Category Archives: Spring

Závažná bezpečnostní chyba ve Springu odhalena!

Otázka: Je pravda, že v Košicích upálily rusa?
Odpověd rádia Jerevan: Ano, je to pravda, ale nebylo to v Košicích, ale v Kostnici a nebyl to rus, ale Hus.

Myslel jsem si, že jsem expert na senzační titulky. Ale tento je nepřekonatelný. Mohli jste na něj narazit dnes, například na theserverside.com. Na první pohled to vypadá, že našli závažnou bezpečnostní chybu ve Springu. Na druhý pohled člověk přijde na to, že Rádio Jerevan obnovilo vysílání.
Takže, je pravda, že je ve Springu bezpečnostní chyba? Ano je to pravda, jenom to není ve Springu, ale ve Spring MVC a není to chyba, ale vlastnost.
Jde o to, že Spring MVC napojuje (binduje) hodnoty v HTML formulářích na beany. Pokud mám ve formuláři políčko se jménem name a v beaně pole se stejným jménem, Spring MVC mi automaticky nastaví hodnotu v beaně podle hodnoty ve formuláři. A to je ta chyba. Může se totiž stát, že mám v beaně jinou sadu polí než v HTML formuláři. Útočník teoreticky může v dotazu poslat hodnotu pole, které nebylo ve formuláři, a které tudíž ani nečekám. Prostě a jednoduše mi pošle jeden parametr dotazu (request parameter) navíc. Pokud správně trefí jméno, Spring nastaví hodnotu pole beany, u kterého to neočekávám. Takže teoreticky může změnit něco, co nechci aby se měnilo. To je závažná věc, a je dobré ji mít na paměti. Rozhodně bych to nechtěl zlehčovat. Musím se přiznat, že mi to až dodnes nedošlo.
Nicméně pokud to trochu přeformuluji, tak z toho plyne, že nemáme věřit ničemu, co nám přichází od uživatele. To rozhodně není žádná novinka. Jenom na to často zapomínáme. Uvedený problém má ve Spring MVC jednoduché řešení. Prostě mu řekneme, jaká pole má napojovat.
Samozřejmě to není jenom problém Spring MVC, stejný problém budou mít všechny podobně fungující frameworky (možná kromě JSF). Když mi přijde HTTP dotaz, tak nevím, která políčka byla v HTML formuláři. On tam konec konců ani žádný HTML formulář být nemusel. Dotaz mohl být klidně vygenerovaný nějakou aplikací. Jediné co mohu udělat, je explicitně určit, která pole se mají nastavovat. To Spring MVC umožňuje, jenom to skoro nikdo nepoužívá.
Takže abych to shrnul. Ve Springu bezpečnostní chyba není (alespoň co je mi známo). Chyba ale může vzniknout při jeho neopatrném používání. Doufám že se zítra nedočtu, že je závažná chyba v Oraclu. Doslechl jsem se, že umožňuje zavolat DROP SCHEMA a to může mít závažné následky na integritu dat.

Spring field injection

Few weeks ago, I worked on an interesting task. I had to find out how to migrate my customer’s proprietary framework to Spring. The framework was quite similar to Spring, although there were some differences. They used combination of XML and annotation configuration. Every property had special annotation saying that it is a property. XML schema for configuration was generated based on this annotation. So basically you had XML configuration that said what to inject to the annotated fields. The problem was that they did not have set methods for the fields.

And of course, the customer did not want to change all their classes just to migrate to Spring. It meant that they needed configure all the beans using Spring, but inject the dependencies directly, not through set methods.

I know that it is ugly and not recommended but in this case I think I have good excuse. It is a customer’s requirement. The question of course is how to do it.

You can try to use Spring post-processor. If you register instance of InstantiationAwareBeanPostProcessor you can use method postProcessPropertyValues to manipulate with property values just before Spring attempts to inject them. So you can inject the values into fields by yourself. And it works. The trouble is that you have to do property instantiation and conversion by yourself too. I almost managed to do it when I encountered a big problem – inner beans. In Spring, you can define a bean inside another bean. In order to inject the inner bean to the outer bean, the inner bean has to be already instantiated. But postProcessPropertyValues method is called before inner bean instantiation. So that is a blind alley.

OK, post-processor can not be used, let’s do it more hard-core. Spring has something called BeanWrapper. It is used by Spring for setting bean properties. Great, that is the point where I can force Spring to inject into the fields. The only thing I need to do, is to inject my BeanWrapper implementation into Spring. There is only one small trouble. It is not possible to do it. Unsurprisingly, dependency injection does not work inside the dependency injection code. I tried hard, but did not find any simple and safe way how to replace default BeanWrapper implementation. (If you know how to do it, please let me know)

So, if it is not possible to force Spring to inject without set method, let’s give him what he is asking for. The final solution is simple. When instantiating beans, I do not instantiate the original class but a subclass that is generated in the runtime and has all needed set methods. For the class generation I use Javassist, it is simple and powerful. To make the integration with Spring as simple as possible, I use factory bean. So the Spring XML config file looks like this

