[ https://issues.apache.org/jira/browse/DERBY-6717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14112168#comment-14112168 ]

Knut Anders Hatlen commented on DERBY-6717:
-------------------------------------------

SystemPermission extends BasicPermission, which by default ignores the action 
string. In particular, SystemPermission does not override 
BasicPermission.newPermissionCollection(). BasicPermission's implementation of 
newPermissionCollection() only considers the name of the permission.

In our example, where the policy contains

permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
permission org.apache.derby.security.SystemPermission "engine", "monitor";

both permission objects have the same name ("engine"), so the collection 
instance returned by BasicPermission.newPermissionCollection() will consider 
them the same, and it will only keep one of them.

I believe SystemPermission should override newPermissionCollection(). It should 
either return a custom PermissionCollection instance with logic specific to 
SystemPermissions, or null if no custom logic is needed. Probably null would do 
for now. (Custom logic could for example be wildcard handling.)

> Policies with multiple SystemPermissions are not handled well
> -------------------------------------------------------------
>
>                 Key: DERBY-6717
>                 URL: https://issues.apache.org/jira/browse/DERBY-6717
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 10.11.1.1
>            Reporter: Knut Anders Hatlen
>
> Rick noted in DERBY-6648 that if you wanted to grant both 
> SystemPermission("engine", "monitor") and SystemPermission("engine", 
> "usederbyinternals") to a code base, the following would work:
> permission org.apache.derby.security.SystemPermission "engine", "monitor,usederbyinternals";
> However, the following does not work:
> permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
> permission org.apache.derby.security.SystemPermission "engine", "monitor";



--
This message was sent by Atlassian JIRA
(v6.2#6252)
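
An added illustration of the behaviour described in the comment above, not code from Derby or from this thread: ActionPermission is a hypothetical stand-in for an action-aware BasicPermission subclass, checked once with the inherited newPermissionCollection() and once with an override that returns null. It assumes the subclass also overrides equals()/hashCode() to include the action, since BasicPermission's versions compare class and name only.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.Objects;

public class PermissionCollectionDemo {
    // Hypothetical action-aware permission; not Derby's SystemPermission.
    static class ActionPermission extends BasicPermission {
        private final String action;
        private final boolean nullCollection;

        ActionPermission(String name, String action, boolean nullCollection) {
            super(name);
            this.action = action;
            this.nullCollection = nullCollection;
        }
        @Override public String getActions() { return action; }
        // Name AND action must match for one permission to imply another.
        @Override public boolean implies(Permission p) {
            return p instanceof ActionPermission
                && getName().equals(p.getName())
                && action.equals(((ActionPermission) p).action);
        }
        @Override public boolean equals(Object o) {
            return o instanceof ActionPermission && implies((ActionPermission) o);
        }
        @Override public int hashCode() { return Objects.hash(getName(), action); }
        // Returning null makes java.security.Permissions use its generic
        // collection instead of BasicPermission's name-keyed one.
        @Override public PermissionCollection newPermissionCollection() {
            return nullCollection ? null : super.newPermissionCollection();
        }
    }

    // Grants both actions on "engine", then asks whether each is implied.
    static boolean[] check(boolean nullCollection) {
        Permissions granted = new Permissions();
        granted.add(new ActionPermission("engine", "usederbyinternals", nullCollection));
        granted.add(new ActionPermission("engine", "monitor", nullCollection));
        return new boolean[] {
            granted.implies(new ActionPermission("engine", "usederbyinternals", nullCollection)),
            granted.implies(new ActionPermission("engine", "monitor", nullCollection)) };
    }

    public static void main(String[] args) {
        boolean[] inherited = check(false), generic = check(true);
        System.out.println("inherited: usederbyinternals=" + inherited[0] + " monitor=" + inherited[1]);
        System.out.println("null:      usederbyinternals=" + generic[0] + " monitor=" + generic[1]);
    }
}
```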
