[
https://issues.apache.org/jira/browse/DERBY-3476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Knut Anders Hatlen updated DERBY-3476:
--------------------------------------
Attachment: d3476-2a-database-permission.diff
[^d3476-2a-database-permission.diff] improves the serialization logic of the
DatabasePermission class. It changes the stored format of DatabasePermission.
This doesn't cause any compatibility issues, though, since the code paths that
use DatabasePermission haven't been enabled yet.

The patch makes the following changes:
- The pathType field is made transient. It is recomputed on deserialization
(also with the existing logic), so storing it is redundant.
- The url field is removed from the class. This field holds exactly the same
string as the name field of the parent class (Permission), so it's redundant.
Also, the existing deserialization logic only checks the validity of the url
field. The name field is not checked. So it is possible that a
DatabasePermission object is inconsistent (has an invalid name) if it's read
from a corrupted stream.
- The Permission.name field is validated on deserialization.
- A new field "actions" is added, which holds the value received in the actions
parameter of the constructor. This isn't strictly necessary currently, since
the constructor only accepts actions="create", so we always know its value.
Adding the field allows us to accept more values later without changing the
stored format, so it might avoid compatibility issues in the future. The new
field is validated on deserialization the same way as on construction.
- The logic to parse the actions string is refactored so that SystemPermission
and DatabasePermission can share the code.

I noticed that the handling of the actions string isn't exactly the same in
SystemPermission and DatabasePermission. SystemPermission ignores empty and
invalid actions, whereas DatabasePermission raises an IllegalArgumentException
if the constructor gets an empty actions string or one that contains an invalid
action. The patch preserves this difference in the deserialization logic.

All regression tests ran cleanly with the patch.

> Permissions and Principal objects added by this feature need to be final and
> have serialization identifiers
> -----------------------------------------------------------------------------------------------------------
>
> Key: DERBY-3476
> URL: https://issues.apache.org/jira/browse/DERBY-3476
> Project: Derby
> Issue Type: Sub-task
> Components: Services
> Reporter: Daniel John Debrunner
> Attachments: d3476-1a-system-permission.diff,
> d3476-2a-database-permission.diff
>
>
> Need serialization id to ensure the class is portable across releases.
> Need final to provide security.
> (assumes patch10 is committed from DERBY-2109)
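The deserialization checks listed in the message above, sketched as an added example; this is not the attached patch or Derby's code. The class name, the "directory:" name rule and the pathType values are assumptions made for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.Permission;

// Hypothetical class for illustration; not Derby's DatabasePermission.
public final class DemoDatabasePermission extends Permission {
    private static final long serialVersionUID = 1L; // pins the stored format across releases
    private String actions;          // stored, re-validated on read
    private transient int pathType;  // derived from the name, never stored

    public DemoDatabasePermission(String name, String actions) {
        super(name);
        init(name, actions);
    }
    // One routine for construction and deserialization; the rules below are constructed.
    private void init(String name, String actions) {
        if (name == null || !name.startsWith("directory:"))
            throw new IllegalArgumentException("invalid name: " + name);
        if (!"create".equals(actions))
            throw new IllegalArgumentException("invalid actions: " + actions);
        this.actions = actions;
        this.pathType = name.endsWith("/-") ? 2 : name.endsWith("/*") ? 1 : 0;
    }
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        try { init(getName(), actions); } // also checks the inherited Permission.name
        catch (IllegalArgumentException e) { throw new InvalidObjectException(e.getMessage()); }
    }
    @Override public String getActions() { return actions; }
    @Override public boolean implies(Permission p) { return equals(p); }
    @Override public boolean equals(Object o) {
        return o instanceof DemoDatabasePermission && getName().equals(((Permission) o).getName());
    }
    @Override public int hashCode() { return getName().hashCode(); }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new DemoDatabasePermission("directory:/tmp/db", "create"));
        }
        // Constructed corruption: swap the stored action for a string of equal length.
        byte[] bad = new String(buf.toByteArray(), StandardCharsets.ISO_8859_1)
            .replace("create", "delete").getBytes(StandardCharsets.ISO_8859_1);
        for (byte[] stream : new byte[][] { buf.toByteArray(), bad }) {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
                System.out.println("accepted: " + in.readObject());
            } catch (InvalidObjectException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Running main reads the intact stream back successfully and rejects the altered one with an InvalidObjectException, since readObject applies the same checks as the constructor.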