[
https://issues.apache.org/jira/browse/DERBY-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543631
]
Daniel John Debrunner commented on DERBY-3083:
----------------------------------------------
I hope the default policy for the network server is not granting permissions to
derbytools, derbyclient or derbytesting. The original spec had carefully
limited permissions intended to support running the network server.
The use of properties for the jar files names in the policy files increases a
security hole, now if any code can intercept the property setting then it
allows that code to grant the permissions intended for Derby to any jar on the
file system. By limiting the name to derbynet.jar (etc.) that hole is reduced.
To support maven maybe the name could be
${derby.install.url}derbynet${version}.jar
> Network server demands a file called "derbynet.jar" in classpath
> ----------------------------------------------------------------
>
> Key: DERBY-3083
> URL: https://issues.apache.org/jira/browse/DERBY-3083
> Project: Derby
> Issue Type: Bug
> Components: Tools
> Affects Versions: 10.3.1.4
> Reporter: Aaron Digulla
> Attachments: derby-716-10-datatypesCollation-aa.diff
>
>
> The network server will not start if the derbynet jar is added under a
> different name than "derbynet.jar" to the classpath. This makes it impossible
> to use it in maven projects where the jar is renamed to
> "derbynet-10.3.1.4.jar".
> This did work with 10.2.2.0
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
