Description of problem: If you log in as a user with only the "measure" permission assigned for a resource and then browse to that resourcce, the overview page throws and exception instead of loading. PermissionException User [readonly] does not have permission to manage configuration for resource[id=10001] Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. create group with a resource 2. create role with only "measure" permission and assign created group 3. create a user and assign only the role created above 4. browse to resource and view summary -> overview subtab Actual results: PermissionException Expected results: Page should load with whatever data the user should be able to see. e.g. the config section should show a lock or something instead of the config change data Additional info:
We should look at fixing this. For now we dont need a fancy lock icon, just a message.
commit 9b91e5efdfd522c622bb8d779b01bd75b799e616 Author: Joseph Marques <joseph> Date: Fri Jul 16 01:42:31 2010 -0400 BZ-614886: fix permissions necessary for resource/plugin configuration updates * historic/auditing data should not requires permission above and beyond the ability to view the corresponding resource to which that data is attached ----- the user should not be able to the view the entirety of the summary>overview sub-tab without any further permissions beyond having the corresponding resource in some group in one of that user's roles.
Tested on jon-server-2.4.0.GA_QA.zip build# 65. Still getting below error. PermissionException User [testuser] does not have permission to manage configuration for resource[id=10003] You can view the stack trace, return to the previous page, Dashboard, or Browse Resources page. Will keep it in ON_QA and re-test on next build as I'm not sure if the changes were present in the above build.
Sudhir, take note of the timestamp for my comment (1:45am EDT). I only pushed the fix for this a short while before you tested it (4:50am EDT). so the JON build you tested it against wouldn't have had the fix yet. the JON build created at or around noon EDT today will have the fix.
After discussion with the team, we actually want to treat a few subsystems differently - resource configuration and operations. Both of these subsystems should **not** allow users to **view** the data, unless they have the corresponding permission: current and historic resource configuration - CONFIGURE scheduled operations / operation history - CONTROL ----- The fix for each will require a similar strategy: * go to the XXXManagerBean SLSB * find all methods that return current / scheduled / historic data * add the necessary permission check to the top of each of those methods * use IDE tools to inspect the call hierarchy for every single one of these methods ** follow all paths back up to the UI, and test those pages to make sure the top-level exception handling is acceptable (i.e., the entire page shouldn't blow up if this data was only rendering as one small part of it, because that prevents the viewing of data that the user would have otherwise been able to see) ** follow all paths to other SLSB callers, as these new permissions will change the precondition / assumptions of those callers. if overlord was being passed, then we're safe because he can do everything in the system. but if the credentialed user was being passed to the method that has the new security checks, it may now fail in ways previously unhandled. in these instances, we'll have to figure out what should be the right handling on a case-by-case basis. ----- Since we're close to release, we need to isolate this fix to the configuration subsystem first. Time-allowing, we may revisit this for operations as well.
commit c1472c2fa4cc5c3c05321961bfd63408d7b8f08a Author: Joseph Marques <joseph> Date: Sun Jul 18 18:06:03 2010 -0400 BZ-614886: add secondary permission for configuration subsystem part 1 - new enum * rename CONFIGURE perm to CONFIGURE_WRITE ** rename action is safe because permissions are persisted using ordinals, not string names * add new CONFIGURE_READ permission ** must be added to the end of the enum, becuase permissions are persisted using ordinals part 2 - update code paths * update code paths previously using CONFIGURE perm to now use CONFIGURE_WRITE * for ResourceDetailView, change logic to show tab if user has config-read perm on resource
commit c09481313e95c91d65c758117ff2bbe03b5e9eac Author: Joseph Marques <joseph> Date: Sun Jul 18 22:45:03 2010 -0400 BZ-614886: update view/edit role page to accomodate new read/write config permissions * new layout for permissions we may eventually want to have separate read/write bits * new properties in ApplicationResources.properties for i18n * use javascript to keep the read/write bits in "sync" ** if config-write is checked, also check config-read ** if config-read is unckeched, also uncheck config-write * update the RoleManagerBean to ensure config-read is added when config-write is selected ** this will mostly be for remote callers, since our UI already uses javascript to handle this more intuitively
