Knut Anders Hatlen created DERBY-6626:
-----------------------------------------
Summary: Check type of user-supplied modules before creating
instances
Key: DERBY-6626
URL: https://issues.apache.org/jira/browse/DERBY-6626
Project: Derby
Issue Type: Improvement
Components: Miscellaneous
Affects Versions: 10.11.0.0
Reporter: Knut Anders Hatlen
Derby allows users to specify names of classes to use for various pluggable
modules.
In some cases, it verifies that the class implements the expected interface
before it creates an instance of the class. For example in
SpecificAuthenticactionServiceImpl:
{code}
Class sasClass =
Class.forName(specificAuthenticationScheme);
if
(!UserAuthenticator.class.isAssignableFrom(sasClass)) {
throw
StandardException.newException(SQLState.AUTHENTICATION_NOT_IMPLEMENTED,
specificAuthenticationScheme,
"org.apache.derby.authentication.UserAuthenticator");
}
UserAuthenticator aScheme = (UserAuthenticator)
sasClass.newInstance();
{code}
In other cases, it creates an instance without checking, and instead fails with
a ClassCastException or some other exception when trying to use the instance of
the incorrect type. Examples: Java5SystemProcedures SYSCS_REGISTER_TOOL(),
JCECipherFactory, SequenceUpdater.makePreallocator().
I think it would be good to have similar checks in these other cases too.
That'll give clearer error messages which explain what the problem is, and it
will be safer because it limits which constructors the users can force the
Derby engine to invoke.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
