Key: GLASSFISH-20055
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: arunkumar_s
Reporter: arunkumar_s
Votes: 0
Watchers: 0

[Batch RI] Batch Job servlets/ejb applications able to stop/restart/abandon other batch job executions

Created: 26/Mar/13 12:46 PM   Updated: 02/Apr/13 08:35 PM   Resolved: 02/Apr/13 08:35 PM
Component/s: batch
Affects Version/s: 4.0_b81
Fix Version/s: 4.0_b82_EE7MS7

Time Tracking:
Not Specified

Participants: arunkumar_s, Mahesh Kannan and ScottKurz

Description

Tested with the latest nightly build 82.

asadmin list-batch-jobs -l lists all the batch jobs available.

Try to stop/restart/abandon a batch execution by providing an execution id from other servlet/ejb apps.

Issue --> listing batch jobs from a servlet/ejb displays only the current application's batch jobs; the same thing should be applied to stop/restart/abandon batch jobs.

Mahesh Kannan added a comment - 27/Mar/13 04:37 AM

The jobOperator.getJobNames() uses BatchSecurityHelper to find out if the caller is an Admin. If not it calls BatchSecurityHelper.getCurrentTag() to determine the current app.

I guess these other APIs in JobOperator (stop/restart/abandon) must also make use of BatchSecurityHelper to prevent this use case.
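The check discussed in the comment above, sketched as an added example that is not GlassFish or Batch RI code and not part of the original thread: every operation that accepts an execution id passes through one ownership check before it acts. The class `TagScopedOperator`, the `Caller` record and the tag values are hypothetical stand-ins for the caller information the thread attributes to BatchSecurityHelper; the code assumes Java 16 or later for records.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

public class TagScopedOperator {
    // Hypothetical stand-in for the caller information BatchSecurityHelper supplies.
    record Caller(String tag, boolean admin) {}

    // executionId -> tag of the application that started the execution
    private final Map<Long, String> ownerTag = new ConcurrentHashMap<>();
    private final Map<Long, String> state = new ConcurrentHashMap<>();
    private final AtomicLong ids = new AtomicLong();

    long start(Caller c) {
        long id = ids.incrementAndGet();
        ownerTag.put(id, c.tag());
        state.put(id, "STARTED");
        return id;
    }

    // Single choke point: every operation that takes an execution id calls this first.
    private void authorize(Caller c, long executionId) {
        if (c.admin()) return;
        String owner = ownerTag.get(executionId);
        // Unknown ids are rejected the same way as foreign ones (fail closed).
        if (owner == null || !owner.equals(c.tag()))
            throw new SecurityException("execution " + executionId + " is not visible to " + c.tag());
    }

    void stop(Caller c, long id)    { authorize(c, id); state.put(id, "STOPPED"); }
    void restart(Caller c, long id) { authorize(c, id); state.put(id, "STARTED"); }
    void abandon(Caller c, long id) { authorize(c, id); state.put(id, "ABANDONED"); }
    String status(long id)          { return state.get(id); }

    public static void main(String[] args) {
        TagScopedOperator op = new TagScopedOperator();
        Caller appA = new Caller("appA", false), appB = new Caller("appB", false);
        Caller admin = new Caller("admin", true);
        long id = op.start(appA);          // constructed sample execution owned by appA
        try {
            op.stop(appB, id);             // a different application supplies appA's id
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        op.stop(appA, id);                 // the owner may stop its own execution
        op.abandon(admin, id);             // an admin caller may act on any execution
        System.out.println(op.status(id));
    }
}
```

Routing the list and the mutating operations through the same check keeps what an application can see and what it can act on from drifting apart.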

ScottKurz added a comment - 27/Mar/13 04:47 AM

Yes, it looks like we have some gaps here. Not sure if we'll fix tomorrow, but by end of week.

ScottKurz added a comment - 29/Mar/13 01:19 AM

This should be fixed in the 1.0-b22 drop.