commit 5c5877e4f6c8ae0770e65cc5482a33a4bf75f17b Author: Joseph Marques <joseph> Date: Mon Jul 19 01:03:37 2010 -0400 BZ-614886: fix all callpaths originating from existing UI to respect configuration authorization ----- security changes in resource-specific facelets ----- resource/summary/overview.xhtml configData: !!MISSING!! -> ResourceUIBean.permissions.configureRead resource/configuration/view.xhtml configData: !!MISSING!! -> ResourceUIBean.permissions.configureRead editButtons: ResourceUIBean.permissions.configure -> ResourceUIBean.permissions.configureWrite added error message if user doesn't have read permission on the resource resource/configuration/edit.xhtml configData: !!MISSING!! -> ResourceUIBean.permissions.configureRead editButtons: ResourceUIBean.permissions.configure -> ResourceUIBean.permissions.configureWrite added error message if user doesn't have read permission on the resource resource/configuration/history.xhtml configData: !!MISSING!! -> ResourceUIBean.permissions.configureRead editButtons: ResourceUIBean.permissions.configure -> ResourceUIBean.permissions.configureWrite added error message if user doesn't have read permission on the resource resource/configuration/raw.xhtml (included from other protected pages) ResourceUIBean.permissions.configure -> ResourceUIBean.permissions.configureWrite resource/configuration/structured.xhtml (included from other protected pages) ResourceUIBean.permissions.configure -> ResourceUIBean.permissions.configureWrite ----- security changes in resource-specific jsf managed beans ----- resource/configuration/view.xhtml -> ResourceConfigurationViewer getLatestResourceConfigurationUpdate(subject, resourceId, fromStructured) canViewResource -> hasResourcePermission(CONFIGURE_READ) isResourceConfigurationUpdateInProgress(subject, resourceId) canViewResource -> hasResourcePermission(CONFIGURE_READ) resource/configuration/edit.xhtml -> ResourceConfigurationEditor translateResourceConfiguration(subject, resourceId, configuration, fromStructured) canViewResource -> hasResourcePermission(CONFIGURE_READ) updateStructuredOrRawConfiguration(subject, resourceId, configuration, fromStructured) !!MISSING!! -> hasResourcePermission(CONFIGURE_WRITE) updateResourceConfiguration(subject, resourceId, configuration, fromStructured) !!MISSING!! -> hasResourcePermission(CONFIGURE_WRITE) resource/configuration/history.xhtml -> GetLatestConfigurationUpdateUIBean getLatestResourceConfigurationUpdate(subject, resourceId, fromStructured) already secured as part of resource/configuration/view.xhtml work resource/configuration/history.xhtml -> ListConfigurationUpdateUIBean updateStructuredOrRawConfiguration(subject, resourceId, configuration, fromStructured) already secured as part of resource/configuration/edit.xhtml work updateResourceConfiguration(subject, resourceId, configuration, fromStructured) already secured as part of resource/configuration/edit.xhtml work purgeResourceConfigurationUpdate(subject, configurationUpdateId, purgeInProgress) this method was already correctly using CONFIGURE_WRITE permission findResourceConfigurationUpdates(subject, resourceId, beginDate, endDate, suppressOldest, pc) !!MISSING!! -> hasResourcePermission(CONFIGURE_READ) resource/configuration/history.xhtml -> ViewResourceConfigurationUpdateUIBean translateResourceConfiguration(subject, resourceId, configuration, fromStructured) already secured as part of resource/configuration/edit.xhtml work updateStructuredOrRawConfiguration(subject, resourceId, configuration, fromStructured) already secured as part of resource/configuration/edit.xhtml work updateResourceConfiguration(subject, resourceId, configuration, fromStructured) already secured as part of resource/configuration/edit.xhtml work getLatestResourceConfigurationUpdate(subject, resourceId, fromStructured) already secured as part of resource/configuration/view.xhtml work ----- security changes in group-specific facelets ----- group/configuration/viewCurrent.xhtml configData: !!MISSING!! -> ResourceUIBean.permissions.configureRead editButtons: ResourceUIBean.permissions.configure -> ResourceUIBean.permissions.configureWrite added error message if user doesn't have read permission on the resource group/configuration/editCurrent.xhtml configData: !!MISSING!! -> ResourceUIBean.permissions.configureRead save/reset/cancel buttons: ResourceUIBean.permissions.configure -> ResourceUIBean.permissions.configureWrite added error message if user doesn't have read permission on the resource group/configuration/history.xhtml configData: !!MISSING!! -> ResourceUIBean.permissions.configureRead deleteButton: !!MISSING!! -> ResourceUIBean.permissions.configureWrite added error message if user doesn't have read permission on the resource ----- security changes in group-specific jsf managed beans ----- group/configuration/viewCurrent.xhtml -> ViewGroupResourceConfigurationUIBean getResourceConfigurationsForCompatibleGroup(subject, groupId) !!MISSING!! -> hasResourcePermission(CONFIGURE_READ) group/configuration/editCurrent.xhtml -> EditGroupResourceConfigurationUIBean scheduleGroupResourceConfigurationUpdate(subject, groupId, map(resourceId, config)) already secured correctly CONFIGURE_WRITE, no changes necessary group/configuration/history.xhtml -> GroupResourceConfigurationHistoryUIBean deleteGroupResourceConfigurationUpdates(subject, groupId, groupConfigUpdateIds) already secured correctly CONFIGURE_WRITE, no changes necessary findGroupResourceConfigurationUpdates(groupId, pc) !!MISSING!! - added subject it to interface, then added hasGroupPermission(CONFIGURE_READ) group/configuration/history.xhtml -> GroupResourceConfigurationHistoryDetailsUIBean getResourceConfigurationMapForGroupUpdate(groupConfigUpdateId) !!MISSING!! - added subject it to interface add call into getGroupPluginConfigurationUpdate(subject, groupConfigurationUpdateId) canViewGroup -> hasGroupPermission(CONFIGURE_READ) findResourceConfigurationUpdateCompositesByParentId(groupConfigUpdateId) !!MISSING!! - added subject it to interface add call into into getGroupPluginConfigurationUpdate(subject, groupConfigurationUpdateId) already secured as part of group/configuration/history.xhtml work
