7. Issues fixed in this release
- JBPAPP-3952: A security issue in the JMX Console configuration has been identified that allows an attacker to bypass security authentication. The JMX Console configuration only specified an authentication requirement for requests that used the GET and POST HTTP "verbs". An attacker could create an HTTP request that did not specify GET or POST and it would be executed by the default GET handler without authentication. This release contains a JMX Console with an updated configuration that no longer specifies the HTTP verbs. This means that the authentication requirement is applied to all requests. For additional information on this vulnerability refer to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738. All users are advised to upgrade to this release to resolve this issue. If an immediate upgrade is not possible or the server deployment has been customized then the fix can be applied by editing the deployment descriptor (WEB-INF/web.xml) of the JMX Console WAR. Details of how to apply this fix can be found at http://kbase.redhat.com/faq/docs/DOC-30741. Contact Red Hat JBoss Support for advice before making these changes. Red Hat would like to thank Stefano di Paola and Giorgio Fedon of Minded Security for responsibly reporting the CVE-2010-0738 issue.
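The following is an added illustration of the descriptor change described above; it is not the descriptor shipped with the JMX Console, and the resource name, URL pattern and role name are assumptions. It shows the weak security-constraint beside the corrected one so that administrators who must patch a customized deployment can recognize which form they have.

```xml
<!-- Added example, not the product's own WEB-INF/web.xml.
     Resource name, URL pattern and role name are assumed values. -->

<!-- BEFORE (the CVE-2010-0738 configuration): the constraint lists GET and POST.
     A request that uses any other method does not match the constraint, so the
     container never requires authentication for it. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>

<!-- AFTER (the corrected configuration): no http-method elements at all.
     Under the Servlet specification a web-resource-collection without any
     http-method element applies to every HTTP method, so the auth-constraint
     now covers all requests to the console. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
```

After upgrading or editing, a quick check is to search the JMX Console's WEB-INF/web.xml for any remaining http-method element inside a security-constraint; the fixed descriptor contains none.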
- CVE-2009-3555: A vulnerability in the TLS protocol allowed an attacker to inject arbitrary requests into a TLS stream during renegotiation. The JBoss Web blocking IO (BIO) connector uses the JSSE implementation of TLS provided by the JVM; therefore, the BIO connector is vulnerable because the JSSE version used is vulnerable. Until a fix is available in JSSE, a new connector attribute, allowUnsafeLegacyRenegotiation, has been added to the BIO connector to work around this issue. It should be set to false (the default) to protect against this vulnerability. Users should be aware that the impact of disabling renegotiation will vary with both application and client. In some circumstances disabling renegotiation may result in some clients being unable to access the application.
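As an added example (not taken from the product's shipped server.xml), this is where the new attribute sits in an HTTPS BIO connector definition; the file location, port, keystore path and password are assumed placeholder values.

```xml
<!-- Added example: HTTPS BIO connector in server/<profile>/deploy/jbossweb.sar/server.xml
     (assumed location). Port, keystore path and password are placeholders. -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="CHANGE_ME"
           sslProtocol="TLS"
           allowUnsafeLegacyRenegotiation="false" />
<!-- The attribute defaults to false, so omitting it is equivalent to the line above.
     Only a connector that explicitly sets allowUnsafeLegacyRenegotiation="true"
     re-enables the renegotiation behaviour that CVE-2009-3555 describes. -->
```

When reviewing a deployment, grep every server.xml for allowUnsafeLegacyRenegotiation and treat any value of true as a deliberate exception that needs justification.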
- JBPAPP-3079: Session expiration did not trigger flushing of the JBoss Authentication Cache. The PrincipalSessionAttributeFilter has been created in order to place the principal as an attribute of the HTTP session. This attribute is checked when the session expires and, if found, triggers flushing of the authenticated cache. You must uncomment this filter in Tomcat's web.xml to use this feature.
- JBPAPP-2873: Twiddle logged all command line arguments, including the JMX password, to twiddle.log. This log file is publicly readable and is created in the current directory. The password argument is now masked in the log file.
- JBPAPP-3430: Undefined behavior occurred on remote clients that used NestedTransaction when nested transactions were disabled in jbossjta-properties.xml. No nested transaction checking was performed, despite this being unsupported. This update adds a NotSupportedException to be thrown when clients attempt to start a nested transaction.
- JBPAPP-3328: Farming's AddContentStreamAction attempted to close this InputStream as part of cleanup processing, even though it was not responsible for opening the stream. This caused failures in ClusteredDeploymentRepoAddContentTestCase, which is responsible for the stream. AddContentStreamAction no longer attempts to close the input stream.
ClusteredDeploymentRepository failed when an exploded deployment was removed because the logic that iterated over the contents of the deployment removed items incorrectly. This meant that when an exploded deployment was placed in the farm directory and later removed, a ClusteredDeploymentRepository failed. Items are now removed correctly via
- JBPAPP-3234: Setting true via XML would not disable scanning if set to false, and caused a NullPointerException if set to true. Both issues have been resolved.
- JBPAPP-3213: Deploying EJB3 methods with zero parameters led to NullPointerExceptions. This fix ensures that the deployment will not fail on these grounds.
- JBPAPP-3180: Hibernate integration code for unsupported second-level caches and connection pools was not included in JBoss Enterprise Application Platform 5.0. The following JARs have been included in common/lib to provide integration for this module:
- JBPAPP-3029: The jboss_init_redhat.sh script is used to start and stop a server instance under a given user name. When using a non-loopback bind address, calling jboss_init_redhat.sh stop resulted in a CommunicationException because of a missing hostname parameter for the remote server the script attempts to contact.
- JBPAPP-2866: The JGroups protocol stack included an incorrect diagnostic address, 188.8.131.52. The address has been corrected to
- JBPAPP-2818: The main/src/bin/run.sh did not allow users to override $JBOSS_HOME/bin/run.conf with a profile-specific $JBOSS_HOME/server/$PROFILE/run.conf. This update allows the use of a custom run.conf, if specified.
- JBPAPP-3220: When cookies were disabled for the current context, a session cookie from the parent context overwrote the session ID encoded in a URL. The fix for this issue specifies that when cookies are disabled for the current context, the parent context's session cookie should not be sought, and prevents the session ID in the URL from being overwritten.
- JBPAPP-2929: With buddy replication, when multiple concurrent requests are made with the same session ID after failover, the requests may abort with an org.jboss.cache.lock.UpgradeException while attempting to migrate the cache data to the local node. This no longer occurs, and multiple concurrent web requests made after failover with buddy replication enabled now work correctly.
- JBPAPP-3954: When a Seam ManagedDrivenBean component calls a stateless session bean component in a Seam-managed persistence context, an IllegalStateException ("No event context active") may occur. The component now checks if
- JBPAPP-3541: Seam could not be compiled from source because its root.pom.xml referenced an incorrect version of javax.transaction:jta:jar. The JAR referenced has been corrected to the correct version
jboss-seam-resteasy.jar was not included in the Seam distribution in JBoss Enterprise Application Platform 5.0. This JAR, and relevant documentation, have been added.
- JBPAPP-3334: The org.jboss.seam.bpm.JbpmELResolver was passed into resolveVariable instead of the property variable. This meant that the method returned null where it should have returned the task instance. property is now passed correctly.
com.sun.faces.config.ConfigureListener was missing from web.xml. This meant that JavaServer Faces was not initialized when Seam bootstrapped its application scope components, so the JavaServer Faces application context was not available. This class has been added to web.xml and JavaServer Faces now initializes correctly.
- JBPAPP-3048: The Seam booking example and its derivatives contained outdated page footers. These have been updated for Seam 2.2.
- JBPAPP-3001: Bash script seam/seam.sh has executable permission only on some Linux systems. This is caused by a different zip util implementation included in the distribution. This has been fixed on Fedora 12 and Red Hat Enterprise Linux 4 and executable permissions are now assigned to seam/seam.sh correctly. The fix is not available for the zip util used on other operating systems such as Ubuntu.
- JBPAPP-2733: When the Seam examples were tested with the TestNG plugin in JBDS, a java.lang.AssertionError was thrown. To avoid this error it is important to test the examples according to the following instructions:
  - From the example's home directory (e.g. booking for the booking example), run
  - In Eclipse, click on Java Project from Existing Ant Buildfile from the New Project Wizard, and click
  - Select the example's build.xml file as the base for the new Java project.
  - From the Run As menu, choose TestNG Test. You can cancel the processing of the test run at any time.
  - Go to Run configurations and edit the created TestNG runner.
  - If JDK 1.6 is used as runtime, add the following JVM argument on the
  - Go to the Classpath tab and remove all
  - Add the JARs and folders specified by http://seamframework.org/Community/GettingStartedDevelopingTheSeamFramework#H-RunningIntegrationTestsFromTheTestNGEclipsePlugin.
- JBPAPP-3384: Hibernate collection mapping encountered exceptions if @MapKey was used without an explicit @Type annotation. Without an explicit @Type annotation, Hibernate assumed that the property key type was Serializable and attempted to deserialize an object stream from the database column value. With this update, if @MapKey is not given an explicit @Type, Hibernate uses the original property type instead of the serializable type.
- JBPAPP-3371: The round function is meant to return values of the same type as the first argument provided (integer, double, or decimal). Previously, it rounded all values regardless of type. All values should now return as the correct type.
- JBPAPP-3191: The hibernate-ehcache.jar was missing from JBoss Enterprise Application Platform 5.0. This meant that applications that used ehcache as the Hibernate second-level cache provider failed with a NoClassFoundException. A signed version of hibernate-ehcache.jar is available from CSP: https://support.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=1037. This JAR should be placed into the following directories:
- JBPAPP-3173: Using Javassist as the bytecode provider to instrument your domain model caused errors if an entity extended a parent class with an abstract method. Hibernate code used while statement, which caused the statement to skip all other attributes that should have been used. This has been corrected.
- JBPAPP-3098: When a filter with a collection type parameter was used, and the number of parameters in that collection changed during the lifetime of the SessionFactory, the SQL would not be updated to reflect the change in the number of parameters. This typically resulted in the following error:
java.sql.SQLException: Parameter index out of bounds. 2 is not between valid values of 1 and 1
This occurred only with HQL, not Criteria, and has now been corrected.
- JBPAPP-3089: A long IN list could result in stack overflow during parsing. A query element like where x in (:x) or a manually-constructed where x in (1,2,3,...) could generate a stack overflow if the number of elements referenced by x exceeded a number dependent on available stack space. For Java Virtual Machines, the limit is between 9000 and 10000, assuming a relatively empty stack at the point of query execution. The stack overflow occurred in org.hibernate.hql.ast.util.NodeTraverser because it used a recursive algorithm to walk a parse tree. A long IN list generated a very deep sub-tree, so a sufficiently long list caused the stack overflow when NodeTraverser's internal method visitDepthFirst calls itself too many times. This recursive algorithm has been replaced with an iterative tree-walking implementation to fix this issue.
- JBPAPP-2957: The CollectionRegionAccessStrategy should remove objects from the cache immediately, without regard for transaction isolation. The Hibernate/JBoss Cache integration did not handle this correctly, as the JBoss Cache removeNode calls it made did not deal with transactional issues. This usually results in an IllegalStateException or a JBoss Cache CacheException when a transaction that had made a bulk update was committed, or when using the Hibernate SessionFactory evict methods. To fix this issue, any ongoing transaction in evictAll() will now be suspended before invoking JBoss Cache's removeNode. To cater for transactional issues, state is now stored in the integration layer's Region to track where eviction has occurred but may not yet be reflected in JBoss Cache. JBoss Cache is used as a notification bus to propagate the eviction to other nodes. Eviction occurs locally, and fails immediately where lock conflicts occur. State is also checked in the
- JBPAPP-2922: Hibernate warns that the cglib BytecodeProvider impl is considered deprecated and is not recommended for use. cglib is not deprecated, so this warning can be safely ignored.
- JBPAPP-2900: MySQL uses the TEMPORARY keyword to bypass implicit transaction commits. Previously, Hibernate used <CREATE TEMPORARY TABLE> with <DROP TABLE>. Omitting the TEMPORARY keyword caused an implicit commit, and immediate failure within an XA Transaction. <DROP TEMPORARY TABLE> is now supported and this issue no longer presents.
- JBPAPP-2892: When Enterprise JavaBean 3.0 entities were used with optimistic caching, A.newerThan ( A ). This caused a DataVersioningException when JBoss Cache attempted to remove the entry. The method has been corrected so that it returns false. Note that the recommended approach is to use Multiversion Concurrency Control (mvcc-entity) instead of optimistic caching.
- JBPAPP-2858: Native queries were automatically paginated in getSingleResult(), which caused getSingleResult() to fail for some databases and queries. This behaviour has been changed so that Hibernate no longer alters setMaxResult for native queries in
- JBPAPP-2277: Hibernate uses ClassLoader.loadClass() was used in SerializationHelper$CustomObjectInputStream, but is no longer supported by default as of JDK 6 (see http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6500212 for further information). Attempting to load an array using this method resulted in a Class.forName(className,false,myClassLoader) to resolve classes.
- JBPAPP-2082: Associations marked as mappedBy must not define database mappings like @JoinTable or @JoinColumn. This fix adds an AnnotationsException, which is thrown when Hibernate receives this invalid mapping.
EntityNotFoundException is incorrectly thrown upon an optimistic locking failure when one EntityManager tries to delete an entity that has been updated by a different hibernate.jdbc.batch_versioned_data is set to false (the default value). OptimisticLockException is now thrown instead.
true. This was done because, by default, Sybase ASE 15 string comparisons are case-insensitive. Since Sybase can be configured to be either case-sensitive or case-insensitive, if the Sybase database is configured for case-sensitive comparisons, the previous setting (false) was incorrect.
- JBPAPP-3380: RESTEasy integration information has been added to the Seam Reference Guide.
- JBPAPP-3863: The Administration and Configuration Guide indicated that the JDBC blocking-timeout-millis property's default value is 5000 milliseconds. This incorrect value has been replaced with the true default value, 30000 milliseconds.
- JBPAPP-2948: The deploy/jmx-remoting.sar service instantiates a JSR-160 adapter for standardized remote access to the JBoss MBeanServer. This service is used with tools such as the JConsole. At present, this service does not support secure access. In production environments where the server binds to a specific address other than localhost this presents a potential security risk, so the adapter has been moved from the docs/examples/jmx. We do not recommend enabling it for production usage. If during development you wish to re-enable the adapter, copy it back to the deploy directory. The adapter has been moved to /docs/examples. If you wish to re-enable it, move it back to the
- JBPAPP-2802: The JBoss Cache documentation did not indicate that Non-Blocking State Transfer was unsupported. Unsupported information about Non-Blocking State Transfer has now been removed from the JBoss Cache documentation associated with JBoss Enterprise Application Platform.