[
https://issues.apache.org/jira/browse/DERBY-6617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14060602#comment-14060602
]
Rick Hillegas commented on DERBY-6617:
--------------------------------------
The fix to MissingPermissionsTest seems to have cleaned up the errors we were
seeing in the upgrade tests. However, we're still seeing an error in
MissingPermissionsTest on JDK 6. An assertion is being raised because the test
is looking for specific verbiage in an error and that verbiage seems to have
changed between JDK 6 and JDK 7:
{noformat}
There were 2 failures:
1) testMissingFilePermission(org.apache.derbyTesting.unitTests.junit.MissingPermissionsTest)junit.framework.AssertionFailedError
at org.apache.derbyTesting.unitTests.junit.MissingPermissionsTest.testMissingFilePermission(MissingPermissionsTest.java:238)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at org.apache.derbyTesting.junit.BaseTestCase.runBare(BaseTestCase.java:118)
at org.apache.derbyTesting.junit.BaseJDBCTestCase.runBareOverridable(BaseJDBCTestCase.java:440)
at org.apache.derbyTesting.junit.BaseJDBCTestCase.runBare(BaseJDBCTestCase.java:457)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
at junit.extensions.TestSetup.run(TestSetup.java:25)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
at junit.extensions.TestSetup.run(TestSetup.java:25)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
at junit.extensions.TestSetup.run(TestSetup.java:25)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
at junit.extensions.TestSetup.run(TestSetup.java:25)
at org.apache.derbyTesting.junit.BaseTestSetup.run(BaseTestSetup.java:57)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
at junit.extensions.TestSetup.run(TestSetup.java:25)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
at junit.extensions.TestSetup.run(TestSetup.java:25)
2) testMissingPropertiesPermission(org.apache.derbyTesting.unitTests.junit.MissingPermissionsTest)junit.framework.AssertionFailedError
at org.apache.derbyTesting.unitTests.junit.MissingPermissionsTest.verifyMessagesInDerbyLog(MissingPermissionsTest.java:282)
at org.apache.derbyTesting.unitTests.junit.MissingPermissionsTest.testMissingPropertiesPermission(MissingPermissionsTest.java:177)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at org.apache.derbyTesting.junit.BaseTestCase.runBare(BaseTestCase.java:118)
at org.apache.derbyTesting.junit.BaseJDBCTestCase.runBareOverridable(BaseJDBCTestCase.java:440)
at org.apache.derbyTesting.junit.BaseJDBCTestCase.runBare(BaseJDBCTestCase.java:457)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
at junit.extensions.TestSetup.run(TestSetup.java:25)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
at junit.extensions.TestSetup.run(TestSetup.java:25)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
at junit.extensions.TestSetup.run(TestSetup.java:25)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
at junit.extensions.TestSetup.run(TestSetup.java:25)
at org.apache.derbyTesting.junit.BaseTestSetup.run(BaseTestSetup.java:57)
at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
at junit.extensions.TestSetup.run(TestSetup.java:25)
FAILURES!!!
Tests run: 3, Failures: 2, Errors: 0
{noformat}
> Silently swallowed SecurityExceptions may disable Derby features, including
> security features.
> ----------------------------------------------------------------------------------------------
>
> Key: DERBY-6617
> URL: https://issues.apache.org/jira/browse/DERBY-6617
> Project: Derby
> Issue Type: Bug
> Components: Services
> Affects Versions: 10.11.0.0
> Reporter: Rick Hillegas
> Assignee: Dag H. Wanvik
> Attachments: derby-6617-1.diff, derby-6617-2.diff,
> derby-6617-2.status, derby-6617-3.diff, derby-6617-3.status,
> derby-6617-junit.diff, fix-test.diff
>
>
> When the Monitor tries to read Derby properties, it silently swallows
> SecurityExceptions. This means that the properties will be silently ignored
> if Derby has not been granted sufficient privileges. This means that if you
> make a mistake crafting your security policy, then you may disable
> authentication and authorization. You may not realize this until you have
> incurred a security breach. This swallowing occurs at the following code
> locations:
> {noformat}
> org.apache.derby.impl.services.monitor.BaseMonitor readApplicationProperties Catch java.lang.SecurityException 1 line 1360
> org.apache.derby.impl.services.monitor.BaseMonitor runWithState Catch java.lang.SecurityException 0 line 280
> org.apache.derby.impl.services.monitor.FileMonitor PBgetJVMProperty Catch java.lang.SecurityException 1 line 183
> org.apache.derby.impl.services.monitor.FileMonitor PBinitialize Catch java.lang.SecurityException 1 line 120
> {noformat}
> SecurityExceptions are swallowed at other locations in the Monitor. The
> implications of these swallowings should be understood and, at a minimum,
> security problems should be fixed:
> {noformat}
> org.apache.derby.impl.services.monitor.FileMonitor PBinitialize Catch java.lang.SecurityException 1 line 157
> org.apache.derby.impl.services.monitor.FileMonitor createDaemonGroup Catch java.lang.SecurityException 1 line 89
> {noformat}
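The fail-open pattern described in the issue, next to a fail-closed alternative, as an added example that is not Derby's code and not part of the original message. Only the property name derby.connection.requireAuthentication is Derby's; the class, the method names, the constructed denied read and the choice to abort startup are assumptions made for illustration.

```java
import java.util.function.Function;

public class SwallowedSecurityExceptionDemo {
    // Real Derby property name; every other name in this class is hypothetical.
    static final String REQUIRE_AUTH = "derby.connection.requireAuthentication";

    // Constructed stand-in for a property read that the security policy denies.
    static String deniedRead(String key) {
        throw new SecurityException("constructed denial: no permission to read " + key);
    }

    // Fail-open: the exception is swallowed, the property looks unset,
    // and the default (authentication not required) silently applies.
    static boolean requireAuthSwallowing(Function<String, String> source) {
        String value = null;
        try {
            value = source.apply(REQUIRE_AUTH);
        } catch (SecurityException se) {
            // silently ignored: this is the pattern the issue reports
        }
        return Boolean.parseBoolean(value); // parseBoolean(null) is false
    }

    // Fail-closed (assumed handling): a denied read of a security-relevant
    // property stops startup with an error naming the property.
    static boolean requireAuthStrict(Function<String, String> source) {
        try {
            return Boolean.parseBoolean(source.apply(REQUIRE_AUTH));
        } catch (SecurityException se) {
            throw new IllegalStateException(
                    "Cannot read " + REQUIRE_AUTH + "; refusing to start with defaults", se);
        }
    }

    public static void main(String[] args) {
        Function<String, String> denied = SwallowedSecurityExceptionDemo::deniedRead;
        System.out.println("swallowing reader -> authentication required: "
                + requireAuthSwallowing(denied));
        try {
            requireAuthStrict(denied);
        } catch (IllegalStateException e) {
            System.out.println("strict reader -> " + e.getMessage());
        }
    }
}
```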