commit 2bcb6f216b47999fd85b1f1b136cdb188dc81c30 Author: Joseph Marques <joseph> Date: Mon Jul 19 01:29:00 2010 -0400 BZ-614886: finally, perform necessary upgrade tasks so users see no upgrade impact if some role previously had CONFIGURE perm (now called CONFIGURE_WRITE), give it the implied perm CONFIGURE_READ so users don't experience an unexpected permission restriction after upgrade
Test setup: * create an "uber" group, containing all resources in the inventory for convenience (you can do this by creating a recursive, mixed group and adding all of the platforms for it) * create a user called "noperm", assign him to a role with no perms, add the uber group to this role * create a user called "config-read", assign him to a role with only CONFIGURE_READ permission, add the uber group to this role * create a user called "config-write", assign him to a role with only CONFIGURE_WRITE permission, add the uber group to this role Test verification: * ensure that "noperm" user get an appropriate error message that he can not view resource configuration data when navigating to the tabs listed below * ensure that "config-read" user get an appropriate error message that he can not edit resource configuration data when navigating to the tabs listed below * ensure that "config-write" user can view and/or edit the configuration data for the tabs listed below tab list: resource tab: summary > overview resource tab: configuration > view resource tab: configuration > edit resource tab: configuration > history group tab: configuration > view group tab: configuration > edit group tab: configuration > history
commit 6eafe393c583fdc260868248a69a827211c5195a Author: Joseph Marques <joseph> Date: Mon Jul 19 02:25:21 2010 -0400 BZ-614886: respect authz when displaying configUpdates in subsystem view * only show config update rows that reference resources with CONFIGURE_READ perm
Tested formal upgrade from RHQ 1.3.0 (JON 2.3.0) to RHQ 3.0.0, and the entire process completed successfully. Logged into the UI and saw that roles which previously had CONFIGURE permission now had both CONFIGURE_READ and CONFIGURE_WRITE permission.
I have verified this in a fresh setup scenario and it is working as expected. Rajan will test the upgraded scenario.
Testing against build 180 of ci-rhq-release hudson job. Encountered a NPE when trying to view a group config update on the group config history subtab. Steps to reproduce: 0. Log in as rhqadmin and do the following as rhqadmin 1. Create compatible group 2. Apply group config update 3. Go to the group tab 4. Go to the configuration history for the group 5. Click on 'View Group Update' and an exception is thrown sending you to error.xhtml Stack trace: javax.faces.FacesException: javax.el.ELException: /rhq/group/configuration/history.xhtml @169,51 configurationSet="#{GroupResourceConfigurationHistoryDetailsUIBean.configurationSet}": Error reading 'configurationSet' on type org.rhq.enterprise.gui.configuration.group.GroupResourceConfigurationHistoryDetailsUIBean at org.rhq.core.gui.util.FacesExpressionUtility.getValue(FacesExpressionUtility.java:50) at org.rhq.core.gui.util.FacesComponentUtility.getExpressionAttribute(FacesComponentUtility.java:336) at org.rhq.core.gui.configuration.propset.ConfigurationSetComponent.getConfigurationDefinition(ConfigurationSetComponent.java:58) at org.rhq.core.gui.configuration.ConfigRenderer.addChildComponents(ConfigRenderer.java:201) at org.rhq.core.gui.configuration.ConfigRenderer.encodeBegin(ConfigRenderer.java:162) at javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:813) at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:275) at org.ajax4jsf.renderkit.RendererBase.renderChildren(RendererBase.java:258) at org.ajax4jsf.renderkit.html.AjaxOutputPanelRenderer.encodeChildren(AjaxOutputPanelRenderer.java:78) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:930) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:933) at javax.faces.render.Renderer.encodeChildren(Renderer.java:148) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837) at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:277) at org.ajax4jsf.renderkit.RendererBase.renderChildren(RendererBase.java:258) at org.richfaces.renderkit.html.PanelRenderer.doEncodeChildren(PanelRenderer.java:200) at org.richfaces.renderkit.html.PanelRenderer.doEncodeChildren(PanelRenderer.java:195) at org.ajax4jsf.renderkit.RendererBase.encodeChildren(RendererBase.java:120) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:930) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:933) at com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:592) at org.rhq.enterprise.gui.common.framework.FaceletRedirectionViewHandler.renderView(FaceletRedirectionViewHandler.java:64) at org.ajax4jsf.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:100) at org.ajax4jsf.application.AjaxViewHandler.renderView(AjaxViewHandler.java:176) at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:110) at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100) at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:266) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:530) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.rhq.enterprise.gui.legacy.WebUserTrackingFilter.doFilter(WebUserTrackingFilter.java:50) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.rhq.enterprise.gui.legacy.AuthenticationFilter.doFilter(AuthenticationFilter.java:129) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83) at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:38) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206) at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290) at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388) at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515) at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.debug.hot.HotDeployFilter.doFilter(HotDeployFilter.java:51) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.rhq.helpers.rtfilter.filter.RtFilter.doFilter(RtFilter.java:124) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:619) Caused by: javax.el.ELException: /rhq/group/configuration/history.xhtml @169,51 configurationSet="#{GroupResourceConfigurationHistoryDetailsUIBean.configurationSet}": Error reading 'configurationSet' on type org.rhq.enterprise.gui.configuration.group.GroupResourceConfigurationHistoryDetailsUIBean at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:76) at org.rhq.core.gui.util.FacesExpressionUtility.getValue(FacesExpressionUtility.java:48) ... 