[ https://issues.apache.org/jira/browse/OPENJPA-244?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12501621 ]
Craig Russell commented on OPENJPA-244:
---------------------------------------
What the example code does is to allow any untrusted code with access to the
J2DoPrivHelper class to get the value for the line separator.
While this doesn't sound like a big deal, it's still violating the security
model.
A solution is to code this in the trusted code:
    // doPrivileged is invoked from the trusted class; the result is a String
    private static final String SEP = (String) AccessController.doPrivileged(
        J2DoPrivHelper.getLineSeparatorAction());
And then the helper class is responsible for:
    // Returns the action only; the helper never calls doPrivileged itself
    public static PrivilegedAction getLineSeparatorAction() {
        return new PrivilegedAction() {
            public Object run() {
                return System.getProperty("line.separator");
            }
        };
    }
> Java 2 Security enablement
> --------------------------
>
> Key: OPENJPA-244
> URL: https://issues.apache.org/jira/browse/OPENJPA-244
> Project: OpenJPA
> Issue Type: Bug
> Affects Versions: 0.9.8
> Reporter: Kevin Sutter
> Attachments: J2DoPrivHelper.java
>
>
> Via some testing with the WebSphere Application Server, it's been discovered
> that we're missing some doPriv blocks throughout the OpenJPA code base.
> This JIRA report will be used to resolve these issues. More specific
> examples will be posted later.
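A small Python model of the stack walk behind `AccessController.checkPermission`, added here as an illustration and not code from OpenJPA or from the comment above. It shows why a helper that calls `doPrivileged` itself hands the property to any caller, while the action-returning form keeps the caller's protection domain in the check. The permission grants and the `getLineSeparator` wrapper name are assumptions made for the model.

```python
"""Toy model of Java 2 stack inspection (constructed example, not JVM code)."""
from dataclasses import dataclass

# Permission that System.getProperty("line.separator") checks.
PERM = "PropertyPermission line.separator read"

TRUSTED = frozenset({PERM})  # assumed policy grant for the library's code source
UNTRUSTED = frozenset()      # assumed: calling code with no grant at all


@dataclass(frozen=True)
class Frame:
    method: str
    domain: frozenset         # permissions of the code source owning this frame
    privileged: bool = False  # True if this frame is the one calling doPrivileged


def check_permission(stack, perm):
    """Walk from the newest frame to the oldest; every domain seen must hold perm.
    The walk ends after the first privileged frame, which is itself still checked.
    Simplification: inherited thread context and system frames are left out."""
    for frame in reversed(stack):
        if perm not in frame.domain:
            return False
        if frame.privileged:
            return True
    return True


def leaky_helper_call(caller_domain):
    """Hypothetical J2DoPrivHelper.getLineSeparator() that calls doPrivileged itself:
    the helper is the privileged frame, so the caller is never inspected."""
    stack = [
        Frame("caller", caller_domain),
        Frame("J2DoPrivHelper.getLineSeparator", TRUSTED, privileged=True),
        Frame("PrivilegedAction.run", TRUSTED),
    ]
    return check_permission(stack, PERM)


def action_factory_call(caller_domain):
    """getLineSeparatorAction() only builds the action; the caller invokes
    doPrivileged, so the caller's own domain is the last one checked."""
    stack = [
        Frame("caller", caller_domain, privileged=True),
        Frame("PrivilegedAction.run", TRUSTED),
    ]
    return check_permission(stack, PERM)
```
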