[jira] Commented: (OPENJPA-244) Java 2 Security enablement

Thu, 07 Jun 2007 08:17:47 -0700 

    [ 
https://issues.apache.org/jira/browse/OPENJPA-244?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12502379
 ] 

Albert Lee commented on OPENJPA-244:
------------------------------------

Having specific function(s) in J2DoPrivHelp that required doPriv is to isolate 
common access function without security exposure and hopefully improve 
performance. Since there is no user parameters allowed by the helpers, even the 
getLineSeparator() is public, user is only allowed to get the lineSeparator 
string and no other resources security leak.

The wrapper method approach is to provide means to create the 
Privilege(Exception)Action object but the doPrivileged will still be in-lined 
in the openjpa code to avoid undesirable security exposure. 

Here is a new proposal:

1) The J2DoPrivHelper defines the common security safe functions and 
PrivilegedAction getters (example):
        
       public static final String getLineSeparator();
       public static final Object getOtherSpecificSecuritySafeResource();
       .......
 
       public static final PrivilegedAction getClassLoaderAction(final 
ClassLoader loader);
       public static final PrivilegedExceptionAction 
getDeclaredMethodAction(final Class clazz, final String name, final Class[] 
parameterTypes);
       .......

2)  J2DoPrivHelper usage:

       private static final String SEP = J2DoPrivHelper.getLineSeparator(); 

       ClassLoader loader = (ClassLoader) AccessController.doPrivileged( 
J2DoPrivHelper.getClassLoaderAction( clazz ) );

        try {
              
AccessController.doPrivileged(J2DoPrivHelper.getDeclaredMethodAction( clazz, 
name, args));
        } catch (PrivilegedActionException exception) {
               NoSuchMethodException ex = 
(NoSuchMethodException)exception.getException();
        } 

3) If there is any situation where testing security is enabled before the 
doPriv pattern is used, it will need to be in-lined in user code.

Please comment and indicate if this is an acceptable solution.

Thanks.
Albert Lee.

> Java 2 Security enablement
> --------------------------
>
>                 Key: OPENJPA-244
>                 URL: https://issues.apache.org/jira/browse/OPENJPA-244
>             Project: OpenJPA
>          Issue Type: Bug
>    Affects Versions: 0.9.8
>            Reporter: Kevin Sutter
>         Attachments: J2DoPrivHelper.java
>
>
> Via some testing with the WebSphere Application Server, it's been discovered 
> that we're missing some doPriv blocks through out the OpenJPA code base.  
> This JIRA report will be used to resolve these issues.  More specific 
> examples will be posted later.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to