81 more Caused by: javax.ejb.EJBException: java.lang.NullPointerException at org.jboss.ejb3.tx.Ejb3TxPolicy.handleExceptionInOurTx(Ejb3TxPolicy.java:63) at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:83) at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:191) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:95) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:62) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77) at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:240) at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:210) at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:84) at $Proxy365.getResourceConfigurationMapForGroupUpdate(Unknown Source) at org.rhq.enterprise.gui.configuration.group.GroupResourceConfigurationHistoryDetailsUIBean.getConfigurationSet(GroupResourceConfigurationHistoryDetailsUIBean.java:69) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at javax.el.BeanELResolver.getValue(BeanELResolver.java:62) at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:53) at com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:72) at org.jboss.el.parser.AstPropertySuffix.getValue(AstPropertySuffix.java:53) at org.jboss.el.parser.AstValue.getValue(AstValue.java:67) at org.jboss.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186) at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71) ... 82 more Caused by: java.lang.NullPointerException at org.rhq.enterprise.server.configuration.ConfigurationManagerBean.getGroupPluginConfigurationUpdate(ConfigurationManagerBean.java:1969) at org.rhq.enterprise.server.configuration.ConfigurationManagerBean.getResourceConfigurationMapForGroupUpdate(ConfigurationManagerBean.java:1742) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:112) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:166) at org.rhq.enterprise.server.common.TransactionInterruptInterceptor.addCheckedActionToTransactionManager(TransactionInterruptInterceptor.java:77) at sun.reflect.GeneratedMethodAccessor195.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118) at org.rhq.enterprise.server.authz.RequiredPermissionsInterceptor.checkRequiredPermissions(RequiredPermissionsInterceptor.java:156) at sun.reflect.GeneratedMethodAccessor194.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118) at org.jboss.ejb3.interceptor.EJB3InterceptorsInterceptor.invoke(EJB3InterceptorsInterceptor.java:63) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:54) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79) ... 111 more /rhq/group/configuration/history.xhtml @169,51 configurationSet="#{GroupResourceConfigurationHistoryDetailsUIBean.configurationSet}": Error reading 'configurationSet' on type org.rhq.enterprise.gui.configuration.group.GroupResourceConfigurationHistoryDetailsUIBean javax.el.ELException: /rhq/group/configuration/history.xhtml @169,51 configurationSet="#{GroupResourceConfigurationHistoryDetailsUIBean.configurationSet}": Error reading 'configurationSet' on type org.rhq.enterprise.gui.configuration.group.GroupResourceConfigurationHistoryDetailsUIBean at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:76) at org.rhq.core.gui.util.FacesExpressionUtility.getValue(FacesExpressionUtility.java:48) at org.rhq.core.gui.util.FacesComponentUtility.getExpressionAttribute(FacesComponentUtility.java:336) at org.rhq.core.gui.configuration.propset.ConfigurationSetComponent.getConfigurationDefinition(ConfigurationSetComponent.java:58) at org.rhq.core.gui.configuration.ConfigRenderer.addChildComponents(ConfigRenderer.java:201) at org.rhq.core.gui.configuration.ConfigRenderer.encodeBegin(ConfigRenderer.java:162) at javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:813) at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:275) at org.ajax4jsf.renderkit.RendererBase.renderChildren(RendererBase.java:258) at org.ajax4jsf.renderkit.html.AjaxOutputPanelRenderer.encodeChildren(AjaxOutputPanelRenderer.java:78) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:930) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:933) at javax.faces.render.Renderer.encodeChildren(Renderer.java:148) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837) at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:277) at org.ajax4jsf.renderkit.RendererBase.renderChildren(RendererBase.java:258) at org.richfaces.renderkit.html.PanelRenderer.doEncodeChildren(PanelRenderer.java:200) at org.richfaces.renderkit.html.PanelRenderer.doEncodeChildren(PanelRenderer.java:195) at org.ajax4jsf.renderkit.RendererBase.encodeChildren(RendererBase.java:120) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:930) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:933) at com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:592) at org.rhq.enterprise.gui.common.framework.FaceletRedirectionViewHandler.renderView(FaceletRedirectionViewHandler.java:64) at org.ajax4jsf.