[jboss-jira] [JBoss JIRA] Commented: (JBPORTAL-2109) CMS Security Issue with LDAP/Clustered mode

Sohil Shah (JIRA) jira-events at lists.jboss.org
Fri Sep 5 17:56:38 EDT 2008


    [ https://jira.jboss.org/jira/browse/JBPORTAL-2109?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12428474#action_12428474 ] 

Sohil Shah commented on JBPORTAL-2109:
--------------------------------------

What is the difference between the two:

This is what I have for jboss-portal-ha.sar/conf/hibernate/portlet/hibernate.cfg.xml
------------------------------------------------------------
<!DOCTYPE hibernate-configuration PUBLIC
   "-//Hibernate/Hibernate Configuration DTD//EN"
   "http://hibernate.sourceforge.net/hibernate-configuration-3.0.dtd">
<hibernate-configuration>
   <session-factory>
      <property name="connection.datasource">java:@portal.datasource.name@</property>
      <property name="show_sql">@portal.sql.show@</property>
      <property name="cache.use_second_level_cache">true</property>
      <property name="cache.use_query_cache">false</property>

      <!--
         | Uncomment in clustered mode : use transactional replicated cache
         @portal.single.xml.close@
         <property name="cache.provider_class">org.jboss.hibernate.jbc.cacheprovider.JmxBoundTreeCacheProvider</property>
         <property name="treecache.mbean.object_name">portal:service=TreeCache,type=hibernate</property>
         @portal.single.xml.open@
      -->

      <!--
         | Comment in clustered mode
         @portal.clustered.xml.close@
         <property name="cache.provider_configuration_file_resource_path">conf/hibernate/portlet/ehcache.xml</property>
         <property name="cache.provider_class">org.hibernate.cache.EhCacheProvider</property>
         @portal.clustered.xml.open@
      -->

      <!-- Force the dialect instead of using autodetection -->
      <!--
      <property name="dialect">org.hibernate.dialect.PostgreSQLDialect</property>
      -->

      <!-- Mapping files -->
      <mapping resource="conf/hibernate/portlet/domain.hbm.xml"/>
   </session-factory>
</hibernate-configuration>

and this for the cms hibernate configuration
------------------------------------------------------------
<!DOCTYPE hibernate-configuration PUBLIC
   "-//Hibernate/Hibernate Configuration DTD//EN"
   "http://hibernate.sourceforge.net/hibernate-configuration-3.0.dtd">
<hibernate-configuration>
   <session-factory>
      <property name="connection.datasource">java:@portal.datasource.name@</property>
      <property name="show_sql">@portal.sql.show@</property>

      <!--  caching properties -->
      <property name="cache.use_second_level_cache">true</property>
      <property name="cache.use_query_cache">true</property>
      <property name="cache.provider_configuration_file_resource_path">conf/hibernate/cms/ehcache.xml</property>
      <property name="cache.provider_class">org.hibernate.cache.EhCacheProvider</property>

      <!-- managed environment transaction configuration -->
      <property name="hibernate.transaction.manager_lookup_class">org.hibernate.transaction.JBossTransactionManagerLookup</property>
      <property name="hibernate.transaction.factory_class">org.hibernate.transaction.JTATransactionFactory</property>

      <!-- Force the dialect instead of using autodetection -->
      <!--property name="dialect">org.hibernate.dialect.PostgreSQLDialect</property-->
      <!--property name="dialect">org.hibernate.dialect.MySQLInnoDBDialect</property-->

      <!-- Mapping files -->
      <mapping resource="conf/hibernate/cms/domain.hbm.xml"/>
   </session-factory>
</hibernate-configuration>
------------------------------------------------------------

I can make the necessary adjustment if you can point me to the proper configuration. It can be included for 2.6 and 2.7, but I would leave it out of the patch.

Thanks
Sohil

> CMS Security Issue with LDAP/Clustered mode
> -------------------------------------------
>
>                 Key: JBPORTAL-2109
>                 URL: https://jira.jboss.org/jira/browse/JBPORTAL-2109
>             Project: JBoss Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Portal CMS
>    Affects Versions: 2.6.6 Final
>            Reporter: Sohil Shah
>            Assignee: Sohil Shah
>             Fix For: 2.6.7 Final
>
>
> Steps to Reproduce:
> I finally managed to reproduce this. Here's my environment:
> - EAP 4.3, JBoss Portal 2.6.5.SP1 HA (or 2.6.6 HA)
> - enabled TC clustered SSO
> First test:
> ----------
> 1/ start two nodes, one with the Service Binding Manager
> 2/ check if one is CMS master, other slave
> 3/ log in as admin:admin
> 4/ change security setting for the '/default' CMS folder to 'Read=User'
> 5/ logout
> 6/ login as user:user on node1 (master): ok, content is displayed
> 7/ logout
> 8/ login as user:user on node2 (slave): ok, content is displayed
> => TEST PASSED
> Second test:
> -----------
> - same setup as before, but with LDAP:
> <attribute name="ConfigFile">conf/identity/ldap_identity-config.xml</attribute>
> - OpenDS is used on localhost with imported identity/src/resources/example/portal-sample-local.ldif structure
> 1-7 as above
> 8/ login as user:user on node2 (slave): failed, 404 or Access Denied (depending on Portal version)
> => TEST FAILED 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
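The comment above asks what differs between the portlet and CMS Hibernate configurations. The script below is an added example, not code from the JIRA thread or from JBoss Portal: it parses two hibernate.cfg.xml documents, lists the active session-factory properties that differ (commented-out blocks are ignored, as Hibernate itself ignores them), and flags a per-node second-level cache in a configuration used in clustered mode. The two sample configs are constructed here, abridged from the files quoted in the comment; the LOCAL_PROVIDERS set is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Hibernate 3 second-level cache providers that keep a per-JVM cache unless their
# own config adds replication; membership of this set is an assumption of this example.
LOCAL_PROVIDERS = {"org.hibernate.cache.EhCacheProvider",
                   "org.hibernate.cache.HashtableCacheProvider"}

def cfg(body):
    """Wrap a <session-factory> body in the hibernate.cfg.xml envelope (DOCTYPE included)."""
    return ('<!DOCTYPE hibernate-configuration PUBLIC "-//Hibernate/Hibernate Configuration DTD//EN" '
            '"http://hibernate.sourceforge.net/hibernate-configuration-3.0.dtd">'
            f"<hibernate-configuration><session-factory>{body}</session-factory></hibernate-configuration>")

# Constructed samples, abridged from the two configs quoted in the comment above.
PORTLET_CFG = cfg("""
  <property name="connection.datasource">java:@portal.datasource.name@</property>
  <property name="cache.use_second_level_cache">true</property>
  <property name="cache.use_query_cache">false</property>
  <!-- clustered-mode provider is commented out, as in the quoted file:
  <property name="cache.provider_class">org.jboss.hibernate.jbc.cacheprovider.JmxBoundTreeCacheProvider</property>
  -->""")
CMS_CFG = cfg("""
  <property name="connection.datasource">java:@portal.datasource.name@</property>
  <property name="cache.use_second_level_cache">true</property>
  <property name="cache.use_query_cache">true</property>
  <property name="cache.provider_class">org.hibernate.cache.EhCacheProvider</property>
  <property name="hibernate.transaction.factory_class">org.hibernate.transaction.JTATransactionFactory</property>""")

def session_factory_props(cfg_xml):
    """Active <property> elements as {name: value}; ElementTree drops XML
    comments, so commented-out providers are correctly treated as inactive."""
    sf = ET.fromstring(cfg_xml).find("session-factory")
    return {p.get("name"): (p.text or "").strip() for p in sf.findall("property")}

def diff_props(a, b):
    """Properties set differently in a and b (None = absent on that side)."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def cache_warnings(props, clustered=True):
    """Flag a per-node second-level cache in a config meant for clustered use."""
    warnings = []
    provider = props.get("cache.provider_class")
    if clustered and props.get("cache.use_second_level_cache") == "true" and provider in LOCAL_PROVIDERS:
        warnings.append(f"{provider} is per-node: writes on one node leave other nodes' cached entities stale")
        if props.get("cache.use_query_cache") == "true":
            warnings.append("query cache is also per-node, so cached query results are not invalidated cluster-wide")
    return warnings
```

Run diff_props(session_factory_props(PORTLET_CFG), session_factory_props(CMS_CFG)) to see the differing properties, and cache_warnings on the CMS dictionary to see the clustered-mode cache flags.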