Bug 786106 - trying to call ProxyFactory methods inside CLI alert scripts throws AccessControlExceptions
Alias: None
Product: RHQ Project
Classification: Other
Component: Core UI
Version: 4.3
Hardware: Unspecified
OS: Unspecified
high vote
Target Milestone: ---
: RHQ 4.3.0
Assignee: Lukas Krejci
QA Contact: Mike Foley
Depends On:
Blocks: jon310-sprint11, rhq44-sprint11 790018 790030
Reported: 2012-01-31 13:30 UTC by Lukas Krejci
Modified: 2013-08-31 10:13 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 790030
Last Closed: 2013-08-31 10:13:12 UTC


Description Lukas Krejci 2012-01-31 13:30:42 UTC
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create CLI script that uses ProxyFactory to obtain some resource (ProxyFactory.getResource(10001)), create alert, attach the script as one of its notifications.
2. Let the alert fire
Actual results:
In the alert history, review the cli notification results - it shows an access control exception

Expected results:
No access control exception should have been thrown

Additional info:

Comment 1 Lukas Krejci 2012-01-31 13:38:48 UTC
commit http://git.fedorahosted.org/git/?p=rhq/rhq.git;a=commitdiff;h=02dafbc97a76c3813afd0f05b213d8a1de70a3c2
Author: Lukas Krejci <lkrejci@redhat.com>
Date:   Tue Jan 31 14:35:07 2012 +0100

    [BZ 786106] Wrap calls to obtain managers in privileged blocks so that 3rd
    callers can safely obtain them.
    The StandardBindings put all the managers into the script context before
    the script engine is initialized with the security measures which makes
    the managers available inside the scripts. Java code that gets injected as
    other params into the scripts (like the "ProxyFactory" (of class
    ResourceClientFactory) would suffer from access control exceptions when
    it tried to obtain some manager while being called from the script because
    it would try to call the methods from the LocalClient to obtain the remote
    interfaces directly, without a wrapping in a privileged block). Obtaining
    the remote interfaces is a safe operation wrt the scripts and so can be
    wrapped in privileged block so that any caller of the LocalClient can
    have access to the regardless of the access control restrictions in place.
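
Added example, not part of the bug report or of the RHQ code base: a minimal Java model of the stack-walk behaviour the commit message describes, showing a guarded lookup failing when reached from a restricted context and succeeding once wrapped in a privileged block. The class, method and permission names are hypothetical, the policy installed in main is an assumption that marks the demo's own classes as trusted, and it assumes a JDK where AccessController still enforces permissions (for example JDK 8 to 17).

```java
import java.security.*;

public class PrivilegedLookupDemo {
    // Hypothetical permission guarding the lookup of a remote manager interface.
    static final Permission LOOKUP = new RuntimePermission("demo.lookupManager");

    // Stand-in for the guarded lookup performed on behalf of the caller.
    static String lookupManager() {
        // Checks every protection domain on the current call stack.
        AccessController.checkPermission(LOOKUP);
        return "ResourceManager";
    }

    // Before the fix: the restricted caller's context is still part of the check.
    static String getManagerUnwrapped() {
        return lookupManager();
    }

    // After the fix: the stack walk stops at this trusted frame.
    static String getManagerPrivileged() {
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> lookupManager());
    }

    // Runs 'body' as a sandboxed script would run: under a context with no permissions.
    static String runSandboxed(PrivilegedAction<String> body) {
        ProtectionDomain none = new ProtectionDomain(null, new Permissions());
        AccessControlContext sandbox =
                new AccessControlContext(new ProtectionDomain[] { none });
        try {
            return AccessController.doPrivileged(body, sandbox);
        } catch (AccessControlException e) {
            return "denied " + e.getPermission().getName();
        }
    }

    public static void main(String[] args) {
        // Assumption for the demo: treat this class as fully trusted server code.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.out.println("unwrapped:  " + runSandboxed(() -> getManagerUnwrapped()));
        System.out.println("privileged: " + runSandboxed(() -> getManagerPrivileged()));
    }
}
```

The privileged wrapper is only appropriate where, as the commit message argues for the remote interfaces, handing the result to an untrusted caller is itself safe; the wrapped action should stay as small as the lookup it protects.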

Comment 2 Mike Foley 2012-02-02 19:01:06 UTC
Created alert ... with CLI script as described in the description. Alert fired many times. Did not see access control exceptions in the server log.

Comment 3 Lukas Krejci 2012-02-13 14:16:47 UTC
Making this BZ block the correct tracker.

Comment 4 Heiko W. Rupp 2013-08-31 10:13:12 UTC
Bulk close of old bugs in VERIFIED state.