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:100) at org.ajax4jsf.application.AjaxViewHandler.renderView(AjaxViewHandler.java:176) at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:110) at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100) at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:266) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:530) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.rhq.enterprise.gui.legacy.WebUserTrackingFilter.doFilter(WebUserTrackingFilter.java:50) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.rhq.enterprise.gui.legacy.AuthenticationFilter.doFilter(AuthenticationFilter.java:129) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83) at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:38) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206) at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290) at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388) at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515) at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.debug.hot.HotDeployFilter.doFilter(HotDeployFilter.java:51) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.rhq.helpers.rtfilter.filter.RtFilter.doFilter(RtFilter.java:124) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:619) Caused by: javax.ejb.EJBException: java.lang.NullPointerException at org.jboss.ejb3.tx.Ejb3TxPolicy.handleExceptionInOurTx(Ejb3TxPolicy.java:63) at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:83) at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:191) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:95) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:62) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77) at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:240) at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:210) at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:84) at $Proxy365.getResourceConfigurationMapForGroupUpdate(Unknown Source) at org.rhq.enterprise.gui.configuration.group.GroupResourceConfigurationHistoryDetailsUIBean.getConfigurationSet(GroupResourceConfigurationHistoryDetailsUIBean.java:69) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at javax.el.BeanELResolver.getValue(BeanELResolver.java:62) at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:53) at com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:72) at org.jboss.el.parser.AstPropertySuffix.getValue(AstPropertySuffix.java:53) at org.jboss.el.parser.AstValue.getValue(AstValue.java:67) at org.jboss.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186) at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71) ... 82 more Caused by: java.lang.NullPointerException at org.rhq.enterprise.server.configuration.ConfigurationManagerBean.getGroupPluginConfigurationUpdate(ConfigurationManagerBean.java:1969) at org.rhq.enterprise.server.configuration.ConfigurationManagerBean.getResourceConfigurationMapForGroupUpdate(ConfigurationManagerBean.java:1742) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:112) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:166) at org.rhq.enterprise.server.common.TransactionInterruptInterceptor.addCheckedActionToTransactionManager(TransactionInterruptInterceptor.java:77) at sun.reflect.GeneratedMethodAccessor195.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118) at org.rhq.enterprise.server.authz.RequiredPermissionsInterceptor.checkRequiredPermissions(RequiredPermissionsInterceptor.java:156) at sun.reflect.GeneratedMethodAccessor194.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118) at org.jboss.ejb3.interceptor.EJB3InterceptorsInterceptor.invoke(EJB3InterceptorsInterceptor.java:63) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:54) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79) ... 111 more java.lang.NullPointerException javax.ejb.EJBException: java.lang.NullPointerException at org.jboss.ejb3.tx.Ejb3TxPolicy.handleExceptionInOurTx(Ejb3TxPolicy.java:63) at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:83) at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:191) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:95) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:62) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77) at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:240) at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:210) at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:84) at $Proxy365.getResourceConfigurationMapForGroupUpdate(Unknown Source) at org.rhq.enterprise.gui.configuration.group.GroupResourceConfigurationHistoryDetailsUIBean.getConfigurationSet(GroupResourceConfigurationHistoryDetailsUIBean.java:69) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at javax.el.BeanELResolver.getValue(BeanELResolver.java:62) at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:53) at com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:72) at org.jboss.el.parser.AstPropertySuffix.getValue(AstPropertySuffix.java:53) at org.jboss.el.parser.AstValue.getValue(AstValue.java:67) at org.jboss.