[
https://issues.apache.org/jira/browse/JSPWIKI-129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18036532#comment-18036532
]
Alex O'Ree commented on JSPWIKI-129:
------------------------------------
[~ajaquith] considering that the java security manager is now deprecated and
scheduled for JDK removal, is this still a valid issue to spend time on? Most
likely we'll remove all java security manager linked code in the near term
> JSPWIki cannot run under a security manager
> -------------------------------------------
>
> Key: JSPWIKI-129
> URL: https://issues.apache.org/jira/browse/JSPWIKI-129
> Project: JSPWiki
> Issue Type: Bug
> Components: Authentication & Authorization
> Affects Versions: 2.4.104, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.8, 2.8.1,
> 2.8.2, 2.8.3, 2.8.4
> Environment: All
> Reporter: Andrew R. Jaquith
> Assignee: Andrew R. Jaquith
> Priority: Major
>
> JSPWiki cannot be used when running a security manager. Containers that run
> by default with a security manager include Oracle Application Server and
> Tomcat when run with the '-server' option.
> In all cases, the root cause is the same: the security policy for the
> container needs to include the Permissions needed to execute JSPWiki.
> However, full enumeration of the Permissions needed is complicated
> significantly by the fact that JSPWiki does not compartmentalized privileged
> calls the way it should. For example, any code in JSPWiki that accesses files
> should be enclosed by AccessController.doPrivileged() blocks.
> The result of our current approach (or rather, lack of privileged code
> compartmentalization) means that an effective policy cannot be written.
> This bug is to remind ARJ that he needs to work on this. He is currently
> writing some diagnostic tools that will make this process easier. However,
> it's going to take a while...
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
