Posted to dev@stanbol.apache.org by Rupert Westenthaler <ru...@gmail.com> on 2012/12/24 13:56:35 UTC

Security Related Issues (was: Security related problem with stanbol-trunk-1.6 build 1181 (and 1179)?)

Hi all,

While using the Stanbol Full Launcher I see more and more security
related issues. To reduce the hurdles for users affected by this I am
writing this mail:

(1) Deactivating Security:

To deactivate Security, pass the "-no-security" option when starting Stanbol:

    java -Xmx1024m -XX:MaxPermSize=256M -server -jar org.apache.stanbol.launchers.full*.jar -no-security

(2) Detecting/Reporting security related issues:

You will need to dig into the Stanbol log file
({working-dir}/stanbol/logs/error.log) and look for exceptions with
"java.security" (typically "java.security.AccessControlException").

Then look at the stack trace and search for the affected Stanbol components.

Here is an example:

java.security.AccessControlException: access denied (java.io.FilePermission {file} read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
at java.security.AccessController.checkPermission(AccessController.java:549)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
at java.io.File.exists(File.java:731)
at org.apache.stanbol.commons.stanboltools.datafileprovider.impl.MainDataFileProvider.getDataFile(MainDataFileProvider.java:274)
at org.apache.stanbol.commons.stanboltools.datafileprovider.impl.MainDataFileProvider.getInputStream(MainDataFileProvider.java:156)
at org.apache.stanbol.commons.opennlp.OpenNLP.lookupModelStream(OpenNLP.java:541)
at org.apache.stanbol.commons.opennlp.OpenNLP.initModel(OpenNLP.java:478)
[..]

Here the MainDataFileProvider
(org.apache.stanbol.commons.stanboltools.datafileprovider.impl.MainDataFileProvider)
is missing read permissions for the {file} noted in the Stanbol
datafiles folder.

If you find things like that please open a JIRA issue like I have
created STANBOL-864 [1] for the above example. Feel free to also give
a short note on the dev@stanbol.apache.org list (e.g. as a reply to
this mail).

(3) Building Security Aware Components for Apache Stanbol

If you encounter problems like those described under (2) in your own Stanbol
extensions you will need to execute the affected code within
AccessController.doPrivileged(..) blocks. An example of this is
already available on the Stanbol homepage [2].


Best
Rupert


[1] https://issues.apache.org/jira/browse/STANBOL-864
[2] http://stanbol.apache.org/development/security.html



On Sun, Dec 23, 2012 at 8:17 AM, Rupert Westenthaler
<ru...@gmail.com> wrote:
> Hi Reto
>
> With revision 1425426 [1] I changed the SolrYard to use
> AccessController.doPrivileged(..) on every request to the SolrServer.
> As expected this has solved the problems (see also STANBOL-863 [2]).
>
> However the build will still be unstable as the Issue with the
> org.apache.stanbol.enhancer.it.BenchmarkTest.testBenchmark(..) still
> persists.
>
> best
> Rupert
>
> [1] http://svn.apache.org/viewvc?rev=1425426&view=rev
> [2] https://issues.apache.org/jira/browse/STANBOL-863
>
> On Sat, Dec 22, 2012 at 3:44 PM, Reto Bachmann-Gmür <re...@apache.org> wrote:
>> Hi Rupert
>>
>> thanks for checking.
>>
>> In this case the solution is to access the files in a privileged code
>> block. Possibly checking for a specific EntityHub-Read permission first.
>> See http://stanbol.apache.org/development/security.html for an example.
>>
>> Cheers,
>> reto
>>
>> On Sat, Dec 22, 2012 at 11:56 AM, Rupert Westenthaler <
>> rupert.westenthaler@gmail.com> wrote:
>>
>>> I looked into the EntityhubTests problem
>>>
>>> The problem occurs when storing the first Entity at:
>>>
>>> Caused by: org.apache.stanbol.entityhub.servicesapi.yard.YardException:
>>> Exception while adding Document to Solr
>>>     at org.apache.stanbol.entityhub.yard.solr.impl.SolrYard.store(SolrYard.java:1170)
>>>
>>>
>>> The root cause is that the SolrCore does not have File read
>>> permissions in the instanceDir
>>>
>>> Caused by: java.security.AccessControlException: access denied
>>> (java.io.FilePermission {stanbol-working-dir}/stanbol/indexes/default/entityhub-2012.12.22/data/index.properties read)
>>>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
>>>     [..]
>>>     at java.io.File.exists(File.java:731)
>>>     at org.apache.solr.core.SolrCore.getNewIndexDir(SolrCore.java:197)
>>>
>>>
>>> The problem here is that it is not really possible to apply explicit
>>> read/write permissions to the Solr instanceDir at SolrYard.store(..)
>>> because this component does not know the directory. The SolrYard can
>>> also be configured to use a remote SolrServer (via the RESTful
>>> interface).
>>>
>>> Any Idea how to deal with this?
>>> Rupert
>>>
>>> On Fri, Dec 21, 2012 at 8:09 PM, Reto Bachmann-Gmür <re...@apache.org>
>>> wrote:
>>> > Regarding the first problem: The requested permission is an
>>> > org.osgi.framework.AdminPermission for the action "context".
>>> >
>>> > Now there are 3 options:
>>> > - Give the user anonymous this permission
>>> > - Execute this code block as privileged
>>> > - perform the request as admin
>>> >
>>> > For now I've just added the admin/admin authentication to
>>> StanbolTestBase.
>>> >
>>> > Now I see the following errors:
>>> >
>>> > BenchmarkTest
>>> >
>>> > Unable to find resource '/velocity/benchmark-results.html'
>>> > Caused by: org.apache.velocity.exception.ResourceNotFoundException:
>>> > Unable to find resource '/velocity/benchmark-results.html'
>>> >     at org.apache.velocity.runtime.resource.ResourceManagerImpl.loadResource(ResourceManagerImpl.java:474)
>>> >     at org.apache.velocity.runtime.resource.ResourceManagerImpl.getResource(ResourceManagerImpl.java:352)
>>> >     at org.apache.velocity.runtime.RuntimeInstance.getTemplate(RuntimeInstance.java:1533)
>>> >     at org.apache.velocity.runtime.RuntimeInstance.getTemplate(RuntimeInstance.java:1514)
>>> >     at org.apache.velocity.app.VelocityEngine.getTemplate(VelocityEngine.java:373)
>>> >     at org.apache.stanbol.enhancer.benchmark.impl.BenchmarkServlet.doPost(BenchmarkServlet.java:217)
>>> >
>>> > There's also a problem in org.apache.stanbol.enhancer.it.MultiThreadedTest
>>> > of unclear reason and multiple response codes are not matched in
>>> > EntityhubTests. I couldn't find out what exactly is causing these
>>> > problems.
>>> >
>>> > Any idea?
>>> >
>>> > Cheers,
>>> > Reto
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > On Fri, Dec 21, 2012 at 3:28 PM, Rupert Westenthaler <
>>> > rupert.westenthaler@gmail.com> wrote:
>>> >
>>> >> Maybe it helps. the ServiceTracker that encounters the
>>> >> "java.security.AccessControlException: access denied" is also tracking
>>> >> Services of other Classloaders (meaning that open(true) is called)
>>> >> Maybe tracking Services with other classloaders requires an additional
>>> >> permission.
>>> >>
>>> >> best
>>> >> Rupert
>>> >>
>>> >> On Fri, Dec 21, 2012 at 3:13 PM, Reto Bachmann-Gmür <re...@apache.org>
>>> >> wrote:
>>> >> > Off the top of my head: Bundle.getResource returns null when the user
>>> >> > doesn't have the required permission and is thus indistinguishable from
>>> >> > when the resource is missing. Maybe we need to give more permissions to the
>>> >> > anonymous user.
>>> >> >
>>> >> > Sorry, I have to run, my son and my dog are waiting to get out.
>>> >> >
>>> >> > Cheers,
>>> >> > Reto
>>> >> >
>>> >> > On Fri, Dec 21, 2012 at 2:37 PM, Rupert Westenthaler <
>>> >> > rupert.westenthaler@gmail.com> wrote:
>>> >> >
>>> >> >> There is also another exception related to the contenthub
>>> >> >>
>>> >> >> 21.12.2012 12:37:24.260 *WARN* [22953412@qtp-5311938-0]
>>> >> >> org.apache.felix.http.jetty / (java.lang.RuntimeException:
>>> >> >> freemarker.template.TemplateException: Error reading included file
>>> >> >> imports/contenthubDescription.ftl) java.lang.RuntimeException:
>>> >> >> freemarker.template.TemplateException: Error reading included file
>>> >> >> imports/contenthubDescription.ftl
>>> >> >> at org.apache.stanbol.commons.ldpathtemplate.LdRenderer.renderPojo(LdRenderer.java:176)
>>> >> >> at org.apache.stanbol.commons.viewable.mbw.ViewableWriter.writeTo(ViewableWriter.java:66)
>>> >> >> at org.apache.stanbol.commons.viewable.mbw.ViewableWriter.writeTo(ViewableWriter.java:38)
>>> >> >> at com.sun.jersey.spi.container.ContainerResponse.write(ContainerResponse.java:306)
>>> >> >> [..]
>>> >> >> Caused by: freemarker.template.TemplateException: Error reading
>>> >> >> included file imports/contenthubDescription.ftl
>>> >> >> at freemarker.core.Include.accept(Include.java:167)
>>> >> >> [..]
>>> >> >> Caused by: java.io.FileNotFoundException: Template
>>> >> >> imports/contenthubDescription.ftl not found.
>>> >> >> at freemarker.template.Configuration.getTemplate(Configuration.java:580)
>>> >> >> at freemarker.core.Environment.getTemplateForInclusion(Environment.java:1490)
>>> >> >>
>>> >> >> but other than that things look fine
>>> >> >>
>>> >> >> The full log is available from
>>> >> >> https://builds.apache.org/job/stanbol-trunk-1.6/ws/trunk/integration-tests/target/launchdir/stanbol/logs/
>>> >> >> until the next build
>>> >> >>
>>> >> >> best
>>> >> >> Rupert
>>> >> >>
>>> >> >> On Fri, Dec 21, 2012 at 2:19 PM, Rupert Westenthaler
>>> >> >> <ru...@gmail.com> wrote:
>>> >> >> > Hi all,
>>> >> >> >
>>> >> >> > In the currently running Jenkins build the integration tests hang
>>> >> >> > because the contenthub is unable to start. When looking at the logging
>>> >> >> > I see
>>> >> >> >
>>> >> >> > 21.12.2012 13:11:48.835 *DEBUG* [4832582@qtp-5311938-35]
>>> >> >> > freemarker.cache Compiling FreeMarker template
>>> >> >> > "imports/common.ftl"["en_US",utf-8,parsed]  from
>>> >> >> > "bundle://76.0:1/templates/imports/common.ftl"
>>> >> >> > 21.12.2012 13:11:48.839 *DEBUG* [4832582@qtp-5311938-35]
>>> >> >> > org.apache.stanbol.commons.security.auth.AuthenticatingFilter
>>> >> >> > filtering request
>>> >> >> > 21.12.2012 13:11:48.840 *DEBUG* [4832582@qtp-5311938-35]
>>> >> >> > org.apache.stanbol.commons.security.auth.AuthenticatingFilter
>>> >> >> > filtering request
>>> >> >> > 21.12.2012 13:11:48.841 *INFO* [4832582@qtp-5311938-35]
>>> >> >> > org.apache.stanbol.commons.solr.RegisteredSolrServerTracker  ... in
>>> >> >> > addingService for IndexReference[server:default,index:contenthub]
>>> >> >> > (ref: [org.apache.solr.core.SolrCore])
>>> >> >> > 21.12.2012 13:11:48.842 *DEBUG* [4832582@qtp-5311938-35]
>>> >> >> > org.apache.stanbol.commons.security.auth.AuthenticatingFilter
>>> >> >> > SecurityException: {} java.security.AccessControlException: access
>>> >> >> > denied (org.osgi.framework.AdminPermission (id=155) context)
>>> >> >> > at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
>>> >> >> > at java.security.AccessController.checkPermission(AccessController.java:546)
>>> >> >> > at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>> >> >> > at org.apache.felix.framework.BundleImpl.getBundleContext(BundleImpl.java:206)
>>> >> >> > at org.apache.felix.framework.util.EventDispatcher.wrapListener(EventDispatcher.java:578)
>>> >> >> > at org.apache.felix.framework.util.EventDispatcher.removeListener(EventDispatcher.java:347)
>>> >> >> > at org.apache.felix.framework.Felix.removeServiceListener(Felix.java:2768)
>>> >> >> > at org.apache.felix.framework.BundleContextImpl.removeServiceListener(BundleContextImpl.java:209)
>>> >> >> > at org.osgi.util.tracker.ServiceTracker.close(ServiceTracker.java:391)
>>> >> >> > at org.apache.stanbol.contenthub.store.solr.manager.SolrCoreManager.getSolrServerFromTracker(SolrCoreManager.java:137)
>>> >> >> > at org.apache.stanbol.contenthub.store.solr.manager.SolrCoreManager.getServer(SolrCoreManager.java:169)
>>> >> >> > at org.apache.stanbol.contenthub.search.solr.SolrSearchImpl.search(SolrSearchImpl.java:108)
>>> >> >> > at org.apache.stanbol.contenthub.web.resources.StoreResource.getView(StoreResource.java:698)
>>> >> >> > at sun.reflect.GeneratedMethodAccessor69.invoke(Unknown Source)
>>> >> >> >
>>> >> >> > Before looking into that in more details I would like to ask if
>>> >> >> > someone has an Idea why this could happen.
>>> >> >> >
>>> >> >> > best
>>> >> >> > Rupert
>>> >> >> >
>>> >> >> > --
>>> >> >> > | Rupert Westenthaler             rupert.westenthaler@gmail.com
>>> >> >> > | Bodenlehenstraße 11                             ++43-699-11108907
>>> >> >> > | A-5500 Bischofshofen
>>> >> >>
>>> >> >>
>>> >>
>>> >>
>>>
>>>
>



--
| Rupert Westenthaler             rupert.westenthaler@gmail.com
| Bodenlehenstraße 11                             ++43-699-11108907
| A-5500 Bischofshofen
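Section (2) of Rupert's mail at the top of this thread describes the manual triage: grep error.log for "java.security", then read each stack trace for the Stanbol component that triggered it. The Java program below is an added example (not part of the mail and not Stanbol code) that does that triage over log text: it extracts every AccessControlException, records the denied permission, and names the first org.apache.stanbol frame beneath it, which is the innermost Stanbol caller and the right component to name in a JIRA issue. The embedded sample log is constructed, modelled on the two traces quoted in the thread; its timestamps, thread names and file paths are placeholders. The entry-boundary regex assumes the "dd.MM.yyyy HH:mm:ss.SSS *LEVEL*" line format visible in the quoted log lines.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Triage helper for the procedure in section (2): pull every
 * java.security.AccessControlException out of a Stanbol error.log, record the
 * denied permission and the first org.apache.stanbol frame on its stack, and
 * print one line per finding that can go straight into a JIRA issue.
 */
public class AccessDeniedTriage {

    /** "access denied (<permission> <target> <actions>)"; the clause may be wrapped across lines. */
    private static final Pattern DENIED = Pattern.compile(
            "java\\.security\\.AccessControlException: access denied\\s*\\(([^)]*)\\)");
    /** A stack frame inside Stanbol code: "at org.apache.stanbol.<Class>.<method>(<File.java:line>)". */
    private static final Pattern FRAME = Pattern.compile(
            "^\\s*at (org\\.apache\\.stanbol\\.[\\w$.]+)\\(([^)]*)\\)", Pattern.MULTILINE);
    /** Start of the next log entry (assumed Stanbol launcher format: "21.12.2012 12:37:24.260 *WARN*"). */
    private static final Pattern ENTRY = Pattern.compile(
            "^\\d{2}\\.\\d{2}\\.\\d{4} \\d{2}:\\d{2}:\\d{2}\\.\\d{3} \\*[A-Z]+\\*", Pattern.MULTILINE);

    public static final class Finding {
        public final String permission;  // e.g. "java.io.FilePermission /opt/stanbol/datafiles/en-token.bin read"
        public final String component;   // first Stanbol frame below the exception, or null if there is none
        public final String location;    // e.g. "MainDataFileProvider.java:274", or null

        Finding(String permission, String component, String location) {
            this.permission = permission; this.component = component; this.location = location;
        }

        @Override public String toString() {
            if (component == null) {
                return permission + " -> no org.apache.stanbol frame below this exception;"
                        + " read the enclosing exception's trace above it";
            }
            return permission + " -> " + component + " (" + location + ")";
        }
    }

    public static List<Finding> scan(String log) {
        List<Finding> findings = new ArrayList<>();
        Matcher m = DENIED.matcher(log);
        while (m.find()) {
            // Collapse the line wrapping that log viewers and mail clients introduce.
            String permission = m.group(1).replaceAll("\\s+", " ").trim();
            // Only frames up to the next log entry belong to this exception.
            Matcher next = ENTRY.matcher(log);
            int regionEnd = next.find(m.end()) ? next.start() : log.length();
            Matcher frame = FRAME.matcher(log).region(m.end(), regionEnd);
            if (frame.find()) {
                findings.add(new Finding(permission, frame.group(1), frame.group(2)));
            } else {
                findings.add(new Finding(permission, null, null));
            }
        }
        return findings;
    }

    /** Constructed sample modelled on the two traces quoted in the thread; paths and timestamps are placeholders. */
    static final String SAMPLE_LOG =
            "24.12.2012 12:01:07.113 *ERROR* [qtp-1] org.apache.stanbol.commons.opennlp.OpenNLP Unable to load model\n"
            + "java.security.AccessControlException: access denied (java.io.FilePermission\n"
            + " /opt/stanbol/datafiles/en-token.bin read)\n"
            + "\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)\n"
            + "\tat java.lang.SecurityManager.checkRead(SecurityManager.java:871)\n"
            + "\tat java.io.File.exists(File.java:731)\n"
            + "\tat org.apache.stanbol.commons.stanboltools.datafileprovider.impl.MainDataFileProvider.getDataFile(MainDataFileProvider.java:274)\n"
            + "\tat org.apache.stanbol.commons.opennlp.OpenNLP.lookupModelStream(OpenNLP.java:541)\n"
            + "24.12.2012 12:01:09.420 *ERROR* [qtp-2] org.apache.stanbol.entityhub.yard.solr.impl.SolrYard store failed\n"
            + "org.apache.stanbol.entityhub.servicesapi.yard.YardException: Exception while adding Document to Solr\n"
            + "\tat org.apache.stanbol.entityhub.yard.solr.impl.SolrYard.store(SolrYard.java:1170)\n"
            + "Caused by: java.security.AccessControlException: access denied (java.io.FilePermission"
            + " /opt/stanbol/indexes/default/entityhub/data/index.properties read)\n"
            + "\tat java.io.File.exists(File.java:731)\n"
            + "\tat org.apache.solr.core.SolrCore.getNewIndexDir(SolrCore.java:197)\n"
            + "\t... 12 more\n";

    public static void main(String[] args) throws IOException {
        // Pass the path of a real {working-dir}/stanbol/logs/error.log as the first argument, else the sample is used.
        String log = args.length > 0
                ? new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.UTF_8)
                : SAMPLE_LOG;
        for (Finding f : scan(log)) {
            System.out.println(f);
        }
    }
}
```

The second sample entry shows the case from the thread where the denial surfaces as a "Caused by" under a Stanbol exception: the frames below the AccessControlException are Solr's, so the finding reports that the Stanbol component must be read off the enclosing trace (SolrYard.store in that entry) rather than guessed.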
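Section (3) of the mail says that affected code in your own components has to run inside AccessController.doPrivileged(..) blocks, and Reto suggests in the thread checking a component-specific permission first. The following self-contained Java program is an added example, not Stanbol's code and not the example from the Stanbol homepage. It places a naive file read next to one wrapped in doPrivileged, preceded by a check for a narrow component permission, and simulates a caller with a restricted protection domain so that the difference can be observed in a single JVM. The class and permission names (PrivilegedDataFileProvider, DataFileReadPermission), the restrictedCaller helper and the all-permissive Policy are assumptions made for the demonstration.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;

/**
 * Pattern from section (3): the component that owns the data directory does the
 * actual file read inside AccessController.doPrivileged(..), so the permissions of
 * less trusted callers further up the stack (e.g. an anonymous user's request thread)
 * are not consulted for that read. It first checks a narrow, component-specific
 * permission, so the privileged block does not become a general file-read service.
 */
public class PrivilegedDataFileProvider {

    /** Hypothetical component permission; the name is an assumption, not a Stanbol permission. */
    public static final class DataFileReadPermission extends BasicPermission {
        public DataFileReadPermission(String name) { super(name); }
    }

    private final File dataDir;
    public PrivilegedDataFileProvider(File dataDir) { this.dataDir = dataDir; }

    /** Naive version: every protection domain on the caller's stack must hold the FilePermission. */
    public InputStream getInputStreamUnprivileged(String name) throws IOException {
        return new FileInputStream(new File(dataDir, name));
    }

    /** Hardened version: enforce our own permission against the full stack, then escalate only for the read. */
    public InputStream getInputStream(String name) throws IOException {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new DataFileReadPermission(name));
        }
        final File file = new File(dataDir, name);   // constructing a File is not permission-checked
        try {
            // From this frame down only this component's own protection domain is inspected.
            return AccessController.doPrivileged(
                    (PrivilegedExceptionAction<InputStream>) () -> new FileInputStream(file));
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();   // unwrap the checked exception thrown by run()
        }
    }

    /** Simulates a caller whose domain holds only the given permission (static domain: Policy is not consulted). */
    static AccessControlContext restrictedCaller(Permission granted) {
        Permissions perms = new Permissions();
        if (granted != null) perms.add(granted);
        ProtectionDomain domain = new ProtectionDomain(
                new CodeSource(null, (java.security.cert.Certificate[]) null), perms);
        return new AccessControlContext(new ProtectionDomain[] { domain });
    }

    /** Runs one read with the restricted caller's context on the stack and reports the outcome. */
    static String attempt(PrivilegedDataFileProvider p, String name, boolean hardened,
                          AccessControlContext caller) {
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<String>) () -> {
                try (InputStream in = hardened ? p.getInputStream(name) : p.getInputStreamUnprivileged(name)) {
                    return "ok, first byte " + in.read();
                }
            }, caller);
        } catch (PrivilegedActionException e) {
            return "IOException: " + e.getException().getMessage();
        } catch (AccessControlException e) {
            return "AccessControlException: " + e.getPermission();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: a temporary data directory holding one model file.
        File dir = Files.createTempDirectory("stanbol-datafiles").toFile();
        File model = new File(dir, "en-token.bin");
        Files.write(model.toPath(), "constructed sample model".getBytes("UTF-8"));
        model.deleteOnExit(); dir.deleteOnExit();

        // Grant everything to our own code source; the simulated callers are limited by their own domains.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission perm) { return true; }
        });
        System.setSecurityManager(new SecurityManager());   // Java 17+: run with -Djava.security.manager=allow

        PrivilegedDataFileProvider provider = new PrivilegedDataFileProvider(dir);
        AccessControlContext user = restrictedCaller(new DataFileReadPermission("*"));
        AccessControlContext stranger = restrictedCaller(null);

        System.out.println("naive read, caller holds component permission:    " + attempt(provider, "en-token.bin", false, user));
        System.out.println("hardened read, caller holds component permission: " + attempt(provider, "en-token.bin", true, user));
        System.out.println("hardened read, caller lacks component permission: " + attempt(provider, "en-token.bin", true, stranger));
    }
}
```

Compile and run it with a JDK from 8 to 16 as is; on Java 17 to 23 add -Djava.security.manager=allow, and on Java 24 or later, where the SecurityManager has been removed, it no longer runs. The naive read is denied because the restricted caller's domain holds no java.io.FilePermission; the hardened read succeeds because the permission walk stops at the inner doPrivileged frame; the third call is denied at the component permission check, which is the point of doing that check before escalating: the privileged block is reachable only by callers the component has decided to trust. The real Stanbol components run as OSGi bundles with permissions assigned by the framework, so the permissive Policy here stands in for that setup and is not how a launcher should be configured.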