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186) at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71) at org.rhq.core.gui.util.FacesExpressionUtility.getValue(FacesExpressionUtility.java:48) at org.rhq.core.gui.util.FacesComponentUtility.getExpressionAttribute(FacesComponentUtility.java:336) at org.rhq.core.gui.configuration.propset.ConfigurationSetComponent.getConfigurationDefinition(ConfigurationSetComponent.java:58) at org.rhq.core.gui.configuration.ConfigRenderer.addChildComponents(ConfigRenderer.java:201) at org.rhq.core.gui.configuration.ConfigRenderer.encodeBegin(ConfigRenderer.java:162) at javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:813) at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:275) at org.ajax4jsf.renderkit.RendererBase.renderChildren(RendererBase.java:258) at org.ajax4jsf.renderkit.html.AjaxOutputPanelRenderer.encodeChildren(AjaxOutputPanelRenderer.java:78) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:930) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:933) at javax.faces.render.Renderer.encodeChildren(Renderer.java:148) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837) at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:277) at org.ajax4jsf.renderkit.RendererBase.renderChildren(RendererBase.java:258) at org.richfaces.renderkit.html.PanelRenderer.doEncodeChildren(PanelRenderer.java:200) at org.richfaces.renderkit.html.PanelRenderer.doEncodeChildren(PanelRenderer.java:195) at org.ajax4jsf.renderkit.RendererBase.encodeChildren(RendererBase.java:120) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:930) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:933) at com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:592) at org.rhq.enterprise.gui.common.framework.FaceletRedirectionViewHandler.renderView(FaceletRedirectionViewHandler.java:64) at org.ajax4jsf.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:100) at org.ajax4jsf.application.AjaxViewHandler.renderView(AjaxViewHandler.java:176) at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:110) at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100) at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:266) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:530) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.rhq.enterprise.gui.legacy.WebUserTrackingFilter.doFilter(WebUserTrackingFilter.java:50) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.rhq.enterprise.gui.legacy.AuthenticationFilter.doFilter(AuthenticationFilter.java:129) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83) at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:38) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206) at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290) at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388) at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515) at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.debug.hot.HotDeployFilter.doFilter(HotDeployFilter.java:51) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.rhq.helpers.rtfilter.filter.RtFilter.doFilter(RtFilter.java:124) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:619) Caused by: java.lang.NullPointerException at org.rhq.enterprise.server.configuration.ConfigurationManagerBean.getGroupPluginConfigurationUpdate(ConfigurationManagerBean.java:1969) at org.rhq.enterprise.server.configuration.ConfigurationManagerBean.getResourceConfigurationMapForGroupUpdate(ConfigurationManagerBean.java:1742) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:112) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:166) at org.rhq.enterprise.server.common.TransactionInterruptInterceptor.addCheckedActionToTransactionManager(TransactionInterruptInterceptor.java:77) at sun.reflect.GeneratedMethodAccessor195.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118) at org.rhq.enterprise.server.authz.RequiredPermissionsInterceptor.checkRequiredPermissions(RequiredPermissionsInterceptor.java:156) at sun.reflect.GeneratedMethodAccessor194.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118) at org.jboss.ejb3.interceptor.EJB3InterceptorsInterceptor.invoke(EJB3InterceptorsInterceptor.java:63) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:54) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79) ... 111 more java.lang.NullPointerException at org.rhq.enterprise.server.configuration.ConfigurationManagerBean.getGroupPluginConfigurationUpdate(ConfigurationManagerBean.java:1969) at org.rhq.enterprise.server.configuration.ConfigurationManagerBean.getResourceConfigurationMapForGroupUpdate(ConfigurationManagerBean.java:1742) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:112) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:166) at org.rhq.enterprise.server.common.TransactionInterruptInterceptor.addCheckedActionToTransactionManager(TransactionInterruptInterceptor.java:77) at sun.reflect.GeneratedMethodAccessor195.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118) at org.rhq.enterprise.server.authz.RequiredPermissionsInterceptor.checkRequiredPermissions(RequiredPermissionsInterceptor.java:156) at sun.reflect.GeneratedMethodAccessor194.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118) at org.jboss.ejb3.interceptor.EJB3InterceptorsInterceptor.invoke(EJB3InterceptorsInterceptor.java:63) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:54) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79) at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:191) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:95) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:62) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77) at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:240) at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:210) at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:84) at $Proxy365.getResourceConfigurationMapForGroupUpdate(Unknown Source) at org.rhq.enterprise.gui.configuration.group.GroupResourceConfigurationHistoryDetailsUIBean.getConfigurationSet(GroupResourceConfigurationHistoryDetailsUIBean.java:69) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at javax.el.BeanELResolver.getValue(BeanELResolver.java:62) at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:53) at com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:72) at org.jboss.el.parser.AstPropertySuffix.getValue(AstPropertySuffix.java:53) at org.jboss.el.parser.AstValue.getValue(AstValue.java:67) at org.jboss.