Guest, posted January 28, 2011

Yeah, the below worked for me; it was a sub select that caused the problem. However, I think having this switched off will help, as I need stored procedures for storing certain information, based on specific reports.

webapps/jasperserver/WEB-INF/classes/esapi/security-config.properties
security.validation.sql.on=false

kcd (author), posted January 18, 2012

Hey

I think I can interpret the problem but not sure where to start for a solution.

The problem is for all reports, having upgraded from 4.2.1 to 4.5.0. The UI says "An error has occurred. Please contact your system administrator. (6632)" and the stack trace is below.

Key cause appears to be:

Caused by: org.owasp.esapi.errors.ValidationException: SQL_Query_Executor_context: Invalid input. Please conform to regex ^\s*((?i)select)\s+[^;]+$ with a maximum length of 50000

Because all my queries are in the form

CALL Up_Reporting_GetSomethingUseful($P{StartDate}, $P{EndDate});

So I think I need to disable org.owasp.esapi query validation but I cannot find any documentation about this sort of configuration. Where do I start?

Code:
2012-01-18 15:50:03,354 ERROR ManagementServiceImpl,http-9123-3:1259 - caught Throwable exception: An error has occurred. Please contact your system administrator. (6632)
com.jaspersoft.jasperserver.api.JSSecurityException: An error has occurred. Please contact your system administrator. (6632)
    at com.jaspersoft.jasperserver.api.security.validators.ValidatorImpl.validateSQL(ValidatorImpl.java:394)
    at com.jaspersoft.jasperserver.api.engine.jasperreports.util.JRTimezoneJdbcQueryExecuter.createDatasource(JRTimezoneJdbcQueryExecuter.java:166)
    at net.sf.jasperreports.engine.fill.JRFillDataset.createQueryDatasource(JRFillDataset.java:731)
    at net.sf.jasperreports.engine.fill.JRFillDataset.initDatasource(JRFillDataset.java:629)
    at net.sf.jasperreports.engine.fill.JRBaseFiller.setParameters(JRBaseFiller.java:1159)
    at net.sf.jasperreports.engine.fill.JRBaseFiller.fill(JRBaseFiller.java:802)
    at net.sf.jasperreports.engine.fill.JRFiller.fillReport(JRFiller.java:118)
    at net.sf.jasperreports.engine.JasperFillManager.fillReport(JasperFillManager.java:435)
    at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServiceImpl.fillReport(EngineServiceImpl.java:773)
    at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServiceImpl.fillReport(EngineServiceImpl.java:731)
    at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServiceImpl.fillReport(EngineServiceImpl.java:389)
    at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServiceImpl.executeReport(EngineServiceImpl.java:890)
    at com.jaspersoft.jasperserver.api.engine.jasperreports.domain.impl.ReportUnitRequest.execute(ReportUnitRequest.java:57)
    at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServiceImpl.execute(EngineServiceImpl.java:320)
    at com.jaspersoft.jasperserver.ws.axis2.ManagementServiceImpl.runReport(ManagementServiceImpl.java:1167)
    at com.jaspersoft.jasperserver.ws.axis2.ManagementService.runReport(ManagementService.java:240)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:397)
    at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:186)
    at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
    at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
    at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:399)
    at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
    at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:411)
    at org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:411)
    at org.springframework.security.providers.anonymous.AnonymousProcessingFilter.doFilterHttp(AnonymousProcessingFilter.java:105)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:411)
    at com.jaspersoft.jasperserver.api.metadata.user.service.impl.MetadataAuthenticationProcessingFilter.doFilter(MetadataAuthenticationProcessingFilter.java:139)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:411)
    at com.jaspersoft.jasperserver.api.metadata.user.service.impl.PasswordExpirationProcessingFilter.doFilter(PasswordExpirationProcessingFilter.java:85)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:411)
    at org.springframework.security.ui.basicauth.BasicProcessingFilter.doFilterHttp(BasicProcessingFilter.java:174)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:411)
    at com.jaspersoft.jasperserver.api.metadata.user.service.impl.JIPortletAuthenticationProcessingFilter.doFilter(JIPortletAuthenticationProcessingFilter.java:81)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:411)
    at com.jaspersoft.jasperserver.api.logging.filter.BasicLoggingFilter.doFilter(BasicLoggingFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:411)
    at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:411)
    at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:188)
    at org.springframework.security.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:99)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.jaspersoft.jasperserver.war.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:67)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
    at java.lang.Thread.run(Thread.java:636)
Caused by: org.owasp.esapi.errors.ValidationException: SQL_Query_Executor_context: Invalid input. Please conform to regex ^\s*((?i)select)\s+[^;]+$ with a maximum length of 50000
    at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:144)
    at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:160)
    at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:284)
    at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:213)
    at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:185)
    at com.jaspersoft.jasperserver.api.security.validators.ValidatorImpl.validateSQL(ValidatorImpl.java:388)
    ... 77 more
com.jaspersoft.jasperserver.api.JSSecurityException: An error has occurred. Please contact your system administrator. (6632)

glen_l, posted January 30, 2012

Have you managed to solve this? I'm having the same issue. I'm trying to use a long query using a "with clause" defining 2 tables. iReports produces the report without issue, but when I publish it the server errors with the same regex parsing problem. There's nothing wrong with the query and I don't really need Jasper to compare it to a regular expression for me. What can we do?

kcd (author), posted January 30, 2012

Instead of sifting through the source code I have opted to run with the previous version. It is a shame because we really want to deploy jasperreport server on MySQL 5.5, which is what we use for our production databases.

I opened a bug ticket. See http://jasperforge.org/projects/jasperreports/tracker/view.php?id=5616

jholden699, posted February 9, 2012

We experienced this issue too. Our DB that we query against is SQL Server, and the workaround was simple (but should not be needed). We changed our stored procedure into a table-based function and can now do:

select * from <function>(<param1>,<param2>)

Hope this helps you too.

kcd (author), posted February 14, 2012, marked as solution

Solution found - there are security configuration options to amend or disable the validation.

1 - The following regex fix should work for most cases.

webapps/jasperserver/WEB-INF/classes/esapi/security-config.properties/validation.properties
Validator.ValidSQL=^\s*(?i)(with\s+.*)?(select|call|exec(ute)?)\s+[^;]+$

2 - Alternatively turn it off

webapps/jasperserver/WEB-INF/classes/esapi/security-config.properties
security.validation.sql.on=false

Post edited by kcd at 02/14/2012 23:00 and 23:01

ruudheemskerk, posted March 29, 2012

Great!

nikil_sasi, posted March 30, 2012

I am having 3 tables in a day, like 90 tables in a month. The table structure is the same for all tables; only the table name will change day by day, like 30MAR12_A, 30MAR12_B, 30MAR12_C, 31MAR12_A ...

Suppose I have to take data for a day, then I will be fetching the 3 tables of that day. Is it possible to integrate my table structure with iReport? How can I use iReport for my reporting purpose? Suppose I am taking 1 month of data, then I have to fetch all these 90 tables. Is there any better way to fetch this much data from the tables? It is not possible to change the database structure, so how?

Could anyone help me?

cpaterson, posted May 1, 2013

This worked for me, but I also had to turn off the input validation as well:

security.validation.input.on=false

I'm not sure if these changes are recommended, but it got my reports working.

gillett.bob, posted May 10, 2013

Hi

I tried the regexp entered above but it did not work with SQL starting with a 'with' statement. In the end I modified the regexp supplied by JS to:

Validator.ValidSQL=(?is)^\s*(select|with)\s+[^;]+;?\s*$

which seems to work fine with the SQL security validation on.

Now I am not a regexp wizard, so if this is bad someone please tell me!

Bob

kkriplani, posted January 29, 2016

Implementing the 2nd solution worked like a charm. Thanks.

KKriplani
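
Added example, not part of any post in this thread and not Jaspersoft or ESAPI code: a small Java program that runs the three Validator.ValidSQL patterns quoted above against a handful of queries with java.util.regex, the regex dialect the `(?i)` and `(?is)` inline flags belong to. It assumes the rule has to match the entire query text, reads kcd's pattern with the `\s` escapes that the forum rendering appears to have dropped, and uses constructed sample queries apart from the CALL.

```java
import java.util.regex.Pattern;

// Compares the three Validator.ValidSQL patterns quoted in the thread.
public class ValidSqlRuleCheck {
    // Limit quoted in the ValidationException message.
    static final int MAX_LENGTH = 50000;

    // Assumption: the rule must match the whole query text (Matcher.matches()).
    static boolean accepts(String regex, String sql) {
        return sql.length() <= MAX_LENGTH
                && Pattern.compile(regex).matcher(sql).matches();
    }

    public static void main(String[] args) {
        // Each backslash is doubled because these are Java string literals.
        String[][] rules = {
            {"error-message", "^\\s*((?i)select)\\s+[^;]+$"},
            {"kcd",           "^\\s*(?i)(with\\s+.*)?(select|call|exec(ute)?)\\s+[^;]+$"},
            {"gillett.bob",   "(?is)^\\s*(select|with)\\s+[^;]+;?\\s*$"},
        };
        // Constructed sample queries; only the CALL comes from the thread
        // (with its trailing semicolon dropped).
        String[][] queries = {
            {"plain select",      "SELECT id FROM orders WHERE created >= $P{StartDate}"},
            {"stored procedure",  "CALL Up_Reporting_GetSomethingUseful($P{StartDate}, $P{EndDate})"},
            // '.' does not cross a line break unless (?s) is set, which matters
            // for a 'with' clause written over several lines.
            {"multi-line with",   "WITH recent AS (\n  SELECT id FROM orders\n)\nSELECT id FROM recent"},
            // A terminating ';' is only tolerated by a rule that allows ';?' at the end.
            {"trailing ';'",      "SELECT id FROM orders;"},
            // A second statement after ';' is what [^;]+ is there to stop.
            {"stacked statement", "SELECT id FROM orders; DELETE FROM orders"},
        };
        for (String[] q : queries) {
            StringBuilder row = new StringBuilder(String.format("%-18s", q[0]));
            for (String[] r : rules) {
                String verdict = accepts(r[1], q[1]) ? "pass" : "reject";
                row.append(String.format("  %s=%-6s", r[0], verdict));
            }
            System.out.println(row);
        }
    }
}
```

When a pattern is copied into a .properties file that is read through java.util.Properties, each backslash has to be doubled there as well (`\\s`), because a single backslash in front of `s` is silently dropped on load.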