not to comment out the >>>> RmiDispatcher in service/ofbiz-component.xml >>>> Because once you have done that no RMI services can be used. >>>> I finally decided to do more because the Distributed Clear Cache relies >>>> on >>>> JNDI, JMS and RMI. So I also deactivated the JNDI server and then got >>>> further with all changes below. 
>>>>
>>>> Thinking about it now, since the Rmi Service Dispatcher and the JNDI
>>>> server are at the root of all, it's maybe the only things which need to
>>>> be
>>>> deactivated (trying to minimise the changes) with of course the RMI test
>>>> services which would fail else.
>>>>
>>>> What do you think?
>>>>
>>>> Jacques
>>>>
>>>>
>>>> On 18/03/2016 17:28, Jacopo Cappellato wrote:
>>>>
>>>> Hi Jacques,
>>>>> thanks for working at this.
>>>>> However I think that there is a simpler/better way to disable the
>>>>> component
>>>>> by default; by using the following patch:
>>>>>
>>>>> Index: framework/start/src/org/ofbiz/base/start/start.properties >>>>> =================================================================== >>>>> --- framework/start/src/org/ofbiz/base/start/start.properties (revision >>>>> 1735404) >>>>> +++ framework/start/src/org/ofbiz/base/start/start.properties (working >>>>> copy)
>>>>> @@ -40,7 +40,7 @@ >>>>> >>>>> # --- StartupLoader implementations to load (in order) >>>>> ofbiz.start.loader1=org.ofbiz.base.container.ContainerLoader >>>>> -ofbiz.start.loader1.loaders=main,rmi >>>>> +ofbiz.start.loader1.loaders=main >>>>> >>>>> # -- Enable the shutdown hook >>>>> #ofbiz.enable.hook=true
>>>>>
>>>>> I didn't test it but it should work!
>>>>>
>>>>> Jacopo
>>>>>
>>>>> On Fri, Mar 18, 2016 at 11:38 AM, <[hidden email]> wrote:
>>>>>
>>>>> Author: jleroux
>>>>>
>>>>>> Date: Fri Mar 18 10:38:04 2016
>>>>>> New Revision: 1735569
>>>>>>
>>>>>> URL: http://svn.apache.org/viewvc?rev=1735569&view=rev
>>>>>> Log:
>>>>>> Fixes "Comment out RMI related code because of the Java deserialization
>>>>>> issue" - https://issues.apache.org/jira/browse/OFBIZ-6942
>>>>>>
>>>>>> I decided to comment out as little as possible because once the RMI
>>>>>> loaders,
>>>>>> the RMI dispatcher and the related test services are off there is no
>>>>>> RMI
>>>>>> related danger left (test services are not a danger but would fail
>>>>>> during
>>>>>> tests run). It's then easier for users who need RMI in their projects
>>>>>> to
>>>>>> have only to uncomment those and not dig everywhere. Because the
>>>>>> naming
>>>>>> (JNDI) server relies on the rmi loader it will also be commented out.
>>>>>> >>>>>> Modified: >>>>>> ofbiz/trunk/framework/base/config/ofbiz-containers.xml >>>>>> ofbiz/trunk/framework/base/ofbiz-component.xml >>>>>> ofbiz/trunk/framework/common/servicedef/services_test.xml >>>>>> ofbiz/trunk/framework/service/ofbiz-component.xml >>>>>> >>>>>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>>>>> >>>>>> Modified: ofbiz/trunk/framework/base/config/ofbiz-containers.xml >>>>>> URL: >>>>>> >>>>>> >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/ofbiz-containers.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>>>>> >>>>>> >>>>>> >>>>>> ============================================================================== >>>>>> --- ofbiz/trunk/framework/base/config/ofbiz-containers.xml (original) >>>>>> +++ ofbiz/trunk/framework/base/config/ofbiz-containers.xml Fri Mar 18 >>>>>> 10:38:04 2016 
>>>>>> @@ -21,8 +21,11 @@ under the License. >>>>>> <ofbiz-containers xmlns:xsi=" >>>>>> http://www.w3.org/2001/XMLSchema-instance >>>>>> " >>>>>> xsi:noNamespaceSchemaLocation=" >>>>>> http://ofbiz.apache.org/dtds/ofbiz-containers.xsd"> >>>>>> >>>>>> + <!-- Because of the danger of Java deserialization when using RMI, >>>>>> we >>>>>> (PMC) have decided to comment out main RMI related code entries. >>>>>> + If you need RMI you just need to uncomment those places - See >>>>>> OFBIZ-6942 for details --> >>>>>> <!-- load the ofbiz component container (always first) --> >>>>>> - <container name="component-container" >>>>>> loaders="main,rmi,pos,load-data" >>>>>> class="org.ofbiz.base.container.ComponentContainer"/> >>>>>> + <!-- <container name="component-container" >>>>>> loaders="main,rmi,pos,load-data" >>>>>> class="org.ofbiz.base.container.ComponentContainer"/> --> >>>>>> + <container name="component-container" loaders="main,pos,load-data" >>>>>> class="org.ofbiz.base.container.ComponentContainer"/> >>>>>> >>>>>> <container name="component-container-test" loaders="test" >>>>>> class="org.ofbiz.base.container.ComponentContainer"> >>>>>> <property name="ofbiz.instrumenterClassName" >>>>>> value="org.ofbiz.base.config.CoberturaInstrumenter"/> >>>>>> >>>>>> Modified: ofbiz/trunk/framework/base/ofbiz-component.xml >>>>>> URL: >>>>>> >>>>>> >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>>>>> >>>>>> >>>>>> >>>>>> ============================================================================== >>>>>> --- ofbiz/trunk/framework/base/ofbiz-component.xml (original) >>>>>> +++ ofbiz/trunk/framework/base/ofbiz-component.xml Fri Mar 18 10:38:04 >>>>>> 2016 
>>>>>> @@ -33,11 +33,13 @@ under the License. >>>>>> >>>>>> <test-suite loader="main" location="testdef/basetests.xml"/> >>>>>> >>>>>> + <!-- Because of the danger of Java deserialization when using RMI, >>>>>> we >>>>>> (PMC) have decided to comment out main RMI related code entries. >>>>>> + If you need RMI you just need to uncomment those places - See >>>>>> OFBIZ-6942 for details --> >>>>>> <!-- load the naming (JNDI) server --> >>>>>> - <container name="naming-container" loaders="rmi" >>>>>> class="org.ofbiz.base.container.NamingServiceContainer"> >>>>>> + <!-- <container name="naming-container" loaders="rmi" >>>>>> class="org.ofbiz.base.container.NamingServiceContainer"> >>>>>> <property name="host" value="0.0.0.0"/> >>>>>> <property name="port" value="1099"/> >>>>>> - </container> >>>>>> + </container> --> >>>>>> >>>>>> <!-- load BeanShell remote telnet server --> >>>>>> <!-- Commented out by default for security reasons --> >>>>>> >>>>>> Modified: ofbiz/trunk/framework/common/servicedef/services_test.xml >>>>>> URL: >>>>>> >>>>>> >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services_test.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>>>>> >>>>>> >>>>>> >>>>>> ============================================================================== >>>>>> --- ofbiz/trunk/framework/common/servicedef/services_test.xml >>>>>> (original) >>>>>> +++ ofbiz/trunk/framework/common/servicedef/services_test.xml Fri Mar >>>>>> 18 >>>>>> 10:38:04 2016 
>>>>>> @@ -47,15 +47,17 @@ under the License. >>>>>> <service name="testError" engine="java" export="true" >>>>>> validate="false" require-new-transaction="true" max-retry="1" >>>>>> location="org.ofbiz.common.CommonServices" >>>>>> invoke="returnErrorService"> >>>>>> </service> >>>>>> + <!-- Because of the danger of Java deserialization when using RMI, >>>>>> we >>>>>> (PMC) have decided to comment out main RMI related code entries. >>>>>> + If you need RMI you just need to uncomment those places - See >>>>>> OFBIZ-6942 for details --> >>>>>> <!-- see serviceengine.xml to configure the rmi location alias >>>>>> --> >>>>>> - <service name="testRmi" engine="rmi" validate="false" >>>>>> + <!-- <service name="testRmi" engine="rmi" validate="false" >>>>>> location="main-rmi" invoke="testScv"> >>>>>> <implements service="testScv"/> >>>>>> </service> >>>>>> <service name="testRmiFail" engine="rmi" validate="false" >>>>>> location="main-rmi" invoke="testBsh"> >>>>>> <implements service="testScv"/> >>>>>> - </service> >>>>>> + </service> --> >>>>>> >>>>>> <service name="testRollback" engine="java" export="true" >>>>>> validate="false" >>>>>> location="org.ofbiz.common.CommonServices" >>>>>> invoke="testRollbackListener"> >>>>>> >>>>>> Modified: ofbiz/trunk/framework/service/ofbiz-component.xml >>>>>> URL: >>>>>> >>>>>> >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/ofbiz-component.xml?rev=1735569&r1=1735568&r2=1735569&view=diff >>>>>> >>>>>> >>>>>> >>>>>> ============================================================================== >>>>>> --- ofbiz/trunk/framework/service/ofbiz-component.xml (original) >>>>>> +++ ofbiz/trunk/framework/service/ofbiz-component.xml Fri Mar 18 >>>>>> 10:38:04 >>>>>> 2016 
>>>>>> @@ -44,12 +44,17 @@ under the License. >>>>>> <keystore name="rmitrust" type="jks" password="changeit" >>>>>> is-truststore="true" >>>>>> is-certstore="false" loader="main" >>>>>> location="config/rmitrust.jks"/> >>>>>> >>>>>> - <container name="service-container" >>>>>> loaders="main,rmi,pos,load-data,test" >>>>>> class="org.ofbiz.service.ServiceContainer"> >>>>>> + <!-- Because of the danger of Java deserialization when using RMI, >>>>>> we >>>>>> (PMC) have decided to comment out main RMI related code entries. >>>>>> + If you need RMI you just need to uncomment those places - See >>>>>> OFBIZ-6942 for details --> >>>>>> + <!-- <container name="service-container" >>>>>> loaders="main,rmi,pos,load-data,test" >>>>>> class="org.ofbiz.service.ServiceContainer"> --> >>>>>> + <container name="service-container" >>>>>> loaders="main,pos,load-data,test" >>>>>> class="org.ofbiz.service.ServiceContainer"> >>>>>> <property name="dispatcher-factory" >>>>>> value="org.ofbiz.service.GenericDispatcherFactory"/> >>>>>> </container> >>>>>> >>>>>> + <!-- Because of the danger of Java deserialization when using RMI, >>>>>> we >>>>>> (PMC) have decided to comment out main RMI related code entries. >>>>>> + If you need RMI you just need to uncomment those places - See >>>>>> OFBIZ-6942 for details --> >>>>>> <!-- RMI Service Dispatcher --> >>>>>> - <container name="rmi-dispatcher" loaders="rmi" >>>>>> class="org.ofbiz.service.rmi.RmiServiceContainer"> >>>>>> + <!-- <container name="rmi-dispatcher" loaders="rmi" >>>>>> class="org.ofbiz.service.rmi.RmiServiceContainer"> >>>>>> <property name="bound-name" value="RMIDispatcher"/> >>>>>> <property name="bound-host" value="127.0.0.1"/> >>>>>> <property name="bound-port" value="1099"/> 
>>>>>> @@ -61,7 +66,7 @@ under the License. >>>>>> <property name="ssl-keystore-pass" value="changeit"/> >>>>>> <property name="ssl-keystore-alias" value="rmissl"/> >>>>>> <property name="ssl-client-auth" value="false"/> >>>>>> - </container> >>>>>> + </container> --> >>>>>> >>>>>> <!-- JavaMail Listener Container - Triggers MCA Rules --> >>>>>> <!-- if delete-mail is set to true, will delete messages after >>>>>> fetching them. otherwise, will try to mark them as seen >>>>>> >>>>>> Modified: >>>>>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>>>>> URL: >>>>>> >>>>>> >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties?rev=1735569&r1=1735568&r2=1735569&view=diff >>>>>> >>>>>> >>>>>> >>>>>> ============================================================================== >>>>>> --- >>>>>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>>>>> (original) >>>>>> +++ >>>>>> ofbiz/trunk/framework/start/src/org/ofbiz/base/start/both.properties >>>>>> Fri Mar 18 10:38:04 2016 >>>>>> @@ -35,7 +35,10 @@ ofbiz.start.loader1=org.ofbiz.base.splas >>>>>> >>>>>> # --- StartupLoader implementations to load (in order) >>>>>> ofbiz.start.loader2=org.ofbiz.base.container.ContainerLoader >>>>>> -ofbiz.start.loader2.loaders=main,pos,rmi >>>>>> +# Because of the danger of Java deserialization when using RMI, we >>>>>> (PMC) >>>>>> have decided to comment out main RMI related code entries. >>>>>> +# If you need RMI you just need to uncomment those places - See >>>>>> OFBIZ-6942 for details --> >>>>>> +#ofbiz.start.loader2.loaders=main,pos,rmi >>>>>> +ofbiz.start.loader2.loaders=main,pos >>>>>> >>>>>> # -- Splash Logo >>>>>> >>>>>> ofbiz.start.splash.logo=framework/images/webapp/images/ofbiz_logo.gif >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> |
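Review bot: in the start.properties hunk, `rmi` is dropped from `ofbiz.start.loader1.loaders` with no comment saying why or how to turn it back on, and this patch leaves the matching list in both.properties (`ofbiz.start.loader2.loaders=main,pos,rmi`) untouched, so a start driven by that file would still request the rmi loader. Add a short `#` comment above the changed line pointing at OFBIZ-6942 and make the same change in both.properties. Because the file sits under src, the new value is only picked up after a rebuild (`./ant clean build`, as noted in the thread).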
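Review bot: in the ofbiz-containers.xml hunk, the old `component-container` line is kept as a comment directly above the new one, so a user who follows the added instruction to "just uncomment" ends up with two `<container name="component-container">` entries in the same file. Either drop the commented copy and have the comment say to add `rmi` back to the `loaders` attribute, or state that the active line must be removed when the old one is restored. The `service-container` change in framework/service/ofbiz-component.xml follows the same pattern.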
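Review bot: in the framework/base/ofbiz-component.xml hunk, the commented-out `naming-container` keeps `host` at `0.0.0.0` with port `1099`, so uncommenting it as the new comment suggests brings the JNDI server back listening on every interface. Consider changing the value inside the commented block to `127.0.0.1`, which is what `bound-host` already uses for `rmi-dispatcher`, or have the comment tell users to restrict the bind address before re-enabling.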
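Review bot: in the framework/service/ofbiz-component.xml hunks, the `rmi-dispatcher` block that users are told to uncomment still carries `ssl-keystore-pass` set to `changeit` and `ssl-client-auth` set to `false`, so re-enabling it restores an RMI endpoint with a default keystore password and no client certificate check. The added comment should say that these values need changing before the container is turned back on. Also, the XML comment opened at `<!-- <container name="rmi-dispatcher"` is closed only by `</container> -->` in the following hunk; the lines between the two hunks are not shown, so check that none of them contains a nested comment or a `--` sequence, which would make the file malformed.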
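Review bot: in the both.properties hunk, the second added comment line ends with `-->`, an XML comment terminator copied into a properties file; remove it. The commented `#ofbiz.start.loader2.loaders=main,pos,rmi` also sits above the active `ofbiz.start.loader2.loaders=main,pos`, and when a key appears twice in a Java properties file the later entry wins, so uncommenting the first line alone has no effect. Have the comment say that `rmi` must be added to the active line instead.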