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186) at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71) at org.rhq.core.gui.util.FacesExpressionUtility.getValue(FacesExpressionUtility.java:48) at org.rhq.core.gui.util.FacesComponentUtility.getExpressionAttribute(FacesComponentUtility.java:336) at org.rhq.core.gui.configuration.propset.ConfigurationSetComponent.getConfigurationDefinition(ConfigurationSetComponent.java:58) at org.rhq.core.gui.configuration.ConfigRenderer.addChildComponents(ConfigRenderer.java:201) at org.rhq.core.gui.configuration.ConfigRenderer.encodeBegin(ConfigRenderer.java:162) at javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:813) at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:275) at org.ajax4jsf.renderkit.RendererBase.renderChildren(RendererBase.java:258) at org.ajax4jsf.renderkit.html.AjaxOutputPanelRenderer.encodeChildren(AjaxOutputPanelRenderer.java:78) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:930) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:933) at javax.faces.render.Renderer.encodeChildren(Renderer.java:148) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837) at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:277) at org.ajax4jsf.renderkit.RendererBase.renderChildren(RendererBase.java:258) at org.richfaces.renderkit.html.PanelRenderer.doEncodeChildren(PanelRenderer.java:200) at org.richfaces.renderkit.html.PanelRenderer.doEncodeChildren(PanelRenderer.java:195) at org.ajax4jsf.renderkit.RendererBase.encodeChildren(RendererBase.java:120) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:930) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:933) at com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:592) at org.rhq.enterprise.gui.common.framework.FaceletRedirectionViewHandler.renderView(FaceletRedirectionViewHandler.java:64) at org.ajax4jsf.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:100) at org.ajax4jsf.application.AjaxViewHandler.renderView(AjaxViewHandler.java:176) at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:110) at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100) at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:266) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:530) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.rhq.enterprise.gui.legacy.WebUserTrackingFilter.doFilter(WebUserTrackingFilter.java:50) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.rhq.enterprise.gui.legacy.AuthenticationFilter.doFilter(AuthenticationFilter.java:129) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83) at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:38) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206) at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290) at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388) at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515) at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.debug.hot.HotDeployFilter.doFilter(HotDeployFilter.java:51) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.rhq.helpers.rtfilter.filter.RtFilter.doFilter(RtFilter.java:124) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:619) Sending back to dev.
I get the NPE described in commnent 14 when logged in as user having only CONFIGURE_READ permission as well.
Ian, can you take a look at John's most recent comment, it may be an existing issue not related to the recent perm changes.
I got the same NPE even when logged in as rhqadmin, so it had nothing to do with authz perms. It turned out to be a one-line fix of a bug that looked like a copy-paste error. Commit 13f415c fixes it but has not been pushed to origin yet. A patch containing the commit is attached for dev review.
Created attachment 433230 [details] patch that fixes this issue
patch looks kosher ian. you got my sign-off.
Pushed to release-3.0.0 branch.
Retested the scenario reported in comment 14 with build 188 of the ci-rhq-release hudson job. I was able to view the group config updates with rhqadmin, user having CONFIGURE_READ, and a user having CONFIGURE_WRITE.
Created attachment 433358 [details] Group conifguration update Verified Comment# 14 on jon-server-2.4.0.GA_QA.zip build# 71. Click on Group config update did not throw any error. I'm attaching the screen shot of the success message. Marking the bug verified.
Oh yes, I also verified as config read and config write and was able to see the group config update from history without any error.
Sudhir, if you don't mind I'd like to move this back to ON_QA. I have questions about security around some of the CLI apis. I am still working through some scenarios for the CLI.
For my no permission user from the CLI I am able to view a resource configuration with, * ConfigurationManager.getResourceConfiguration * ConfigurationManager.getConfiguration In the web ui, my no permission user is not able to view the same resource configuration that he can access from the CLI. I see in the implementation for getResourceConfiguration that we do a security check to see whether or not the user has access to the resource. Looks like we just need to change the permission we are checking. As for getConfiguration it has no security checks, and I question whether or not we should even expose that in the remote APIs. Since you are just passing in a config id, you could be trying to fetch something other than a resource configuration, maybe like a plugin configuration which my no perm user should be able to access. Sending back to dev to resolve these issues.
