10 Replies Latest reply on May 29, 2013 2:06 AM by Nicklas Karlsson

    Modifying a session bean program from an other java class

    Meriem L. AARIZOU Newbie

      Hi everyone!

      I created a java class "Hotspot.java" which insert methods and instructions into a session bean (3.x) program.

      The idea is that the class Hotspot opens the session bean class (UtilisateurBean.java= User Bean in french, which is containing in an EJB project that I named Users and in the package "com.application.metier") as a simple file in reader mode, checks for a given position and inserts an instruction on that position. Every thing is fine, until I restart JBoss Server, I have this Exception:

       

      JBAS014775:    New missing/unsatisfied dependencies: service jboss.naming.context.java.comp.Users.Users.UtilisateurBean (missing) dependents: [service jboss.naming.context.java.comp.Users.Users.UtilisateurBean.Validator, service jboss.naming.context.java.comp.Users.Users.UtilisateurBean.ValidatorFactory]

      JBAS014777:   Services which failed to start:      service jboss.deployment.unit."Users.jar".INSTALL: org.jboss.msc.service.StartException in service jboss.deployment.unit."Users.jar".INSTALL: Failed to process phase INSTALL of deployment "Users.jar"

       

      11:30:19,839 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) {"JBAS014653: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-2" => {"JBAS014671: Failed services" => {"jboss.deployment.unit.\"Users.jar\".INSTALL" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"Users.jar\".INSTALL: Failed to process phase INSTALL of deployment \"Users.jar\""},"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.naming.context.java.comp.Users.Users.UtilisateurBean.ValidatorFactoryjboss.naming.context.java.comp.Users.Users.Utilisateur

      BeanMissing[jboss.naming.context.java.comp.Users.Users.UtilisateurBean.ValidatorFactoryjboss.naming.context.java.comp.Users.Users.

      UtilisateurBean]","jboss.naming.context.java.comp.Users.Users.UtilisateurBean.Validatorjboss.naming.context.java.comp.Users.Users.

      UtilisateurBeanMissing[jboss.naming.context.java.comp.Users.Users.UtilisateurBean.Validatorjboss.naming.context.java.comp.Users.

      Users.UtilisateurBean]"]}}}

       

      I suppose that the modification of a session bean program involvs other modifications of project properties or something ??

      I don't know... I'm lost

      Any help please!

      Thank you very much

      PS: I use JBoss 7.1 server, and Eclipse EE Juno

        • 1. Re: Modifying a session bean program from an other java class
          Nicklas Karlsson Master

          What do you mean by " insert methods and instructions into a session bean (3.x) program."? Bytecode manipulation? How are you doing it, it sounds suspicious, what are you even trying to accomplish with it? There are proxies involved in EJBs so it's even more complicated...

          • 2. Re: Modifying a session bean program from an other java class
            Meriem L. AARIZOU Newbie

            No, not a bytecode manipulation at all. To be honest, I would like to insert bytcode in a class file, but it sounds very difficult to me. Actually, I'm working on XPath Injection Attacks in a web application, my thechnique is analysing the request before the interaction with the XML file. ie, before the call method:

            javax.xml.xpath.XPathFactory.newInstance().newXPath().evaluate(String expression, InputSource source, QName returnType);

            So for any given java program containing the evaluate method, I open the source code file (RandomAccessFile file=new RandomAccessFile(fileName,"rw");), insert a method declaration:

            @javax.interceptor.Interceptors (com.application.interceptor.Intercepteur.class)

            public Object connexionXML(String staticRequest, String param1, Object param2, javax.xml.namespace.QName param3)

                 {

                  Object objet=null;

                 try {

                      objet= XPathFactory.newInstance().newXPath().evaluate(param1, param2, param3);

                 } catch(Exception e){

                                e.printStackTrace();

                      }

                  return objet;

                 }

            and replace:

            XPathFactory.newInstance().newXPath().evaluate(expression, new InputSource("banque.xml"), XPathConstants.NODESET);

            by:

            connexionXML(key, expression,  new InputSource("banque.xml"),  XPathConstants.NODESET);

            So befor executing the method connexionXML an interceptor analyses the expression. If the exprssion is valid the method body can be executed otherwise it is blocked.

