3 Replies Latest reply on Nov 15, 2002 7:40 AM by adrian.brock

BMP - Very Interesting Situation

jmejia424 Nov 14, 2002 11:47 AM

I have JBoss 3 with Tomcat 4 and have written an application for my clients. I have tickets (work orders), however, tickets should only be seen by the appropriate client. Because of compatibility issues with existing systems, I have had to implement BMPs.

So, I have created a TicketEJB which is a BMP. If the user is not in the Admin role, the ejbFindByPrimaryKey has been implemented to select the id from the Tickets table where the client="logged in user" otherwise the where client="logged in user" isn't appended to the sql statement.

The caveat to all of this is that if someone pulls up a ticket, let say id=100 and client "XYZ", then another user from client "ABC" issues a request for id=100, the ejbFindByPrimaryKey is not executed again. Yet, it seems that a cached version of the Ticket (id=100) is returned to anyone requesting Ticket (id=100) irregardless of the user or client. This is a HUGE security breach. I can't go into production with this behaving this way.

I know that there is some way to accomplish the task at hand. It appears to me that the Ticket EJB instance is being cached within JBoss.

So:
1. Is there anyway that I can force JBoss to execute ejbFindByPrimaryKey every time a request is made for the TicketEJB?

2. Is there a better way for me to implement data-instance security around multiple clients?

I am scheduled to go into production in three days. Please help if anyone can.

Thanks.

1. Re: BMP - Very Interesting Situation

scoy Nov 15, 2002 12:26 AM (in response to jmejia424)

I'll answer this with a caveat: I haven't used BMP so I may be completely wrong here, but:

I would think that the "ejbFindByPrimaryKey" method must have consistent semantics; ie it is a special method that the container expects to return the same result always.

You should probably write an "ejbFindForUser" method and use that for your nefarious purposes.

Of course, there are better ways for you to implement security, but I doubt that you're going to get thru that in 3 days.

Steve
Actions
2. Re: BMP - Very Interesting Situation

vickyk Nov 15, 2002 3:27 AM (in response to jmejia424)

Hi,
Let me give you my solution as per my experience and knowledge ,In Jboss3 there will be the standardjboss.xml file where you have the entry as the following :

<container-configuration>
<container-name>Standard BMP EntityBean</container-name>
<call-logging>false</call-logging>
<container-invoker>org.jboss.proxy.ejb.ProxyFactory</container-invoker>
<container-interceptors>
org.jboss.ejb.plugins.LogInterceptor
org.jboss.ejb.plugins.SecurityInterceptor
org.jboss.ejb.plugins.TxInterceptorCMT
org.jboss.ejb.plugins.MetricsInterceptor
org.jboss.ejb.plugins.EntityCreationInterceptor
org.jboss.ejb.plugins.EntityLockInterceptor
org.jboss.ejb.plugins.EntityInstanceInterceptor org.jboss.resource.connectionmanager.CachedConnectionInterceptor
org.jboss.ejb.plugins.EntitySynchronizationInterceptor
</container-interceptors>
<client-interceptors>

org.jboss.proxy.ejb.HomeInterceptor
org.jboss.proxy.SecurityInterceptor
org.jboss.proxy.TransactionInterceptor
org.jboss.invocation.InvokerInterceptor

org.jboss.proxy.ejb.EntityInterceptor
org.jboss.proxy.SecurityInterceptor
org.jboss.proxy.TransactionInterceptor
org.jboss.invocation.InvokerInterceptor

<list-entity>
org.jboss.proxy.ejb.ListEntityInterceptor
org.jboss.proxy.SecurityInterceptor
org.jboss.proxy.TransactionInterceptor
org.jboss.invocation.InvokerInterceptor
</list-entity>
</client-interceptors>
<instance-pool>org.jboss.ejb.plugins.EntityInstancePool</instance-pool>
<instance-cache>org.jboss.ejb.plugins.EntityInstanceCache</instance-cache>
<persistence-manager>org.jboss.ejb.plugins.BMPPersistenceManager</persistence-manager>
<transaction-manager>org.jboss.tm.TxManager</transaction-manager>
<locking-policy>org.jboss.ejb.plugins.lock.QueuedPessimisticEJBLock</locking-policy>
<container-cache-conf>
<cache-policy>org.jboss.ejb.plugins.LRUEnterpriseContextCachePolicy</cache-policy>
<cache-policy-conf>
<min-capacity>50</min-capacity>
<max-capacity>1000000</max-capacity>
<overager-period>300</overager-period>
<max-bean-age>600</max-bean-age>
<resizer-period>400</resizer-period>
<max-cache-miss-period>60</max-cache-miss-period>
<min-cache-miss-period>1</min-cache-miss-period>
<cache-load-factor>0.75</cache-load-factor>
</cache-policy-conf>
</container-cache-conf>
<container-pool-conf>
100
</container-pool-conf>
<commit-option>A</commit-option>
</container-configuration>

In this you can see the Commit Option mentioned as A (default),which is just causing all the issues you have mentioned.If you see the page202 of the ejb2.1 specs you will get the details of the Commit Option types.If you still dont get I will explain.
Please change <commit-option>A</commit-option> to <commit-option>C or B</commit-option>.
I think this will solve your problem .
Please let me know about the results.
Regards
Vicky
Actions
3. Re: BMP - Very Interesting Situation

adrian.brock Nov 15, 2002 7:40 AM (in response to jmejia424)

Or you can implement a SecurityProxyInterceptor.

This will allow you to say yes or no to the invocation
before it even gets to the entity part of the container.

Regards,
Adrian
Actions

Go to original post