Taking a quick look at Stripes (reflection) and Hibernate (SQL),
neither of them has doPrivileged() blocks anywhere in the code.
Does it mean that nobody can use them in standard J2EE containers?
I'd wager not.
Janne, looks like our responses crossed in the mail.
I'd wager yes, people are. Here's an example of somebody who had
problems getting Hibernate on Tomcat when the security manager was
running:
http://www.petrovic.org/blog/?p=134
Also, don't we have to give the same permissions to *all* of the
sub-libraries? Wouldn't it effectively nullify any benefit from
security of the internal app, if it can access anything through
external libraries?
Not necessarily... it depends on the sequence of callers in the call
stack.
Stripes does not have a single doPrivileged() code block in it. I
did a full search.
Neither does log4j, and my guess is that most of the libraries that
we use don't have them either.
You are probably right about that. But then, only a runtime analysis
would be able to tell us which ones are problematic, and where the
dependencies lie.
I'm really no security expert, but it sounds to me that the gain vs
effort ratio in this effort would not be very high. Especially
since most of the attacks so far seem to be XSS vectors, which
really don't touch the JVM at all.
Now THAT is almost certainly true. That's why I've postponed this
exercise; compared with getting 2.6 done, it's lower priority. It *is*
a blocker for running JSPWiki in OAS out-of-the-box. We just need to
be comfortable telling every OAS user who asks, "it won't work until
you turn off your security manager."
PS. Henry Kissinger was a US Secretary of State. Sounds like you don't
want me to dust off the policy-maker project just yet...
A.
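An added illustration of the call-stack point made above (this is example code written for this page, not code from JSPWiki, Stripes, Hibernate or log4j): under a SecurityManager, AccessController.checkPermission() walks every frame on the stack and requires each caller's ProtectionDomain to hold the permission, so a trusted library that does not wrap its sensitive calls in doPrivileged() is still denied when an unprivileged application sits below it on the stack. The "untrusted application" here is simulated with a hand-built AccessControlContext holding a ProtectionDomain with no permissions, rather than a real policy file. It runs on JDK 17 and earlier; JDK 18 to 23 need -Djava.security.manager=allow, and JDK 24 removed the SecurityManager (JEP 486).

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/**
 * Shows why a library without doPrivileged() fails under a SecurityManager
 * even when the library itself is trusted: the permission check takes the
 * intersection of every caller's permissions on the stack.
 */
public class StackInspectionDemo {

    // Stand-in for a library (Hibernate, Stripes, log4j ...) that is itself
    // trusted but does not use doPrivileged(): its callers' permissions
    // still count.
    static String readHomeUnprivileged() {
        return System.getProperty("user.home");
    }

    // Same operation, but the library asserts its own privilege: stack
    // inspection stops at this frame, so only the library's own
    // ProtectionDomain must hold the PropertyPermission.
    static String readHomePrivileged() {
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty("user.home"));
    }

    // Context standing in for an application granted no permissions at all
    // (constructed for the demo; a container would derive it from its policy).
    // The two-argument ProtectionDomain constructor makes the permissions
    // static, so the Policy below does not apply to this domain.
    static AccessControlContext untrustedAppContext() {
        ProtectionDomain noPerms = new ProtectionDomain(
                new CodeSource(null, (Certificate[]) null), new Permissions());
        return new AccessControlContext(new ProtectionDomain[] { noPerms });
    }

    // Run a library call with the untrusted application on the stack and
    // report whether the SecurityManager allowed it.
    static boolean calledFromUntrustedApp(PrivilegedAction<String> libraryCall) {
        try {
            AccessController.doPrivileged(libraryCall, untrustedAppContext());
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Grant everything to dynamically-checked domains (i.e. this class),
        // so the only thing that can deny a call is the untrusted frame.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        System.out.println("library without doPrivileged(): "
                + (calledFromUntrustedApp(StackInspectionDemo::readHomeUnprivileged)
                        ? "allowed" : "denied"));
        System.out.println("library with    doPrivileged(): "
                + (calledFromUntrustedApp(StackInspectionDemo::readHomePrivileged)
                        ? "allowed" : "denied"));
    }
}
```

The first call is denied and the second allowed, even though both run the same trusted library code with the same policy: the only difference is whether the library's frame cuts the stack walk off before it reaches the unprivileged application. This is also why granting the library permissions in the container's policy is not enough on its own, and why a full runtime trace of which library calls hit checkPermission() is needed to see which ones would have to be wrapped.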