[
https://issues.apache.org/jira/browse/DERBY-6630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14038844#comment-14038844
]
Rick Hillegas commented on DERBY-6630:
--------------------------------------
The following code in this file should be protected from execution by the
application:
{noformat}
org.apache.derby.impl.services.jce.JCECipherFactory init
java.security.AccessController.doPrivileged line 552
org.apache.derby.impl.services.jce.JCECipherFactory privAccessFile
java.security.AccessController.doPrivileged line 1040
org.apache.derby.impl.services.jce.JCECipherFactory privAccessGetInputStream
java.security.AccessController.doPrivileged line 1063
org.apache.derby.impl.services.jce.JCECipherFactory run
java.lang.Class.newInstance line 861
{noformat}
> Applications can use JCECipherFactory to elevate their privileges to those
> granted to Derby
> -------------------------------------------------------------------------------------------
>
> Key: DERBY-6630
> URL: https://issues.apache.org/jira/browse/DERBY-6630
> Project: Derby
> Issue Type: Bug
> Components: Services
> Affects Versions: 10.11.0.0
> Reporter: Rick Hillegas
>
> JCECipherFactory.run() performs security-sensitive operations. It is executed
> in a privilege block by the init() method, which is, in turn, executed by the
> public constructor. The class and its corresponding factory are public, which
> means that any code running in the same JVM can run this security-sensitive
> code with the privileges granted to Derby.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
