[ https://issues.apache.org/jira/browse/JSPWIKI-129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18037833#comment-18037833 ]
Alex O'Ree commented on JSPWIKI-129:
------------------------------------
I may have found a solution for this:
[https://pro-grade.sourceforge.net/]
It can basically start in a learning mode and dynamically write a policy file.
Then some quick find and replace and we have a general purpose security
policy file for JSPWiki.
> JSPWiki cannot run under a security manager
> -------------------------------------------
>
> Key: JSPWIKI-129
> URL: https://issues.apache.org/jira/browse/JSPWIKI-129
> Project: JSPWiki
> Issue Type: Bug
> Components: Authentication & Authorization
> Affects Versions: 2.4.104, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.8, 2.8.1,
> 2.8.2, 2.8.3, 2.8.4
> Environment: All
> Reporter: Andrew R. Jaquith
> Assignee: Andrew R. Jaquith
> Priority: Major
>
> JSPWiki cannot be used when running a security manager. Containers that run
> by default with a security manager include Oracle Application Server and
> Tomcat when run with the '-server' option.
> In all cases, the root cause is the same: the security policy for the
> container needs to include the Permissions needed to execute JSPWiki.
> However, full enumeration of the Permissions needed is complicated
> significantly by the fact that JSPWiki does not compartmentalize privileged
> calls the way it should. For example, any code in JSPWiki that accesses files
> should be enclosed by AccessController.doPrivileged() blocks.
> The result of our current approach (or rather, lack of privileged code
> compartmentalization) means that an effective policy cannot be written.
> This bug is to remind ARJ that he needs to work on this. He is currently
> writing some diagnostic tools that will make this process easier. However,
> it's going to take a while...