[
https://issues.apache.org/jira/browse/FELIX-1169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12711806#action_12711806
]
Richard S. Hall commented on FELIX-1169:
----------------------------------------
I am not sure if that makes sense. To whom would this exception be thrown?
Since service events are synchronous, then it would be thrown to the entity
causing the event, which wouldn't make sense. Besides, a silent failure is
keeping in line with other places in the spec, where the point is to avoid
information being leaked.
> Service event callbacks fail silently when denied permission
> ------------------------------------------------------------
>
> Key: FELIX-1169
> URL: https://issues.apache.org/jira/browse/FELIX-1169
> Project: Felix
> Issue Type: Bug
> Components: Framework
> Affects Versions: felix-1.6.1
> Environment: Environments that have a SecurityManager installed, like
> the Google App Engine.
> Reporter: ted stockwell
> Priority: Minor
>
> The
> org.apache.felix.framework.util.EventDispatcher.invokeServiceListenerCallback
> method checks for permission before making callbacks to
> ServiceListener.serviceChanged.
> However, if no permission has been granted to listener for any of the service
> interfaces that are being listened to then this method fails silently (making
> the failure to get the callback hard to diagnose).
> This snippet of code in the EventDispatcher.invokeServiceListenerCallback
> method....
> Object sm = System.getSecurityManager();
> if ((acc != null) && (sm != null))
> {
> for (int i = 0;
> !hasPermission && (i < objectClass.length);
> i++)
> {
> try
> {
> ServicePermission perm =
> new ServicePermission(
> objectClass[i], ServicePermission.GET);
> ((SecurityManager) sm).checkPermission(perm, acc);
> hasPermission = true;
> }
> catch (Exception ex)
> {
> }
> }
> }
> else
> {
> hasPermission = true;
> }
> ....should probably be changed to throw a SecurityException if no permission
> is found.
> Like so....
> Object sm = System.getSecurityManager();
> if ((acc != null) && (sm != null))
> {
> for (int i = 0;
> !hasPermission && (i < objectClass.length);
> i++)
> {
> try
> {
> ServicePermission perm =
> new ServicePermission(
> objectClass[i], ServicePermission.GET);
> ((SecurityManager) sm).checkPermission(perm, acc);
> hasPermission = true;
> }
> catch (Exception ex)
> {
> }
> }
> if (!hasPermission)
> throw new SecurityException();
> }
> else
> {
> hasPermission = true;
> }
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
