Dag H. Wanvik wrote:
In the final analysis it comes down to what annoys the Derby user
more, a potentially unsafe system or the hassle of dealing with
security. No free lunch...

An aggravating factor on the "hassle" is, in my experience, the
insufficient tools available for debugging security issues in general
and writing/adjusting policy files in particular:
- Often, the Java security runtime swallows exceptions (except for
grave syntax errors in policy files), silently denying permissions
then.
- The user really has to know about the 'java.security.debug' property
and its verbose values (even then, one still gets swamped by a huge
amount of output).
- Other people/projects have come up with some security debug/helper
classes, which, when run with, dynamically approve all permission
requests and generate a "narrow" policy file on the fly reflecting
just the requested grants, e.g.
http://java.sun.com/products/jini/2.1/doc/api/com/sun/jini/tool/DebugDynamicPolicyProvider.html
http://archives.java.sun.com/cgi-bin/wa?A2=ind9907&L=rmi-users&P=21357

Without better tools, I feel that the Java security system is for
experts only and I wonder how many run without just for that reason.

My $0.02,
Martin
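
The following is an added example, not part of the message above and not code from Derby or Jini: a small filter that reduces `-Djava.security.debug=access,failure` output to the denied permissions per code base and prints them as candidate policy grants. The sample log lines are constructed, and the `access: access denied (...)` / `access: domain that failed ProtectionDomain (...)` line shapes are assumed to match your JDK's output; check them against a real run.

```python
import re
from collections import defaultdict

# Constructed sample of java.security.debug=access,failure output (not from the post).
SAMPLE = '''\
access: access allowed ("java.util.PropertyPermission" "user.dir" "read")
access: access denied ("java.io.FilePermission" "/opt/db/derby.log" "write")
java.lang.Exception: Stack trace
access: domain that failed ProtectionDomain  (file:/opt/app/lib/derby.jar <no signer certificates>)
access: access denied ("java.util.PropertyPermission" "derby.system.home" "read")
access: domain that failed ProtectionDomain  (file:/opt/app/lib/derby.jar <no signer certificates>)
access: access denied ("java.io.FilePermission" "/opt/db/derby.log" "write")
access: domain that failed ProtectionDomain  (file:/opt/app/lib/derby.jar <no signer certificates>)
access: access denied ("java.lang.RuntimePermission" "createClassLoader")
access: domain that failed ProtectionDomain  (file:/opt/app/app.jar <no signer certificates>)
'''

DENIED = re.compile(r'^access: access denied \("([^"]+)" "([^"]*)"(?: "([^"]*)")?\)')
DOMAIN = re.compile(r'^access: domain that failed ProtectionDomain\s+\((\S+)')

def denied_by_codebase(lines):
    """Map code base URL -> set of (class, name, actions) that were denied."""
    grants = defaultdict(set)
    pending = None  # last denial, waiting for its "domain that failed" line
    for line in lines:
        m = DENIED.match(line)
        if m:
            pending = m.groups()
            continue
        d = DOMAIN.match(line)
        if d and pending:
            grants[d.group(1)].add(pending)  # set membership removes repeats
            pending = None
    return grants

def render_policy(grants):
    """Render candidate grant blocks; review each entry before adopting it."""
    out = []
    for codebase in sorted(grants):
        out.append(f'grant codeBase "{codebase}" {{')
        for cls, name, actions in sorted(grants[codebase], key=lambda p: (p[0], p[1], p[2] or "")):
            name = name.replace("\\", "\\\\")  # policy files need doubled backslashes
            act = f', "{actions}"' if actions else ""
            out.append(f'    permission {cls} "{name}"{act};')
        out.append("};")
    return "\n".join(out)

if __name__ == "__main__":
    print(render_policy(denied_by_codebase(SAMPLE.splitlines())))
```

Denials with no following domain line are dropped rather than guessed at, so the output can under-report; it never grants anything by itself.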