Websphere Shared Libraries and Java 2 Security - security

I have created a jar file to load a native library ( using System.loadlibrary() ) and configured this as a shared library within WebSphere ( v6.1 ). The server has to run with Java 2 enabled ( it's the law ... )
When I try to access the library I can see that the correct classes are being loaded from my jar file, but the attempt to load the native library gives me the following Security exception : -
Permission:
loadLibrary.gbif : Access denied (java.lang.RuntimePermission loadLibrary.gbif)
Code:
com.dave.nativelibrary.NativeLibraryLoader in {file:/hosting/apps/D03-dave-dev/lib/NativeLibraryLoader.jar}
Stack Trace:
java.security.AccessControlException: Access denied (java.lang.RuntimePermission loadLibrary.gbif)
at java.security.AccessController.checkPermission(AccessController.java:104)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:189)
at java.lang.SecurityManager.checkLink(SecurityManager.java:833)
at java.lang.ClassLoader.loadLibraryWithClassLoader(ClassLoader.java:917)
at java.lang.System.loadLibrary(System.java:453)
at com.dave.nativelibrary.NativeLibraryLoader.(NativeLibraryLoader.java:21)
--- snip ---
I'm not really sure what I'm doing - so I had a couple of attempts to put the following in to my was.policy file
permission java.lang.RuntimePermission "loadLibrary.gbif";
I tried this in both the application and jars section, but it had no beneficial effect.
Can anyone shed any light on what I need to do here?
Thanks
Dave

Instead of wrapping your native libs inside of a jar lib. Have you tried defining your native code as a shared native lib inside of websphere?

Related

Broadleaf - running locally - problem getting started the API project

I'm trying to run Heat Clinic 6.0.1 locally following getting started tutorial: https://www.broadleafcommerce.com/docs/core/current/getting-started/running-locally
I managed to run admin and site but not the API project. The application starts without problems but when I go to http://localhost:8082/api/v1/swagger-ui.html I get a 404. In the log I see this exception:
javax.servlet.ServletException: Circular view path [error]: would dispatch back to the current handler URL [/error] again. Check your ViewResolver setup! (Hint: This may be the result of an unspecified view, due to default view name generation.)
Also trying to log in directly in the API with user broadleafapi and password gives 404.
My environment: Windows 10, jdk 8, maven 3.6
What's wrong? Can you help me? Thank you
Thanks for the report. I reproduced this and it looks like that with the update to Spring Boot 2.0, we did not appropriately override the updated property that specifies the servlet location to embedded Tomcat. Thus, when you went to /api/v1/swagger-ui.html, the application treats it exactly like that URL which is what gave the 404.
Setting the server.servlet.contextPath=/api/v1 property appropriately stripped off this path as part of the servlet context and resolved the 404.
I tested around a bit and was able to 'Authorize' the app (button at the top right of the Swagger page) with the credentials information that get spit out in the logs:
Basic auth configured with user broadleafapi and password: <<generated>>
then I was able to hit the API endpoints.
The changes you will need to make locally in your project to consume the fix are at https://github.com/BroadleafCommerce/DemoSite/commit/422d1cdc37f847afd8bec0be477ab784cbad2e9d#diff-991c59b6dbb0f619b8570d8f8779eaddR11. You will notice that I moved the original definition in default.properties over to common.properties and I recommend that you do the same. To be clear, follow these steps:
Delete the server.servlet.contextPath entry in `api/src/main/resources/runtime-properties/default.properties
Change server.servletPath in api/src/main/resources/runtime-properties/common.properties to server.servlet.contextPath
Thanks for trying out Broadleaf and the report, sorry for the rough early start!

JavaLite ActiveWeb rootPackage

I'm developing a web application with ActiveWeb. I wanted to change the package from app.controller to be.coudron.graphplanner.controller
I created a file activewebproperties and placed it in src/main/resources
the contents of the file are:
freeMarkerConfig=be.coudron.graphplanner.config.FreeMarkerConfig
bootstrap=be.coudron.graphplanner.config.AppBootstrap
dbconfig=be.coudron.graphplanner.config.DbConfig
route_config=be.coudron.graphplanner.config.RouteConfig
controllerConfig=be.coudron.graphplanner.config.AppControllerConfig
rootPackage=be.coudron.graphplanner
When I start the app with mvn jetty:run
I get the error:
org.javalite.activeweb.ControllerException: controller must be
in the 'app.controllers' package
What am i doing wrong?
There are no typos in the code nor the package names.
the exception message is self-explanatory: "controller must be in the 'app.controllers' package"
The file activeweb.properties is part of the framework and not editable. With time, you will appreciate simplicity and consistency of the framework. It requires that controllers are placed into app.controllers package. Please, refer to http://javalite.io/structure_of_activeweb_project#location-of-controllers

