[ https://issues.apache.org/jira/browse/OWB-1027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14208674#comment-14208674 ]
Romain Manni-Bucau commented on OWB-1027:
-----------------------------------------

We don't use security service that much and security manager will not protect against much things. Said otherwise if it protects then your server is really in danger elsewhere IMHO.

That said if you provide a patch respecting:
- don't add a dependency for it
- don't prevent debugging changing bytecode lines and method entry points
- keep it localized in SecurityService or whatever

Then it is ok.

More I think to it more I think it should just be a particular SecurityService. Now gain of doing it is not obvious since it is done and it adds another indirection. Do I miss something?

> Use Apache Commons Weaver's privilizer module for privileged action code in OWB
> -------------------------------------------------------------------------------
>
>                 Key: OWB-1027
>                 URL: https://issues.apache.org/jira/browse/OWB-1027
>             Project: OpenWebBeans
>          Issue Type: Task
>    Affects Versions: 1.5.0
>            Reporter: Matt Benson
>
> See [http://commons.apache.org/proper/commons-weaver/commons-weaver-modules-parent/commons-weaver-privilizer-parent/index.html]; this code was intended for helping Apache JEE components use the {{SecurityManager}} in such a fashion as to make the invocation of privileged actions as transparent as possible.
> A concern is that to make full use of the privilizer module's potential, OWB's {{SecurityService}} notion would IMO best be removed entirely to minimize the surface area of publicly accessible code that makes privileged calls. Since this interface and its implementations, as well as the {{deprecated SecurityUtil}} class, are {{public}}, this constitutes a break in API compatibility and forces the community to think about if, when, and how to upgrade OWB to v2.x .
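
The surface-area concern in the issue description, as an added example that is not part of the original message and is not OWB or Commons Weaver code: a public helper that wraps a caller-chosen operation in `doPrivileged`, beside a private privileged block with a fixed operation. All class names and the property name are hypothetical; only JDK APIs are used.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical classes for illustration; none of these names are OWB's API.
public class PrivilegedSurfaceExample {

    // Pattern A: a public helper that performs a privileged read for any key
    // the caller supplies. Under a SecurityManager, doPrivileged stops the
    // permission check at this frame, so a caller without PropertyPermission
    // can read any property this class's protection domain may read.
    public static final class PublicPrivilegedHelper {
        public static String getSystemProperty(final String key) {
            return AccessController.doPrivileged(
                    (PrivilegedAction<String>) () -> System.getProperty(key));
        }
    }

    // Pattern B: the privileged block is private and the key is fixed, so the
    // only thing exposed to callers is one derived boolean.
    public static final class FeatureConfig {
        private static final String KEY = "example.feature.enabled"; // constructed name

        public static boolean isEnabled() {
            return Boolean.parseBoolean(readFlag());
        }

        private static String readFlag() {
            return AccessController.doPrivileged(
                    (PrivilegedAction<String>) () -> System.getProperty(KEY));
        }
    }

    public static void main(String[] args) {
        System.setProperty("example.feature.enabled", "true"); // constructed sample value
        // Pattern A hands back whatever property the caller names.
        System.out.println(PublicPrivilegedHelper.getSystemProperty("user.home"));
        // Pattern B answers a single fixed question.
        System.out.println(FeatureConfig.isEnabled());
    }
}
```

Without a `SecurityManager` installed both patterns behave identically; the difference only matters when callers run with fewer permissions than the library. `AccessController` is deprecated for removal from Java 17 onward, so this compiles with deprecation warnings on current JDKs.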