[
https://issues.apache.org/jira/browse/DERBY-6617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14053837#comment-14053837
]
Dag H. Wanvik edited comment on DERBY-6617 at 7/9/14 8:27 PM:
--------------------------------------------------------------
- The occurrence in PBInitialize line 157 is ok, I think, since the method
returns a false in that case which will fail the call to
FileMonitor#initialize, which again make BaseMonitor#runWithState return early
(line 248), aborting the boot. The "false" return is ignored in FileMonitor(),
but that is only used for Monitor#getMonitorLite.
[{color:blue} Update: it would still be hard to understand why the failure
occurred though.{color}]
[{color:green} Update: Derby fails to boot and throws a NullPointerException
iff PBInitialize returns false.{color}]
was (Author: dagw):
- The occurrence in PBInitialize line 157 is ok, I think, since the method
returns a false in that case which will fail the call to
FileMonitor#initialize, which again make BaseMonitor#runWithState return early
(line 248), aborting the boot. The "false" return is ignored in FileMonitor(),
but that is only used for Monitor#getMonitorLite.
[{color:blue} Update: it would still be hard to understand why the failure
occurred though.{color}]
> Silently swallowed SecurityExceptions may disable Derby features, including
> security features.
> ----------------------------------------------------------------------------------------------
>
> Key: DERBY-6617
> URL: https://issues.apache.org/jira/browse/DERBY-6617
> Project: Derby
> Issue Type: Bug
> Components: Services
> Affects Versions: 10.11.0.0
> Reporter: Rick Hillegas
> Attachments: derby-6617-1.diff, derby-6617-junit.diff
>
>
> When the Monitor tries to read Derby properties, it silently swallows
> SecurityExceptions. This means that the properties will be silently ignored
> if Derby has not been granted sufficient privileges. This means that if you
> make a mistake crafting your security policy, then you may disable
> authentication and authorization. You may not realize this until you have
> incurred a security breach. This swallowing occurs at the following code
> locations:
> {noformat}
> org.apache.derby.impl.services.monitor.BaseMonitor readApplicationProperties
> Catch java.lang.SecurityException 1 line 1360
> org.apache.derby.impl.services.monitor.BaseMonitor runWithState Catch
> java.lang.SecurityException 0 line 280
> org.apache.derby.impl.services.monitor.FileMonitor PBgetJVMProperty Catch
> java.lang.SecurityException 1 line 183
> org.apache.derby.impl.services.monitor.FileMonitor PBinitialize Catch
> java.lang.SecurityException 1 line 120
> {noformat}
> SecurityExceptions are swallowed at other locations in the Monitor. The
> implications of these swallowings should be understood and, at a minimum,
> security problems should be fixed:
> {noformat}
> org.apache.derby.impl.services.monitor.FileMonitor PBinitialize Catch
> java.lang.SecurityException 1 line 157
> org.apache.derby.impl.services.monitor.FileMonitor createDaemonGroup Catch
> java.lang.SecurityException 1 line 89
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
