[ http://issues.apache.org/jira/browse/DERBY-622?page=all ]
Andrew McIntyre resolved DERBY-622.
-----------------------------------
Resolution: Fixed

I am closing this issue as fixed. During testing, it became apparent that there
were a couple of places in sysinfo that needed privileged blocks, and these
were fixed by a patch by Myrna, which I committed with revision 390000.

However, there is now a sysinfo.policy file which grants the permissions that
the description of this issue complained should not be necessary. From the
description of this issue:

...
    permission java.io.FilePermission "${csinfo.codedir}${/}*", "read"
But according to the Java security specs:
'Note: code can always read a file from the same directory it's in (or a
subdirectory of that directory); it does not need explicit permission to do
so.'
...

This is true for classes in a directory, but for jars, FilePermission to read
other jars must be granted explicitly, which is why:

    grant codeBase "${derbyTesting.codejar}/derbytools.jar" {
      permission java.io.FilePermission "${derbyTesting.codedir}${/}*", "read";
    };

is granted, so that derbytools.jar can read from any other jar file (like the
locale jar files) in the directory which it is in. Similar permissions are
granted to derby.jar and derbynet.jar, depending on which jar file is first in
the classpath, and thus, from which the sysinfo classes are loaded first.

The only remaining comment I have is that, in light of the above with regard to
the security spec, and the comments attached to this issue, these lines in
derbynet/sysinfo.policy seem superfluous:

    grant codeBase "${derbyTesting.codeclasses}" {
      // the following two lines shouldn't be needed
      permission java.io.FilePermission "${derbyTesting.codedir}", "read";
      permission java.io.FilePermission "${derbyTesting.codeclasses}${/}*", "read";
    };

These lines were granted as part of DERBY-955, in particular see this mail:
http://www.nabble.com/Re%3A--jira--Updated%3A-%28DERBY-955%29-Get-derbyall-on-jdk1.6-p3977396.html
and the followups. I have tested derbynet/sysinfo.properties and
derbynet/sysinfo_withproperties with JDK 1.5 on Mac OS X without the above
lines and the tests passed. So, it might be desirable to revisit granting these
permissions to the sysinfo tests.
> sysinfo incorrectly requires permission on Derby jar files
> ----------------------------------------------------------
>
> Key: DERBY-622
> URL: http://issues.apache.org/jira/browse/DERBY-622
> Project: Derby
> Issue Type: Bug
> Components: Security, Tools
> Affects Versions: 10.2.0.0
> Reporter: Daniel John Debrunner
> Priority: Minor
> Fix For: 10.2.0.0
>
> Attachments: DERBY-622_step1.diff
>
>
> Running the test derbynet/sysinfo.java requires this permission in
> derby_tests.policy, in order to read the jar files.
>
>     permission java.io.FilePermission "${csinfo.codedir}${/}*", "read"
>
> But according to the Java security specs:
> 'Note: code can always read a file from the same directory it's in (or a
> subdirectory of that directory); it does not need explicit permission to do
> so.'
> Probably means a privileged block is required when accessing the contents of
> the jar files in sysinfo
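
The pattern discussed in this thread, reading a neighbouring jar inside a privileged block so that only the tool jar's own codeBase needs the FilePermission grant, shown as an added example. It is not Derby's sysinfo code: the class `SiblingJarInfo`, the method `siblingVersion` and the manifest lookup are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.net.URISyntaxException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.PrivilegedAction;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

// Hypothetical class for illustration; not Derby's sysinfo implementation.
public class SiblingJarInfo {

    /**
     * Returns the Implementation-Version of a jar that sits in the same
     * directory as the jar this class was loaded from, or null if unknown.
     */
    @SuppressWarnings({"deprecation", "removal"}) // AccessController: deprecated for removal since JDK 17
    public static String siblingVersion(final String jarName) {
        // The privileged block lends this jar's file permission to every
        // caller, so accept only a plain file name: no separators, no "..".
        if (jarName == null || jarName.equals(".") || jarName.equals("..")
                || !jarName.equals(new File(jarName).getName())) {
            return null;
        }
        return AccessController.doPrivileged((PrivilegedAction<String>) () -> {
            // Under a security manager this call also needs
            // RuntimePermission "getProtectionDomain" for this codeBase.
            CodeSource src = SiblingJarInfo.class.getProtectionDomain().getCodeSource();
            if (src == null || src.getLocation() == null) return null;
            try {
                File dir = new File(src.getLocation().toURI()).getParentFile();
                if (dir == null) return null;
                // Needs FilePermission "<codedir>/*", "read" on this jar's codeBase.
                try (JarFile jar = new JarFile(new File(dir, jarName))) {
                    Manifest mf = jar.getManifest();
                    return mf == null ? null
                            : mf.getMainAttributes().getValue("Implementation-Version");
                }
            } catch (IOException | URISyntaxException | IllegalArgumentException e) {
                return null; // missing jar, unreadable jar, or non-file location
            }
        });
    }

    public static void main(String[] args) {
        String name = args.length > 0 ? args[0] : "derbytools.jar";
        System.out.println(name + ": " + siblingVersion(name));
    }
}
```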