[ https://issues.apache.org/jira/browse/OPENJPA-244?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12502647 ]

Albert Lee commented on OPENJPA-244:
------------------------------------

The getLineSeparator() will not compromise security because this function only 
returns specifically the line.separator String and nothing else, hence there is 
no side effect. This method may cache the value for performance and better code 
readability and maintenance.

In the original proposal, an application can call one of the J2DoPrivHelper 
public methods which may grant user resource privileges on behalf of the caller, 
which is not good. If there is a resource that requires privilege, the 
AccessController.doPrivileged() must be in-line in the openjpa code base, but 
the "new Privileged(Exception)Action" can be common or factored out.  Even if 
the doPrivileged() is inlined, one must also be careful not to allow any public 
method to be accessed by the application with a user-specified resource that 
eventually grants privilege to access the resource.

>>> Additionally, from a performance standpoint, it seems like we should make 
>>> the J2DoPrivHelper methods non-static, create an interface, and provide 
>>> access to the instance via the OpenJPAConfiguration object. This will allow 
>>> us to have an impl that doesn't do security checks at all and a separate 
>>> impl that does the security checks.

>Sounds good. 

After some thought on this topic, I just realized that use of an interface will 
not work. The same reason as just described. The interface can only get the 
PrivilegedAction because the doPriv must be in-lined. E.g.

The use cases are:

   // Returns only the line.separator string.
   private static final String SEP = J2DoPrivHelper.getLineSeparator();

   // doPrivileged() is called in-line; the helper only supplies the action.
   ClassLoader loader = ( System.getSecurityManager() == null )
       ? clazz.getClassLoader()
       : (ClassLoader) AccessController.doPrivileged(
             J2DoPrivHelper.getClassLoaderAction( clazz ) );

   try
   {
       method = ( System.getSecurityManager() == null )
           ? clazz.getDeclaredMethod( name, parameterType )
           : (Method) AccessController.doPrivileged(
                 J2DoPrivHelper.getDeclaredMethodAction( clazz, name, parameterType ) );
   } catch( PrivilegedActionException pae )
   {
       // Unwrap the checked exception thrown inside the privileged action.
       throw (NoSuchMethodException) pae.getException();
   }


       

> Java 2 Security enablement
> --------------------------
>
>                 Key: OPENJPA-244
>                 URL: https://issues.apache.org/jira/browse/OPENJPA-244
>             Project: OpenJPA
>          Issue Type: Bug
>    Affects Versions: 0.9.8
>            Reporter: Kevin Sutter
>         Attachments: J2DoPrivHelper.java
>
>
> Via some testing with the WebSphere Application Server, it's been discovered 
> that we're missing some doPriv blocks through out the OpenJPA code base.  
> This JIRA report will be used to resolve these issues.  More specific 
> examples will be posted later.

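The distinction drawn in the comment above, as an added example (not code from the JIRA thread or from OpenJPA; the class `DoPrivPlacement` and its method names are hypothetical): a public helper that calls `doPrivileged()` itself, next to a helper that only returns the `PrivilegedAction` and leaves `doPrivileged()` in-line at the call site.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added illustration; class and method names are hypothetical, not OpenJPA's.
public class DoPrivPlacement {

    // Anti-pattern: the public helper calls doPrivileged() itself. The
    // permission check stops at this frame, so any caller (including
    // application code lacking RuntimePermission("getClassLoader"))
    // receives the result under the library's privileges.
    public static ClassLoader getClassLoaderPrivileged(final Class<?> clazz) {
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return clazz.getClassLoader();
            }
        });
    }

    // Pattern from the comment: the helper only builds the action object.
    // Constructing it grants nothing; the privilege is asserted by whichever
    // class calls doPrivileged(), and that class's protection domain is checked.
    public static PrivilegedAction<ClassLoader> getClassLoaderAction(final Class<?> clazz) {
        return new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return clazz.getClassLoader();
            }
        };
    }

    // Stands in for library-internal code: doPrivileged() is in-line here,
    // guarded the same way as the use cases in the comment.
    static ClassLoader loaderFor(Class<?> clazz) {
        return (System.getSecurityManager() == null)
            ? clazz.getClassLoader()
            : AccessController.doPrivileged(getClassLoaderAction(clazz));
    }

    public static void main(String[] args) {
        // In this single-class demo both paths share one protection domain and
        // return the same loader; they differ once the helper sits in trusted
        // library code and the caller is application code under a policy.
        System.out.println(loaderFor(DoPrivPlacement.class)
            == getClassLoaderPrivileged(DoPrivPlacement.class));
    }
}
```

`AccessController` and `System.getSecurityManager()` are deprecated for removal since Java 17, so this compiles with deprecation warnings on current JDKs.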