[
https://issues.apache.org/jira/browse/DERBY-6598?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14017142#comment-14017142
]
Kim Haase commented on DERBY-6598:
----------------------------------
Actually, is the security policy even relevant here? We're talking about
fine-grained user authorization (GRANT statement). Should jar file access also
be an issue or is that not relevant when the jar files are stored in the
database?
> Document permissions recommendations for JAR procedures
> -------------------------------------------------------
>
> Key: DERBY-6598
> URL: https://issues.apache.org/jira/browse/DERBY-6598
> Project: Derby
> Issue Type: Bug
> Components: Documentation
> Affects Versions: 10.11.0.0
> Reporter: Kim Haase
> Assignee: Kim Haase
>
> It's been recommended that we should make the documentation of the
> SQLJ.INSTALL_JAR procedure (and SQLJ.REPLACE_JAR) state more explicitly that
> the privilege should only be granted to trusted users. For example:
> "Since this procedure can be used to install arbitrary code that runs in the
> same Java Virtual Machine as the Derby database engine, the execution
> privilege should only be granted to trusted users."
> This needs to go into the Reference Manual topics on these procedures as well
> as other locations where they are discussed.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
