[
https://issues.apache.org/jira/browse/JSPWIKI-129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12594585#action_12594585
]
Andrew Jaquith commented on JSPWIKI-129:
----------------------------------------
Posslbly... I've had to put this aside for a while. Can take a whack at it next
week on my transatlantic flight. It's a pretty tough problem to work through,
though...
> JSPWIki cannot run under a security manager
> -------------------------------------------
>
> Key: JSPWIKI-129
> URL: https://issues.apache.org/jira/browse/JSPWIKI-129
> Project: JSPWiki
> Issue Type: Bug
> Components: Authentication&Authorization
> Affects Versions: 2.4.104, 2.6.0, 2.6.1
> Environment: All
> Reporter: Andrew Jaquith
> Assignee: Andrew Jaquith
> Fix For: 2.8
>
>
> JSPWiki cannot be used when running a security manager. Containers that run
> by default with a security manager include Oracle Application Server and
> Tomcat when run with the '-server' option.
> In all cases, the root cause is the same: the security policy for the
> container needs to include the Permissions needed to execute JSPWiki.
> However, full enumeration of the Permissions needed is complicated
> significantly by the fact that JSPWiki does not compartmentalized privileged
> calls the way it should. For example, any code in JSPWiki that accesses files
> should be enclosed by AccessController.doPrivileged() blocks.
> The result of our current approach (or rather, lack of privileged code
> compartmentalization) means that an effective policy cannot be written.
> This bug is to remind ARJ that he needs to work on this. He is currently
> writing some diagnostic tools that will make this process easier. However,
> it's going to take a while...
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
