JSPWiki cannot run under a security manager
-------------------------------------------

                 Key: JSPWIKI-129
                 URL: https://issues.apache.org/jira/browse/JSPWIKI-129
             Project: JSPWiki
          Issue Type: Bug
          Components: Authentication&Authorization
    Affects Versions: 2.6.0, 2.4.104, 2.6.1
         Environment: All
            Reporter: Andrew Jaquith
            Assignee: Andrew Jaquith
             Fix For: 2.8


JSPWiki cannot be used when running a security manager. Containers that run by 
default with a security manager include Oracle Application Server and Tomcat 
when run with the '-server' option.

In all cases, the root cause is the same: the security policy for the container 
needs to include the Permissions needed to execute JSPWiki. However, full 
enumeration of the Permissions needed is complicated significantly by the fact 
that JSPWiki does not compartmentalize privileged calls the way it should. For 
example, any code in JSPWiki that accesses files should be enclosed by 
AccessController.doPrivileged() blocks.

The result of our current approach (or rather, lack of privileged code 
compartmentalization) means that an effective policy cannot be written.

This bug is to remind ARJ that he needs to work on this. He is currently 
writing some diagnostic tools that will make this process easier. However, it's 
going to take a while...

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
