[ https://issues.apache.org/jira/browse/OPENJPA-244?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12509632 ]
Craig Russell commented on OPENJPA-244:
---------------------------------------
>> 3. In
>> openjpa-lib/src/main/java/org/apache/openjpa/lib/util/MultiClassLoader.java
>> you might have missed this case:
>> @@ -238,12 +246,18 @@
>> if (loader == THREAD_LOADER)
>> loader = Thread.currentThread().getContextClassLoader();
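Review bot: Thread.currentThread().getContextClassLoader() under "if (loader == THREAD_LOADER)" is shown here as a direct call. With a security manager installed, this call can require RuntimePermission "getClassLoader", so it should run inside AccessController.doPrivileged. Otherwise a caller on the stack without that permission gets an AccessControlException when THREAD_LOADER is resolved.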
> Good eye. Done.
>> 5. In
>> openjpa-xmlstore/src/main/java/org/apache/openjpa/xmlstore/XMLFileHandler.java
>> don't you need to have a doPrivileged around f.length()? The javadoc would
>> suggest so.
> You are correct. Somehow I don't get any security exception even without the
> doPriv wrapping. I have added a new lengthAction and "do the right thing"
> now.
My only concern now is that without the above changes, your tests ran
correctly. Do you have a test bench where the caller is not privileged and
OpenJPA is privileged? One suspicious change is in the security permissions
file:
+// ================================================================
+// The following permissions are needed to invoke the 'test' target in OpenJPA
maven build.
+grant {
+ permission java.security.AllPermission;
+};
+
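Review bot: The added "grant {" block has no codeBase or signedBy qualifier, so "permission java.security.AllPermission;" applies to every class loaded during the 'test' target, including the test classes that stand in for application callers. Under that policy no permission check can fail, so the run cannot show whether a doPrivileged block is missing. Suggest scoping this grant with a codeBase for the build and test-runner jars, and giving the calling test code only the permissions it needs.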
This would appear to grant everyone AllPermissions, which might explain why the
tests all work. Can this be restricted to granting permission to just the test
framework (javax.junit) and see what happens?
> Java 2 Security enablement
> --------------------------
>
> Key: OPENJPA-244
> URL: https://issues.apache.org/jira/browse/OPENJPA-244
> Project: OpenJPA
> Issue Type: Bug
> Affects Versions: 0.9.8
> Reporter: Kevin Sutter
> Attachments: OPENJPA-244.patch
>
>
> Via some testing with the WebSphere Application Server, it's been discovered
> that we're missing some doPriv blocks throughout the OpenJPA code base.
> This JIRA report will be used to resolve these issues. More specific
> examples will be posted later.