Looks like ConfigurationManager.getGroupResourceConfigurationUpdate checks the wrong permission as well as my no permission user is able to access the group configuration through this method.
here's a patch of what I think needs to change based on jsanda's last comment (getConfiguration should not be a remote API, and have CONFIG_READ perm checks be performed in the two methods where they are not): diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/configuration/ConfigurationManagerBean.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/configuration/ConfigurationManagerBean.java index 99e2d5a..a691bd1 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/configuration/ConfigurationManagerBean.java +++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/configuration/ConfigurationManagerBean.java @@ -272,7 +272,7 @@ public class ConfigurationManagerBean implements ConfigurationManagerLocal, Conf throw new NoResultException("Cannot get live configuration for unknown resource [" + resourceId + "]"); } - if (!authorizationManager.canViewResource(subject, resource.getId())) { + if (!authorizationManager.hasResourcePermission(subject, Permission.CONFIGURE_READ, resource.getId())) { throw new PermissionException("User [" + subject.getName() + "] does not have permission to view resource configuration for [" + resource + "]"); } @@ -1980,7 +1980,7 @@ public class ConfigurationManagerBean implements ConfigurationManagerLocal, Conf GroupResourceConfigurationUpdate update = getGroupResourceConfigurationById(configurationUpdateId); int groupId = update.getGroup().getId(); - if (authorizationManager.canViewGroup(subject, groupId) == false) { + if (authorizationManager.hasGroupPermission(subject, Permission.CONFIGURE_READ, groupId) == false) { throw new PermissionException("User[" + subject.getName() + "] does not have permission to view group resourceConfiguration[id=" + configurationUpdateId + "]"); } diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/configuration/ConfigurationManagerLocal.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/configuration/ConfigurationManagerLocal.java index 4242153..6a1c114 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/configuration/ConfigurationManagerLocal.java +++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/configuration/ConfigurationManagerLocal.java @@ -381,6 +381,8 @@ public interface ConfigurationManagerLocal { */ void checkForTimedOutConfigurationUpdateRequests(); + public Configuration getConfiguration(Subject subject, int configurationId); + // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! // // The following are shared with the Remote Interface @@ -392,8 +394,6 @@ public interface ConfigurationManagerLocal { public GroupResourceConfigurationUpdate getGroupResourceConfigurationUpdate(Subject subject, int configurationUpdateId); - public Configuration getConfiguration(Subject subject, int configurationId); - /** * Get the current plugin configuration for the {@link Resource} with the given id, or <code>null</code> if the * resource's plugin configuration is not yet initialized. diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/configuration/ConfigurationManagerRemote.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/configuration/ConfigurationManagerRemote.java index b25fa9d..b4836c6 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/configuration/ConfigurationManagerRemote.java +++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/configuration/ConfigurationManagerRemote.java @@ -65,11 +65,6 @@ public interface ConfigurationManagerRemote { @WebParam(name = "subject") Subject subject, // @WebParam(name = "configurationUpdateId") int configurationUpdateId); - @WebMethod - Configuration getConfiguration( // - @WebParam(name = "subject") Subject subject, // - @WebParam(name = "configurationId") int configurationId); - /** * Get the current plugin configuration for the {@link Resource} with the given id, or <code>null</code> if the * resource's plugin configuration is not yet initialized.
release-3.0.0 branch commit 09963f393cdfd19d2a54d9b6985259a22aa4ecac three things one, change view check to CONFIG_READ check for resource two, change view check to *group* CONFIG_READ check three, remove getConfiguration from remote interface
I tested both UI and CLI again from the John's test scenarios. Everything looks good. I get the message for noperm user correctly for cli as below, Wrapped org.rhq.enterprise.server.authz.PermissionException: [Warning] User [noperm] does not have permission to view resource configuration for [Resource[id=10004, type=RHQ Agent, key=RHQ Agent, name=RHQ Agent, parent=Sudhir RHEL5.5, version=3.0.0.GA_QA]] (<Unknown source>#1) ConfigurationManager.getLatestResourceConfigurationUpdate(10004) ^ For the group I get below, Wrapped org.rhq.enterprise.server.authz.PermissionException: [Warning] User[noperm] does not have permission to view group resourceConfiguration[id=10001] (<Unknown source>#1) ConfigurationManager.getGroupPluginConfigurationUpdate(10001) I get and NPE if I give the wrong groupID. As discussed with John Sanda, I've raised Bug 617598 of low priority. John found another bug with permission and has raised bug 617603 Marking this bug as verified.
I think it is worth noting that we can rigorously verify the expected behavior (at the EJB level where the security checks are performed) with blazing fast unit tests. And by blazing fast, I mean tests that neither have dependencies on a database nor on the embedded EJB container. The automated tests that we have for ConfigurationManagerBean in ConfigurationManagerBeanTest all use the overlord so security isn't really exercised. And no new tests were introduced with these code changes.
Mass-closure of verified bugs against JON.