User impersonation now fails

This Java action code was working, then it stopped after a recent Mendix upgrade (not sure which one):

```java
// This file was generated by Mendix Studio Pro.
//
// WARNING: Only the following code will be retained when actions are regenerated:
// - the import list
// - the code between BEGIN USER CODE and END USER CODE
// - the code between BEGIN EXTRA CODE and END EXTRA CODE
// Other code you write will be lost the next time you deploy the project.
// Special characters, e.g., é, ö, à, etc. are supported in comments.

package commonutilities.actions;

import java.util.UUID;
import javax.servlet.http.HttpServletResponse;
import com.mendix.core.Core;
import com.mendix.systemwideinterfaces.core.IContext;
import com.mendix.systemwideinterfaces.core.ISession;
import com.mendix.systemwideinterfaces.core.IUser;
import com.mendix.webui.CustomJavaAction;

/**
 * Force login as another user using only their username. This is intended only as an admin function,
 * or possibly if the user requests to remember them on their own machine.
 */
public class Impersonate extends CustomJavaAction<java.lang.Boolean>
{
    private java.lang.String username;

    public Impersonate(IContext context, java.lang.String username)
    {
        super(context);
        this.username = username;
    }

    @java.lang.Override
    public java.lang.Boolean executeAction() throws Exception
    {
        // BEGIN USER CODE
        IUser user = Core.getUser(getContext(), username);
        var rResponse = this.context().getRuntimeResponse();
        var response = rResponse.isPresent() ? rResponse.get() : null;

        // unknown user?
        if (user == null) {
            return false;
        } else {
            // known user
            UUID currentSessionId = this.getContext().getSession().getId();
            ISession session = Core.initializeSession(user, currentSessionId.toString());

            // session initialized, make sure the user (browser) knows about it through cookies
            if (session != null) {
                if (response != null) {
                    /** create cookies and redirect: String key, String value, String path, String domain, int expiry */
                    response.addCookie("XASSESSIONID", session.getId().toString(), "/", "", -1);
                    response.addCookie("XASID", "0." + String.valueOf(Core.getXASId()), "/", "", -1);
                    Core.getLogger("LoginHelper").info("User '" + username + "' has been authenticated.");
                    // redirect the user to the index.html, now with session cookie
                    response.setStatus(HttpServletResponse.SC_SEE_OTHER);
                    response.addHeader("location", "..");
                }
                return true;
            }
            else {
                return false;
            }
        }
        // END USER CODE
    }

    /**
     * Returns a string representation of this action
     */
    @java.lang.Override
    public java.lang.String toString()
    {
        return "Impersonate";
    }

    // BEGIN EXTRA CODE
    // END EXTRA CODE
}
```

(I did not create the original code, it was here: https://community.mendix.com/link/questions/7637) I just take a username and assume their identity for testing and support purposes. Again, this WAS working, then Mendix changed something and broke it, and I'm not sure what. Any ideas?

The error I'm getting now (from a project that was working and had NO changes) is this:

```
com.mendix.modules.microflowengine.MicroflowException: com.mendix.systemwideinterfaces.MendixRuntimeException: com.mendix.core.objectmanagement.SecurityRuntimeException: Write access denied for member 'FailedLogins' of object 'Administration.Account'
    at Configurations.ImpersonateAccount (JavaAction : 'Impersonate')

Advanced stacktrace:
    at com.mendix.modules.microflowengine.MicroflowUtil.processException(MicroflowUtil.java:152)
Caused by: com.mendix.core.CoreRuntimeException: com.mendix.systemwideinterfaces.MendixRuntimeException: com.mendix.core.objectmanagement.SecurityRuntimeException: Write access denied for member 'FailedLogins' of object 'Administration.Account'
    at com.mendix.basis.actionmanagement.ActionManagerBase.executeSync(ActionManagerBase.java:156)
Caused by: com.mendix.systemwideinterfaces.MendixRuntimeException: com.mendix.core.objectmanagement.SecurityRuntimeException: Write access denied for member 'FailedLogins' of object 'Administration.Account'
    at com.mendix.util.classloading.Runner.doRunUsingClassLoaderOf(Runner.java:36)
Caused by: com.mendix.core.objectmanagement.SecurityRuntimeException: Write access denied for member 'FailedLogins' of object 'Administration.Account'
    at com.mendix.basis.objectmanagement.MendixObjectMemberImpl.checkWriteAccess(MendixObjectMemberImpl.java:155)
    at com.mendix.basis.objectmanagement.MendixObjectMemberImpl.setValue(MendixObjectMemberImpl.java:233)
    at com.mendix.basis.objectmanagement.MendixObjectImpl.setValue(MendixObjectImpl.java:196)
    at com.mendix.basis.objectmanagement.MendixObjectImpl.setValue(MendixObjectImpl.java:185)
    at com.mendix.basis.session.User.setFailedLogins(User.java:241)
    at com.mendix.basis.session.User.loginSuccessful(User.java:310)
    at com.mendix.basis.session.SessionManagerBase.initializeSession(SessionManagerBase.java:58)
    at com.mendix.basis.component.InternalCoreBase.initializeSession(InternalCoreBase.java:640)
    at com.mendix.basis.component.InternalCoreBase.initializeSession(InternalCoreBase.java:101)
    at com.mendix.core.Core.initializeSession(Core.java:1554)
```
asked
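The action above hands out a session for any username it is given, with no check on who is calling and no record of who acted as whom; its own comment says it is "intended only as an admin function", but nothing enforces that. The following is an added example, not code from the question or from Mendix: a plain-Java policy class that decides whether an impersonation request may proceed and produces an audit line naming both identities. The role name `Administrator`, the method names and the audit format are assumptions; the class deliberately uses no Mendix API so it compiles and runs on its own under Java 11. In a real action the caller's and target's role sets would come from the platform's session and user objects, and the result would gate the call to `Core.initializeSession`.

```java
import java.time.Instant;
import java.util.Set;

/**
 * Added example: authorization guard for an "impersonate by username" action.
 * Not part of the original post; role name and audit format are assumptions.
 */
public final class ImpersonationPolicy {

    /** Role that may impersonate. Assumed name; a real project would use its own admin role. */
    public static final String ADMIN_ROLE = "Administrator";

    /** Outcome of a policy check: allowed, or denied with a human-readable reason. */
    public static final class Decision {
        public final boolean allowed;
        public final String reason;

        private Decision(boolean allowed, String reason) {
            this.allowed = allowed;
            this.reason = reason;
        }

        static Decision allow() { return new Decision(true, "ok"); }
        static Decision deny(String why) { return new Decision(false, why); }
    }

    /**
     * Decide whether callerName (holding callerRoles) may take over the session of
     * targetName (holding targetRoles). Every rule here is one the original action lacked.
     */
    public static Decision check(String callerName, Set<String> callerRoles,
                                 String targetName, Set<String> targetRoles) {
        if (callerName == null || callerName.isBlank() || targetName == null || targetName.isBlank()) {
            return Decision.deny("missing caller or target");
        }
        // Only the admin role may impersonate at all.
        if (callerRoles == null || !callerRoles.contains(ADMIN_ROLE)) {
            return Decision.deny("caller lacks role " + ADMIN_ROLE);
        }
        // Impersonating yourself only obscures who really acted.
        if (callerName.equals(targetName)) {
            return Decision.deny("caller and target are the same account");
        }
        // Taking over another privileged account would turn impersonation into a
        // second admin identity; keep the target set to non-admin users.
        if (targetRoles != null && targetRoles.contains(ADMIN_ROLE)) {
            return Decision.deny("target holds role " + ADMIN_ROLE);
        }
        return Decision.allow();
    }

    /** One audit line that names both identities, so the real actor stays traceable. */
    public static String auditLine(String callerName, String targetName, Decision d) {
        return String.format("%s impersonation caller='%s' target='%s' allowed=%s reason='%s'",
                Instant.now(), callerName, targetName, d.allowed, d.reason);
    }

    public static void main(String[] args) {
        // Constructed sample identities and roles for demonstration only.
        Set<String> adminRoles = Set.of(ADMIN_ROLE, "User");
        Set<String> userRoles = Set.of("User");

        Decision permitted = check("alice", adminRoles, "bob", userRoles);
        Decision noRole = check("carol", userRoles, "bob", userRoles);
        Decision escalation = check("alice", adminRoles, "dave", adminRoles);
        Decision self = check("alice", adminRoles, "alice", adminRoles);

        System.out.println(auditLine("alice", "bob", permitted));
        System.out.println(auditLine("carol", "bob", noRole));
        System.out.println(auditLine("alice", "dave", escalation));
        System.out.println(auditLine("alice", "alice", self));
    }
}
```

The point of separating the decision from the session mechanics is that the guard can be unit-tested without a running platform, and the audit line gives operations a single string to alert on: any `allowed=false` entry, or any `allowed=true` entry outside business hours or from an unexpected caller, is worth a look.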
1 answer

I am hoping that this is the result of an improvement in Mendix.System or in Java 11. An improvement that better protects all our code against session hijacking. This code should never have been allowed to work in the first place.

Upon going from version 7 to 8 Mendix started using Java 11 instead of 8. So very likely your code does still work fine in any Mendix app of version 7.23 or older and fails in any app of version 8.0 or higher.

Another possibility: maybe this is a spinoff of login-attempt-related bug-fix: https://docs.mendix.com/releasenotes/studio-pro/7.23#fixes-4

answered