Struts2 simple app throwing HTTP 404 Exception

I am running a "Hello World " struts 2 example.I have put all the required dependencies in the "/WEB-INF/lib" location. I have the following jars in my lib location :
commons.io_2.0.1.jar
commons-collections-3.2.1.jar
commons-fileupload-1.2.2.jar
commons-logging-1.1.1.jar
freemarker-2.3.16.jar
ognl-2.6.11.jar
struts2-core-2.2.3.jar
xwork-2.0.4.jar
Do I need any other jar file to run simple Struts2 app?
I am getting "HTTP Status 404 - requested resource is not available" exception when I am running my app.
Check the web.xml as well as the deployment descriptor created by Eclipse to know if it points to the correct JSP. i.e. if the jsp is under JSP folder, the welcome file should be /JSP/welcome.jsp
FYI: Filter dispatcher has been deprecated in struts2 i must suggest you to use
org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter
its always better to start with updated one
And try adding commons-lang3-3.x file. It might work.

Cannot query Active Directory using ServerBind on non-domain computer in Windows PE

I have a need to write a .NET application which will query Active Directory while running in Windows PE on a computer which is not yet a member of the domain.
We are running this during a Microsoft Deployment Toolkit task sequence (note that MDT 2012 has been configured to load support for .NET into the WinPE environment - the .NET application is starting without any problems).
I am using the code below to bind to the domain:
DirectoryEntry entry = new DirectoryEntry(
path,
username,
password,
AuthenticationTypes.ServerBind | AuthenticationTypes.Secure);
I have tried a path both of the form:
LDAP://domainServer/dc=domain,dc=name
And also without a domain controller name as
LDAP://dc=domain,dc=name
I have also tried using a username both of the form domain\username and also just username.
The DirectoryEntry object seems to be constructed okay, but when I try to execute Console.Writeline(entry.Name) to confirm a valid connection has been made, I get the following exception:
System.Runtime.InteropServices.COMException (0x80005000): Unknown
error (0x80005000) at
System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind() at
System.DirectoryServices.DirectoryEntry.get_Name()
I have tried other variations on this code, trying to execute LDAP queries with various filters, trying to rewrite it in VBScript, etc... but the code posted above is the simplest example I could come up with which reproduces the problem.
From what I have read, in a scenario like this you would always need to use AuthenticationTypes.ServerBind and that is why I am trying to specify the code within the ADSI LDAP path. But what is wrong with the code above? To me, it looks like it is passing all needed information in the parameters to the DirectoryEntry constructor.
There is a way to get it work, but it's not supported by Microsoft. This post helped me a lot. It works, tested and approved for a deployment of new computers :)
Get the ADSIxXX.inf from the zip file to C:\ADSI
Copy the following files from a Windows/System32 to C:\ADSI. Carefull of Architecture
x86 x64 -
adsldp.dll
adsmsext.dll
adsnt.dll
mscoree.dll
mscorier.dll
mscories.dll
Mount the bootimage.wim
No need to load Package (Your WinPE is already configured to load .NET API), juste add ADSI driver:
Dism /Image:C:\Mount /Add-Driver /Driver:C:\ADSI\ADSIxXX.inf /forceunsigned
No need to load his script
Unmount the bootimage.wim
Then it's done, if your .NET application is well implement ;)
I'm not sur the PIPE | is supported as an argument too, just set to AuthenticationTypes.Secure -
DirectoryEntry entry = new DirectoryEntry(
path,
username,
password,
AuthenticationTypes.ServerBind | AuthenticationTypes.Secure);
Link: http://www.deploymentresearch.com/Research/tabid/62/EntryId/74/ADSI-plugin-for-WinPE-4-0.aspx#AddComment

Policy Exception SharePoint

I have a web part and the dll is deployed to the bin of the web application.I have created a custom cas policy and deployed( wss_custom). Just for the sake of testing i have given Unrestricted access to whatever IPermission i knew (around 10). Most of the IPermissions i got is from the PermCalc.exe. Yet i get the following error generated by the web part:
System.Security.Policy.PolicyException
The problem is that i am not able to determine as to what permission is required to be given in the custom cas file.
Appreciate your suggestions.
Thanks
My general advice to find which CAS permissions you need are:
Give your dll SecurityPermission(ControlEvidence = true, ControlPolicy = true) (and of cause also Execution = true and what else you might need)
Catch the Exception and output Exception.ToString() not only Exception.Message
Then you should get a precise listing of the first Permission that failed, add that and try again.
Try to enable logging of .net assembly loader and see what happens with "fuslogvw.exe" tool (see http://msdn.microsoft.com/en-us/library/e74a18c4(VS.80).aspx for more details)

Resources