Bug 627023

Summary: jboss-as plugin should not require Internet access to manage resources
Product: [Other] RHQ Project
Reporter: John Sanda <jsanda>
Component: Plugins
Assignee: Charles Crouch <ccrouch>
Status: CLOSED CURRENTRELEASE
QA Contact: Mike Foley <mfoley>
Severity: medium
Priority: medium
Version: 4.2
CC: ccrouch, hbrock, jshaughn, lkrejci, loleary
Target Milestone: ---
Target Release: RHQ 4.3.0
Hardware: All
OS: All
Fixed In Version: 4.3
Doc Type: Bug Fix
Last Closed: 2013-08-31 06:14:00 EDT
Bug Blocks: 625146, 847379

Description John Sanda 2010-08-24 17:35:40 EDT
Description of problem:
The jboss-as plugin is designed to manage JBoss resources only running on the same machine as the agent; therefore, the plugin should not have dependencies on resources that reside somewhere else on the network or on the internet. This can be problematic today for resources such as data sources and connection factories whose configurations are stored in and parsed from xml files that can reference external resources. Consider the following snippet,

<!DOCTYPE connection-factories PUBLIC
          "-//JBoss//DTD JBOSS JCA Config 1.5//EN"
          "http://www.jboss.org/j2ee/dtd/jboss-ds_1_5.dtd">
<connection-factories>
  ...
</connection-factories>

When the resource configuration editor code in the jboss-as plugin sees the doctype declaration, it will attempt to fetch the referenced dtd file. We need to explicitly disable validation or do whatever else is necessary to ensure that the underlying XML parser does not make any requests across the network or internet.

I know that this is a problem in the ConnectionFactoryConfigurationEditor class in the jboss-as plugin. We need to review other classes in the plugin to see where this might be an issue. And we ought to review the jboss-as-5 plugin as well.

Comment 2 Ian Springer 2011-11-08 11:17:03 EST
[master 09872c1] and [master eff5f3c] fix this - we now use JBossEntityResolver to locally resolve DTDs and XSDs referenced in XML config files parsed by the jboss-as, jboss-cache, and mod-cluster plugins - this allows these plugins to function even if the RHQ Agent cannot access the Internet.

http://git.fedorahosted.org/git?p=rhq/rhq.git;a=commitdiff;h=09872c1
http://git.fedorahosted.org/git?p=rhq/rhq.git;a=commitdiff;h=eff5f3c
Comment 3 Ian Springer 2011-11-09 16:18:40 EST
[master cacf370] switches to an alternative solution: add SelectiveSkippingEntityResolver class to plugin-api and use that, rather than JBossEntityResolver, as the entity resolver when parsing XML config files in the jboss-as, jboss-cache, and mod-cluster plugins; SelectiveSkippingEntityResolver returns an empty InputSource for any entity whose system ID ends with ".dtd" or "xsd"; this bogus resolution effectively prevents any attempt by the parser to load DTDs or XSDs from remote URLs

It has been decided not to include this fix in JON3, so I'm keeping this ON_QA.
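
The entity-resolver approach described in Comment 3, as an added Java example that is not RHQ's code and not part of the original bug report. The class name SkipExternalSchemaResolver and the trimmed copy of foo-ds.xml are constructed for illustration; the example parses the file with its DOCTYPE intact and records which system IDs were answered locally instead of fetched.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;

public class OfflineDsXmlParse {
    // Hypothetical resolver (not the source of RHQ's SelectiveSkippingEntityResolver):
    // answers DTD/XSD lookups with an empty document so the parser never opens a URL.
    static class SkipExternalSchemaResolver implements EntityResolver {
        final List<String> skipped = new ArrayList<>();
        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            if (systemId != null) {
                String id = systemId.toLowerCase(java.util.Locale.ROOT);
                if (id.endsWith(".dtd") || id.endsWith(".xsd")) {
                    skipped.add(systemId);
                    return new InputSource(new StringReader(""));
                }
            }
            return null; // null asks the parser to resolve the entity the default way
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, trimmed from the foo-ds.xml in the QA test steps.
        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<!DOCTYPE datasources PUBLIC \"-//JBoss//DTD JBOSS JCA Config 1.5//EN\"\n"
            + "    \"http://www.jboss.org/j2ee/dtd/jboss-ds_1_5.dtd\">\n"
            + "<datasources><local-tx-datasource>\n"
            + "  <jndi-name>foo</jndi-name>\n"
            + "</local-tx-datasource></datasources>\n";
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setValidating(false); // no DTD validation; the DOCTYPE is still processed
        DocumentBuilder builder = factory.newDocumentBuilder();
        SkipExternalSchemaResolver resolver = new SkipExternalSchemaResolver();
        builder.setEntityResolver(resolver);
        Document doc = builder.parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        String jndi = doc.getElementsByTagName("jndi-name").item(0).getTextContent();
        System.out.println("jndi-name: " + jndi);
        System.out.println("skipped:   " + resolver.skipped);
    }
}
```

Entities whose system ID has any other suffix fall through to the `return null` branch and are resolved by the parser's default mechanism, so a parser that must never touch the network needs those handled as well.
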
Comment 4 Ian Springer 2011-11-10 10:10:42 EST
QA test steps
=============
1) set up a managed AS or EAP 4.x instance with a datasource *whose ds.xml file contains a DTD or XSD reference*, e.g. foo-ds.xml:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE datasources
    PUBLIC "-//JBoss//DTD JBOSS JCA Config 1.5//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-ds_1_5.dtd">

<datasources>
   
   <local-tx-datasource>
      <jndi-name>foo</jndi-name>
      <use-java-context>false</use-java-context>
      <connection-url>jdbc:hsqldb:.</connection-url>
      <driver-class>org.hsqldb.jdbcDriver</driver-class>
      <user-name>sa</user-name>
      <password></password>
   </local-tx-datasource>
    
</datasources>

2) disconnect the machine running the Agent from the Internet - test that it is truly disconnected by running "ping google.com" from the command line of the Agent box
 
3) go to the Configuration>Current subtab for the DataSource Resource corresponding to the foo datasource defined in foo-ds.xml.

4) verify the config loads without errors and is displayed in the config editor

5) edit the values of a couple properties, then save the config

6) ensure the config saves successfully with no errors

7) go back to the Configuration>Current subtab and verify that your changes "stuck"

8) open foo-ds.xml and verify that the changes were made and that the file is not corrupt
Comment 5 Lukas Krejci 2011-11-24 14:52:24 EST
verified in master
Comment 6 Jay Shaughnessy 2013-02-26 17:19:46 EST
Moving to verified.
Comment 8 Heiko W. Rupp 2013-08-31 06:14:00 EDT
Bulk close of old bugs in VERIFIED state.