On 02/05/07, Charles Oliver Nutter <[EMAIL PROTECTED]> wrote: [...] > I think it's safe to say we know practically nothing about security > policies in Java, so we're going to need outside help determining what > permissions JRuby wants and which ones it actually needs. Like the > security provider, I suspect many or most tricky permissions we can do > without.
After a hefty bit of debugging in JRuby+GoldSpike to diagnose my PrivilegedException issue, here's what seems to be going on: When LoadService tries to require something, it will first check the static method Ruby.isSecurityRestricted(), and if that method returns true no local file access will be attempted. The method simply checks for the presence of a System SecurityManager. This is on the coarse side, security-wise, unless I've missed something. Would you like me to try to elaborate on the security a bit? Perhaps call the Security Manager's checkRead(String file) method (if a Security Manager is set), instead of just rejecting the attempt altogether? It should be a simple enough change. Another solution might be to not use an absolute path to locate the files in the Rails web app - but I don't have any idea how or if that could be done (yet). Cheers, -- Steen _______________________________________________ Jruby-extras-devel mailing list [email protected] http://rubyforge.org/mailman/listinfo/jruby-extras-devel
