[jira] Commented: (HADOOP-5740) Hadoop JSP pages don't work under a security manager

Tue, 28 Apr 2009 08:57:54 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-5740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12703691#action_12703691
 ] 

Shevek commented on HADOOP-5740:
--------------------------------

bq. Is it ok to return a new empty permission collection on the 
getPermissions(CodeSource) call? It won't impact hadoop's own code.

In general, this will cause a SecurityManager to fail any permissions check 
involving code in a ProtectionDomain which was instantiated over that 
CodeSource. A CodeSource is (approximately) a URI, and a ProtectionDomain is 
effectively a Set of classes loaded from that URI with a common set of 
permissions.

Forgive my lack of deep understanding of this specific instance of the 
application of the security manager, but in general, if ANY frame on the stack 
(AccessControlContext being a list of ProtectionDomains) has a 
PermssionCollection which does not contain the required permission, then the 
security check will fail. You might better relay or delegate the call and make 
a writable copy of the returned value from the underlying policy, otherwise you 
will break a great number of things very badly for anybody who does require a 
SecurityManager.

With a little more understanding of the instance, I could be much more helpful. 
I am sorry that time forbids random speculative interest, but if you are stuck, 
I will gladly look further into it.

> Hadoop JSP pages don't work under a security manager
> ----------------------------------------------------
>
>                 Key: HADOOP-5740
>                 URL: https://issues.apache.org/jira/browse/HADOOP-5740
>             Project: Hadoop Core
>          Issue Type: Bug
>          Components: fs, mapred
>    Affects Versions: 0.21.0
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>            Priority: Minor
>         Attachments: hadoop-5740.patch
>
>
> When you run Hadoop under a security manager that says "yes" to all security 
> checks, you get stack traces when Jetty tries to initialise the JSP engine. 
> Which implies you can't use Jasper under a security manager

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to