	<bean id="beanFactory" class="net.krecan.beanfactory.SetMethodGeneratingBeanFactory"/>
	<bean id="sampleClass" 
		      factory-bean="beanFactory"
		      factory-method="createBean">
		<constructor-arg value="net.krecan.beanfactory.Sample"/>
		<property name="textProperty" value="test.txt"/>
		<property name="intProperty" value="123"/>
		<property name="simpleSample">
			<bean factory-bean="beanFactory" 
			   factory-method="createBean">
				<constructor-arg value="net.krecan.beanfactory.SimpleSample"/>
				<property name="textProperty" value="hallo"/>


			</bean>

		</property>
	</bean>

Instead of providing class name in the bean definition, factory-bean attribute is used. Spring than calls method createBean on the factory bean with parameter taken from the constructor-arg element. It contains the class name of the bean. The result of the method call is used as a bean instance and all the properties are set by Spring.

Of course, you do not have to write it this way every time you want to instantiate this kind of bean. Simple custom namespace can be created in order to simplify the syntax.

In the future, when my customer realize that setters are a good thing, the factory can be easily replaced by a dummy implementation.

To reiterate, direct injection of dependencies from XML to the fields without using set methods is not supported by Spring. You can choose between XML based configuration using set methods or annotation based configuration. It is extremely hard to change default Spring behavior. And maybe it is a good thing. So if you need to do ugly XML based field injection, your only choice is to generate set methods in the runtime. Or maybe something else, but I have no idea what.

Continue reading

Let’s play with OSGi, Spring and Maven, part 2

In the first part of this article, we have finished and tested DAO part of the application. Today we are going to create the UI and connect all the parts using Service bundle.

If you think about it, you realize that UI bundle is exactly the same as the DAO bundle. It only exports a service. In this case it implements DataReceiver interface from the Common bundle. Therefore, pom.xml, generated MANIFEST.MF file and Spring configuration file will be similar to that we have seen in part 1. So I will skip this bundle and jump directly to the Service layer.

In the Service bundle we want to use both DAO and UI. We want to periodically pull the data from the DataLoader and push them to the DataReceiver service.

Let’s start with bundle metadata.

	<plugin>
	    <groupId>org.apache.felix</groupId>
	    <artifactId>maven-bundle-plugin</artifactId>
	    <extensions>true</extensions>
	    <configuration>
	    	<instructions>
	    	 <Private-Package>
	    	    net.krecan.spring.osgi.service.*
	    	 </Private-Package>
	    	</instructions>
	    </configuration>
	  </plugin>

This configuration of the Maven OSGi plugin is going to generate following MANIFEST.MF file.


Manifest-Version: 1.0
Bundle-Name: demo-spring-osgi-service
Build-Jdk: 1.5.0_15
Built-By: lukas
Created-By: Apache Maven Bundle Plugin
Private-Package: net.krecan.spring.osgi.service
Import-Package: net.krecan.spring.osgi,org.apache.commons.logging
Bundle-ManifestVersion: 2
Bundle-SymbolicName: net.krecan.spring-osgi.demo-spring-osgi-service
Tool: Bnd-0.0.255
Bnd-LastModified: 1212320410936
Bundle-Version: 1.0.0.SNAPSHOT

You can see that we do not export any package. It is not needed. Service bundle only coordinates DAO and UI, it does not need to expose anything.

Import-Package directive is more interesting. Maven plugin analyzed Java classes and figured out that import of net.krecan.spring.osgi and org.apache.commons.logging package is needed. The first one is exported by our Common bundle, the other one is provided by the commons-logging package. Great, I do not have to specify dependencies by hand, Maven plugin does it automatically.

OK, OSGi is configured, we can try to use our services. Again, I will use Spring OSGi integration. I will create following Spring XML configuration in the META-INF/spring directory of the Service bundle

<?xml version="1.0" encoding="UTF-8"?>
<beans ...>

	<osgi:reference id="dataLoader" interface="net.krecan.spring.osgi.DataLoader"/>
	
	<osgi:list id="receivers"  interface="net.krecan.spring.osgi.DataReceiver"/>
	
	<bean id="dataDistributor" class="net.krecan.spring.osgi.service.DataDistributor">
		<property name="dataLoader" ref="dataLoader"/>
		<property name="receivers" ref="receivers"/>
	</bean>
	
	<!-- Timer config -->
	...	
	
</beans>

(Full version can be downloade here)

By osgi:reference element we say, that we want to find a service that implements DataLoader service. If such service is running in the OSGi engine, we can use the reference as a Spring bean with ID “dataLoader”. So we can inject it to the dataDistributor bean like any other Spring bean. That is great. The source code is not bound to OSGi at all. If you wish, you can switch form OSGi to a simple deployment, to remote invocation, web service or whatever you want. The source code will remain unchanged. The only thing we need to change is the configuration.

Do you wonder what happens, if there is no DataLoader service running? The answer is simple. Service bundle will wait for it. When DataLoader became available, the Service bundle will start to pull data from it. (This behavior can be changed by the cardinality attribute)

osgi:list element is similar to osgi:reference. It supports multiple references. It implements normal java.util.List. Again, we can inject it to an ordinary Spring bean. Moreover, the list is magic. If new service with given interface appears in the OSGi container, it is automagically added to the list. So I do not have to care about it.

