[
https://issues.apache.org/jira/browse/OPENJPA-244?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12502515
]
Patrick Linskey commented on OPENJPA-244:
-----------------------------------------
> > Given that you demonstrate in point 2 above that it is legit to cache the
> > return values of the security-wrapping calls, can we achieve better
> > encapsulation? For example, why not just have a
> > J2DoPrivHelper.getDeclaredMethod()
> > call that does the right thing internally?
>
> If I hear you right, the sugguestion is to have all the doPriv processing in
> the
> J2DoPrivHelper.getDeclaredMethod(). This was the original proposal and
> Mitesh
> has pointed out that this is a security leak. See previous comment.
... but it looks like your most recent proposal shares this leak, since it has
methods like getLineSeparator(). We should either make all of the methods
secure and consider it a goal to not allow that leak, or make all of the helper
methods behave the same, no?
-Patrick
> Java 2 Security enablement
> --------------------------
>
> Key: OPENJPA-244
> URL: https://issues.apache.org/jira/browse/OPENJPA-244
> Project: OpenJPA
> Issue Type: Bug
> Affects Versions: 0.9.8
> Reporter: Kevin Sutter
> Attachments: J2DoPrivHelper.java
>
>
> Via some testing with the WebSphere Application Server, it's been discovered
> that we're missing some doPriv blocks through out the OpenJPA code base.
> This JIRA report will be used to resolve these issues. More specific
> examples will be posted later.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
