[jira] [Commented] (BVAL-92) Security holes in org.apache.bval.util.PrivilegedActions

Mon, 28 Mar 2011 00:02:55 -0700 

    [ 
https://issues.apache.org/jira/browse/BVAL-92?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13011932#comment-13011932
 ] 

Mark Struberg commented on BVAL-92:
-----------------------------------

In OpenWebBeans we have implemented such areas as a SPI with 2 implementations: 
ManagedSecurityService (which does doPrivileged) and SimpleSecurityService 
(actually without security).
The reason is that 2 out of 1000 projects do really use the SecurityManager, 
all others don't ;) The performance difference is unbelievable! Under load 
doPrivileged calls will easily create a few million temporary instances per 
second and consuming up to 200MB temp object space which needs to be garbage 
collected.

About the security: Our ManagedSecurityService is only accessible via an 
internal singleton accessor and the constructor asserts (via 
Thread.currentThread().getStackTrace() ) that we really only got created via 
this singleton accessor.

Btw: we should simply not export those classes in our OSGi bundle descriptor.

> Security holes in org.apache.bval.util.PrivilegedActions
> --------------------------------------------------------
>
>                 Key: BVAL-92
>                 URL: https://issues.apache.org/jira/browse/BVAL-92
>             Project: BeanValidation
>          Issue Type: Bug
>    Affects Versions: 0.2-incubating, 0.3-incubating, 0.4-incubating
>            Reporter: Jörg Waßmer
>            Priority: Critical
>         Attachments: apache-bval-20110327092101-jw.diff, 
> apache-bval-20110327231539-jw.diff
>
>
> PrivilegedActions is public. It offers several method, e.g. getClassLoader() 
> which are executed surrounded by privileged actions. Thus any caller can get 
> e.g. a classloader, even if the caller has not the required permissions.
> PrivilegedActions should offer only factory methods creating the privileged 
> actions. Then the callers should call AccessController.doPrivileged() for 
> themselves, such that the actions will be executed in the caller's security 
> domain, instead of the domain of the BeanValidation API.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to