[
https://issues.apache.org/jira/browse/DERBY-6617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Knut Anders Hatlen updated DERBY-6617:
--------------------------------------
Attachment: fix-test.diff
With the attached [^fix-test.diff] patch, I'm able to run
MissingPermissionsTest in my environment. The patch makes these changes:
- Remove the logic for locating derby.jar from the classpath.
SecurityManagerSetup already has code for this and sets various system
properties with paths for the jar files. Pass on these system properties to the
forked JVM instead.
- Add more permissions to the specialized policy files (copied from
derby_tests.policy) so that the test is able to run from Ant.
- Remove extra "=" sign in the java.security.policy property that's passed to
the forked JVM.
- Remove redundant setting of classpath when forking JVM (execJavaCmd() already
sets the classpath).
> Silently swallowed SecurityExceptions may disable Derby features, including
> security features.
> ----------------------------------------------------------------------------------------------
>
> Key: DERBY-6617
> URL: https://issues.apache.org/jira/browse/DERBY-6617
> Project: Derby
> Issue Type: Bug
> Components: Services
> Affects Versions: 10.11.0.0
> Reporter: Rick Hillegas
> Assignee: Dag H. Wanvik
> Attachments: derby-6617-1.diff, derby-6617-2.diff,
> derby-6617-2.status, derby-6617-3.diff, derby-6617-3.status,
> derby-6617-junit.diff, fix-test.diff
>
>
> When the Monitor tries to read Derby properties, it silently swallows
> SecurityExceptions. This means that the properties will be silently ignored
> if Derby has not been granted sufficient privileges. This means that if you
> make a mistake crafting your security policy, then you may disable
> authentication and authorization. You may not realize this until you have
> incurred a security breach. This swallowing occurs at the following code
> locations:
> {noformat}
> org.apache.derby.impl.services.monitor.BaseMonitor readApplicationProperties
> Catch java.lang.SecurityException 1 line 1360
> org.apache.derby.impl.services.monitor.BaseMonitor runWithState Catch
> java.lang.SecurityException 0 line 280
> org.apache.derby.impl.services.monitor.FileMonitor PBgetJVMProperty Catch
> java.lang.SecurityException 1 line 183
> org.apache.derby.impl.services.monitor.FileMonitor PBinitialize Catch
> java.lang.SecurityException 1 line 120
> {noformat}
> SecurityExceptions are swallowed at other locations in the Monitor. The
> implications of these swallowings should be understood and, at a minimum,
> security problems should be fixed:
> {noformat}
> org.apache.derby.impl.services.monitor.FileMonitor PBinitialize Catch
> java.lang.SecurityException 1 line 157
> org.apache.derby.impl.services.monitor.FileMonitor createDaemonGroup Catch
> java.lang.SecurityException 1 line 89
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