            This technique is working very well on every java web application source code that I have. But in some cases, the java source code is a session bean, and the web application is an EJB, and it causes to me the exceptions cited above.

            I've tryed to explain the best way I could. And I'm sorry for my english, I'm better in french than english, even that I'm neither French nor British.

            Thank you very much for the quick answer.

            Have a nice a day

            • 3. Re: Modifying a session bean program from an other java class
              Nicklas Karlsson Master

              So you have people that can deploy stuff to your server but at some stage (in the build process?) you filter the code? Or am I missing something here?

              • 4. Re: Modifying a session bean program from an other java class
                Meriem L. AARIZOU Newbie

                I'm trying to create a module that can be used to secure any web application deployed by anyone who wants to secure his web application against XPath Injection Attacks. In other words, Mr. X has deployed a web application on HIS server, he needs to secure it. He includes my application in his and has as a result a secured code against XPath Injection Attacks.

                • 5. Re: Modifying a session bean program from an other java class
                  Nicklas Karlsson Master

                  A module and not a jar? At which point do you manipulate the java code? And what if the uses initializes the xpath in a different way? I'm still a bit confused about the application.

                  • 6. Re: Modifying a session bean program from an other java class
                    Meriem L. AARIZOU Newbie

                    I mean a jar by saying module, I didn't know that there is diffrences... by bad... Sorry!

                    I suppose that is realisable for any xpath initialization. I replace each evaluate call by a call of my method connexionXML which contains evaluate and is preceded by an interceptor annotation. I called this step identifying HOTSPOTS.

                    I realise an application that can build models of requests at compiling time and analyse the dynamic requests using the models at runtime

                    There is two ways to use my jar:

                    1. deploying a web application, creating models and including interceptor annotations manually. In my application the interceptor checks the validity of the request. In this case we omit the step of identifying hotspots. (Deploy a secured web application directly).
                    2. or securing an existing web application, of a company or some thing.We don't have to rewrite the code, just identifying hotspot, inserting interceptor annotations and creating the models automatically.
                    • 7. Re: Modifying a session bean program from an other java class
                      Meriem L. AARIZOU Newbie

                      Ok... I noticed something. I've tryed to modify the session bean manually without using the hotspot detecting class. Jboss server stops deploying the EJB when I insert the annotation @Interceptors(com.application.interceptor.Interceptor.class and when I removed and re-deploy the EJB on the server it works. I'm confused... I don't understand...

                      Look I know that I'm unable to explain my approach, and you're not convinced about it. But you seem a pro. Please help me

                      • 8. Re: Modifying a session bean program from an other java class
                        Nicklas Karlsson Master

                        I'm no pro, I'm still too confused on what you are trying to achieve to make a comment

                         

                        I understand that you want to provide a library (+perhaps CDI interceptor bindings) people can use to avoid the problem. I'm still not getting the part at which point is your manipulation done? Since you say you're not doing bytecode manipulation, it must be build/pre-build right? I'm not sure it's a good idea to automatically edit other people code based on some vague idea at what looks like vulnerabilities. I could understand if you hook in interceptors at deploy time but since there vulnerabilities happen mid-code, I don't get it how it could work. Or perhaps I'm still misunderstanding...

                        • 9. Re: Modifying a session bean program from an other java class
                          Meriem L. AARIZOU Newbie

                          Hi everyone.

                          I finally could solv the problem, with the help of my teacher actually .

                          The problem was neither from the modification of the bean nor the insertion of the annotation, but I was invoking some methods an instaciating objects from an other service without a lookup. In other words I "linked" two services with a simple "ClassInService1 obj=new ClassInService1()" in the service2. Silly isn't it?

                          I've put the answer just in case someone has the same probleme than me.

                          Thank you. See you

                          • 10. Re: Modifying a session bean program from an other java class
                            Nicklas Karlsson Master

                            two services with a simple "ClassInService1 obj=new ClassInService1()" in the service2. Silly isn't it?

                             

                            Yes.

                             

                            And I still didn't get how this could work on a conceptual level ;-)