Author: struberg
Date: Tue Mar 22 10:08:34 2011
New Revision: 1084121

URL: http://svn.apache.org/viewvc?rev=1084121&view=rev
Log:
OWB-545 better security for ManagedSecurityService 

Modified:
    
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/ManagedSecurityService.java

Modified: 
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/ManagedSecurityService.java
URL: 
http://svn.apache.org/viewvc/openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/ManagedSecurityService.java?rev=1084121&r1=1084120&r2=1084121&view=diff
==============================================================================
--- 
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/ManagedSecurityService.java
 (original)
+++ 
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/ManagedSecurityService.java
 Tue Mar 22 10:08:34 2011
@@ -35,7 +35,11 @@ import java.util.Properties;
 
 /**
  * This version of the {@link SecurityService} uses the 
java.lang.SecurityManager
- * to check low level access to the underlying functions via a doPriviliged 
block.
+ * to check low level access to the underlying functions via doPriviliged 
blocks.
+ *
+ * The most secure way is to just copy the source over to your own class and 
configure
+ * it in openwebbeans.properties. This way you can add whatever security 
features
+ * you like to use.
  */
 public class ManagedSecurityService implements SecurityService
 {
@@ -57,11 +61,33 @@ public class ManagedSecurityService impl
     {
         // we need to make sure that only WebBeansContext gets used to create 
us!
         StackTraceElement[] stackTrace = 
Thread.currentThread().getStackTrace();
-        String declaringClass = stackTrace[6].getClassName();
-        if (!declaringClass.equals(WebBeansContext.class.getName()))
+
+        // in the Sun Java VM-1.6 the parent ct is alwasys entry [6]
+        // but we cannot rely on that because it might differ for
+        // other VMs.
+        boolean isCalledFromWebBeansContext = false;
+        for (int i = 3; i < 20; i++)
+        {
+            String declaringClass = stackTrace[i].getClassName();
+            String methodName = stackTrace[i].getMethodName();
+            if (declaringClass.equals(WebBeansContext.class.getName()) &&
+                methodName.equals("<init>"))
+            {
+                isCalledFromWebBeansContext = true;
+                break;
+            }
+        }
+        if (!isCalledFromWebBeansContext)
         {
             throw new SecurityException("ManagedSecurityService must directly 
get created by WebBeansContext!");
         }
+
+        // we also need to make sure that this very class didn't get subclassed
+        // to prevent man in the middle attacks
+        if (this.getClass() != ManagedSecurityService.class)
+        {
+            throw new SecurityException("ManagedSecurityService must not get 
subclassed!");
+        }
     }
 
     @Override
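Review bot: The frame scan in the constructor body reads `stackTrace[i]` for i up to 19 without checking `stackTrace.length`, so a call stack shallower than 20 frames (which the comment itself admits can vary between VMs) fails with an ArrayIndexOutOfBoundsException instead of the intended SecurityException; bound the loop as `for (int i = 3; i < Math.min(20, stackTrace.length); i++)`. Because the loop accepts a `WebBeansContext.<init>` frame anywhere in that window, the check also passes for any code invoked directly or transitively from the WebBeansContext constructor, which is looser than the "must directly get created by WebBeansContext!" message states; the comment above the loop should say so, e.g. `// accepts any caller running under the WebBeansContext constructor, not only a direct call`. The added `getClass()` check is a reasonable guard, and declaring the class `final` (the declaration sits in the previous hunk) would have the compiler enforce the same rule. Minor: `alwasys` in the added comment should be `always`. The constructor's signature is above the hunk.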

