3154658 - Missing Authorization check in SAP NetWeaver Application Server for Applocking service
Following actions have been introduced:
Following roles have been introduced:
Following roles have been extended:
Following property has been added to Applocking service:
The property is offline modifiable (i.e. changing it requires an AS Java restart) and is added in the "Expert" view.
Default value for the property:
No roles are needed in the following cases:
When the calling user does not hold the required action, the call fails with the following exception:
[EXCEPTION]
java.lang.SecurityException: The user does not have permission: applocking, Action: logical_locking_create
at com.sap.engine.services.applocking.AppLockingAccessPermissionProvider.checkAccessPermission(AppLockingAccessPermissionProvider.java:20)
at com.sap.engine.services.applocking.LogicalLockingFactoryImpl.createLogicalLocking(LogicalLockingFactoryImpl.java:43)
at sun.reflect.GeneratedMethodAccessor498.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
Which methods are affected:
1. LogicalLockingFactory methods are protected. If you look up "/LogicalLockingFactory", you should adapt your application.
createLogicalLocking(...)
2. AppLockingRuntimeInterface methods are protected. If you look up "/applocking", you should adapt your application.
registerManagementListener(...)
getTimeStatisticsEntries()
enableTimeStatistics()
disableTimeStatistics()
resetTimeStatistics()
getLifetimeDescriptions()
getLifetimeDescriptionsAsProperties()
getTimeStatisticsEntriesAsProperties()
Define a new role or reuse the predefined one:
<BUSINESSSERVICE NAME="COMPONENT NAME">
<DESCRIPTION LOCALE="en" VALUE="COMPONENT_DESCRIPTION"/>
<ACTION NAME="logical_locking_create">
<DESCRIPTION LOCALE="en" VALUE="Allows calls to create logical locking, i.e. to call LogicalLockingFactoryImpl.createLogicalLocking(...)"/>
<PERMISSION CLASS="com.sap.engine.services.applocking.AppLockingAccessPermission" NAME="applocking" VALUE="logical_locking_create"/>
</ACTION>
<ROLE NAME="SOME_ROLE_NAME">
<ASSIGNEDACTION NAME="logical_locking_create"/>
</ROLE>
</BUSINESSSERVICE>
OR
Assign this role to an existing user:
import com.sap.security.api.IRole;
import com.sap.security.api.IRoleFactory;
import com.sap.security.api.IServiceUserFactory;
import com.sap.security.api.IUser;
import com.sap.security.api.NoSuchUserException;
import com.sap.security.api.UMException;
import com.sap.security.api.UMFactory;
import com.sap.security.api.UserAlreadyExistsException;

// Placeholders: the AS Java role that carries the logical_locking_create action
// and the service user that will execute the locking calls.
private static final String DESIRED_ROLE = "APP_LOCKING_CREATE";
private static final String DESIRED_USER_NAME = "LOCKING_SERVICE_USER";

private void createAssignUser() throws UMException {
    IServiceUserFactory userFactory = UMFactory.getServiceUserFactory();
    IRoleFactory rf = UMFactory.getRoleFactory();
    // Get the desired role
    IRole role = rf.getRoleByUniqueName(DESIRED_ROLE);
    String roleUniqueID = role.getUniqueID();
    // Try to get the user
    IUser user = null;
    try {
        user = userFactory.getServiceUser(DESIRED_USER_NAME);
        // Add user to DESIRED_ROLE role if it is still not in this role
        boolean isMember = user.isMemberOfRole(roleUniqueID, true);
        if (!isMember) {
            rf.addUserToRole(user.getUniqueID(), roleUniqueID);
        }
    } catch (NoSuchUserException noSuchUserExc) {
        // The user doesn't exist, create it
        try {
            userFactory.createServiceUser(DESIRED_USER_NAME);
            user = userFactory.getServiceUser(DESIRED_USER_NAME);
            // Add user to DESIRED_ROLE role without a check.
            // If the user is created on another server node and it is still not
            // granted DESIRED_ROLE role we ensure here we are not going to
            // use it before we grant it this role. Thus we do not need to have
            // special synchronization in cluster
            rf.addUserToRole(user.getUniqueID(), roleUniqueID);
        } catch (UserAlreadyExistsException uaex) {
            // Another node created the user first; just make sure the role is assigned
            user = userFactory.getServiceUser(DESIRED_USER_NAME);
            boolean isMember = user.isMemberOfRole(roleUniqueID, true);
            if (!isMember) {
                rf.addUserToRole(user.getUniqueID(), roleUniqueID);
            }
        }
    }
}
Use the new user:
Use the Subject.doAs() method to run the code as a user that has the desired role. Here is an example:
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import com.sap.security.api.IUser;
import com.sap.security.api.UMFactory;

// Or create a separate class
PrivilegedExceptionAction codeToBeExecutedWithGivenUser = new PrivilegedExceptionAction() {
    public Object run() throws Exception {
        // Code to be executed with given user and return result
        return null;
    }
};

IUser doAsUser = UMFactory.getUserFactory().getUserByLogonID("RUN_AS_USER");
// create new Subject
final Subject runAsSubject = new Subject();
runAsSubject.getPrincipals().add(doAsUser);
try {
    Object result = Subject.doAs(runAsSubject, codeToBeExecutedWithGivenUser);
} catch (PrivilegedActionException pae) {
    // Process, wrap and rethrow exception
}
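The following is an added example, not code from the SAP note, that puts the pieces above together for an application that looks up "/LogicalLockingFactory": it verifies that the service user actually holds the role before use, runs createLogicalLocking(...) under Subject.doAs(), unwraps the PrivilegedActionException, and treats the SecurityException raised by AppLockingAccessPermissionProvider as a configuration error rather than a lock conflict. The role name APP_LOCKING_CREATE, the service user name LOCKING_SERVICE_USER, and the assumed factory signature createLogicalLocking(String name, String description) throws TechnicalLockException are assumptions for this example.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import com.sap.engine.services.applocking.LogicalLocking;
import com.sap.engine.services.applocking.LogicalLockingFactory;
import com.sap.engine.services.applocking.TechnicalLockException;
import com.sap.security.api.IRole;
import com.sap.security.api.IUser;
import com.sap.security.api.UMException;
import com.sap.security.api.UMFactory;

// Added example: run the protected createLogicalLocking(...) call as a service
// user that holds the logical_locking_create action.
public final class LockingRunAs {
    // Placeholders (assumptions for this example): adjust to your landscape.
    private static final String SERVICE_USER = "LOCKING_SERVICE_USER";
    private static final String REQUIRED_ROLE = "APP_LOCKING_CREATE";

    private LockingRunAs() {}

    /** Builds a Subject for the service user, failing early if the role is not assigned. */
    static Subject subjectForServiceUser() throws UMException {
        IUser user = UMFactory.getServiceUserFactory().getServiceUser(SERVICE_USER);
        IRole role = UMFactory.getRoleFactory().getRoleByUniqueName(REQUIRED_ROLE);
        // Check membership (recursively, through nested groups/roles) before we rely on it,
        // so a misconfigured user is reported here instead of deep inside the lock call.
        if (!user.isMemberOfRole(role.getUniqueID(), true)) {
            throw new IllegalStateException("Service user " + SERVICE_USER
                + " is not a member of role " + REQUIRED_ROLE);
        }
        Subject subject = new Subject();
        subject.getPrincipals().add(user); // UME IUser is a java.security.Principal
        return subject;
    }

    /** Looks up the factory and creates the logical locking object under the service user. */
    static LogicalLocking createLock(final String name, final String description)
            throws UMException, NamingException, TechnicalLockException {
        // Assumed signature: createLogicalLocking(String name, String description)
        final LogicalLockingFactory factory =
            (LogicalLockingFactory) new InitialContext().lookup("/LogicalLockingFactory");
        try {
            return Subject.doAs(subjectForServiceUser(),
                new PrivilegedExceptionAction<LogicalLocking>() {
                    public LogicalLocking run() throws TechnicalLockException {
                        return factory.createLogicalLocking(name, description);
                    }
                });
        } catch (PrivilegedActionException pae) {
            // doAs wraps only checked exceptions; unwrap the one the factory declares
            Throwable cause = pae.getException();
            if (cause instanceof TechnicalLockException) {
                throw (TechnicalLockException) cause;
            }
            throw new IllegalStateException("Unexpected failure creating logical locking", cause);
        } catch (SecurityException se) {
            // Thrown by AppLockingAccessPermissionProvider.checkAccessPermission when the
            // run-as user lacks logical_locking_create: fix the role assignment, do not retry.
            throw new IllegalStateException(
                "Run-as user lacks applocking action logical_locking_create", se);
        }
    }
}
```

Call createLock("MyApp.Locks", "Locks for MyApp") from the application code that previously invoked the factory directly; the SecurityException is unchecked, so it is deliberately caught separately from the PrivilegedActionException that Subject.doAs() uses only for checked exceptions.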
ejb-jar.xml:
<ejb-jar>
<assembly-descriptor>
<security-role>
<role-name>SOME_ROLE_NAME</role-name>
</security-role>
</assembly-descriptor>
......
<enterprise-beans>
<message-driven>
....
<security-identity>
<run-as>
<role-name>SOME_ROLE_NAME</role-name>
</run-as>
</security-identity>
</message-driven>
</enterprise-beans>
</ejb-jar>
ejb-j2ee-engine.xml:
<security-permission>
<security-role-map>
<role-name>SOME_ROLE_NAME</role-name>
<server-role-name>APP_LOCKING_CREATE</server-role-name>
</security-role-map>
</security-permission>
Or, using annotations on the bean class instead of the deployment descriptor:
@DeclareRoles({"SOME_ROLE_NAME"})
@RunAs("SOME_ROLE_NAME")
web.xml:
<web-app>
<servlet>
<servlet-name>...</servlet-name>
...
<run-as>
<role-name>MyServletRole</role-name>
</run-as>
</servlet>
<security-role>
<role-name>MyServletRole</role-name>
</security-role>
</web-app>
web-j2ee-engine.xml:
<web-j2ee-engine>
<security-role-map>
<role-name>MyServletRole</role-name>
<server-role-name>MyASJavaRole</server-role-name>
</security-role-map>
</web-j2ee-engine>