The rest of the Spring config is not connected with OSGi. It just starts timer job that calls dataDistributor.loadAndSend method every 100ms.

And now we can test it. We will again use Spring OSGi support for integration tests. First of all, we have to say which bundles we are going to use.

	protected String[] getTestBundlesNames() {
		return new String[] {
			"net.krecan.spring-osgi, demo-spring-osgi-dao, "+DEMO_VERSION, 
			"net.krecan.spring-osgi, demo-spring-osgi-ui, "+DEMO_VERSION, 
			"net.krecan.spring-osgi, demo-spring-osgi-service, "+DEMO_VERSION, 
		};
	}

And now we can run the test.

	public void testAddUi() throws InterruptedException, BundleException, IOException
	{
		Thread.sleep(500);
		LOG.info("Starting alternative UI");
		Resource bundleResource = locateBundle("net.krecan.spring-osgi, demo-spring-osgi-ui-alternative, "+DEMO_VERSION);
		Bundle bundle = bundleContext.installBundle(bundleResource.getURL().toString());
		bundle.start();
		LOG.info("Alternative UI started");
		Thread.sleep(500);
		LOG.info("Stopping alternative UI");
		bundle.stop();
		LOG.info("Alternative UI stopped");
		Thread.sleep(500);
		
	}

To make it more interesting, we will run the test for 500ms and then we will add and start alternative UI bundle. After another 500ms we will stop the alternative UI bundle again. It will result into following log output.

2008-06-01 14:33:55,818 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:55 CEST 2008 )
2008-06-01 14:33:55,908 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:55 CEST 2008 )
2008-06-01 14:33:56,009 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:56 CEST 2008 )
2008-06-01 14:33:56,108 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:56 CEST 2008 )
2008-06-01 14:33:56,209 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:56 CEST 2008 )
2008-06-01 14:33:56,308 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:56 CEST 2008 )
2008-06-01 14:33:56,317 INFO [net.krecan.spring.osgi.dao.ServiceOsgiTest] {main} – Starting alternative UI
2008-06-01 14:33:56,384 INFO [net.krecan.spring.osgi.dao.ServiceOsgiTest] {main} – Alternative UI started
2008-06-01 14:33:56,408 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:56 CEST 2008 )
2008-06-01 14:33:56,508 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:56 CEST 2008 )
2008-06-01 14:33:56,508 INFO [net.krecan.spring.osgi.ui.alternative.AlternativeDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:56 CEST 2008 )
2008-06-01 14:33:56,609 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:56 CEST 2008 )
2008-06-01 14:33:56,609 INFO [net.krecan.spring.osgi.ui.alternative.AlternativeDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:56 CEST 2008 )
2008-06-01 14:33:56,708 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:56 CEST 2008 )
2008-06-01 14:33:56,708 INFO [net.krecan.spring.osgi.ui.alternative.AlternativeDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:56 CEST 2008 )
2008-06-01 14:33:56,809 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:56 CEST 2008 )
2008-06-01 14:33:56,809 INFO [net.krecan.spring.osgi.ui.alternative.AlternativeDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:56 CEST 2008 )
2008-06-01 14:33:56,884 INFO [net.krecan.spring.osgi.dao.ServiceOsgiTest] {main} – Stopping alternative UI
2008-06-01 14:33:56,909 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:56 CEST 2008 )
2008-06-01 14:33:56,909 INFO [net.krecan.spring.osgi.ui.alternative.AlternativeDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:56 CEST 2008 )
2008-06-01 14:33:57,009 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:57 CEST 2008 )
2008-06-01 14:33:57,009 INFO [net.krecan.spring.osgi.ui.alternative.AlternativeDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:57 CEST 2008 )
2008-06-01 14:33:57,101 INFO [net.krecan.spring.osgi.dao.ServiceOsgiTest] {main} – Alternative UI stopped
2008-06-01 14:33:57,108 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:57 CEST 2008 )
2008-06-01 14:33:57,209 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:57 CEST 2008 )
2008-06-01 14:33:57,311 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:57 CEST 2008 )
2008-06-01 14:33:57,409 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:57 CEST 2008 )
2008-06-01 14:33:57,509 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:57 CEST 2008 )
2008-06-01 14:33:57,614 INFO [net.krecan.spring.osgi.ui.DefaultDataReceiver] {timerFactory} – ***** Received data: Data ( text = Hallo Sun Jun 01 14:33:57 CEST 2008 )

It looks exactly how it should. Messages from the alternative UI appear and then disappear together with corresponding bundle. That’s what OSGi is all about. It enables dynamic binding of components. We can replace or plug-in services dynamically in the runtime.

To reiterate. Today we have seen OSGi in action. We have connected several services using Spring support and we have seen dynamic nature of OSGi. And what’s the best, our source code is not aware of OSGi. What a nice example of dependency injection.

Next time, we will try to play a bit with the example. I want to run it standalone, without Spring integration testing support and I’d like to test how it is resistant to class loader leaks.

Source code is accessible in here.