Taking a quick look at Stripes (reflection) and Hibernate (SQL),
neither of them have doPrivileged() blocks anywhere in the code.
Does it mean that nobody can use them in standard J2EE
containers? I'd wager not.
Janne, looks like our responses crossed in the mail.
I'd wager yes, people are . Here's an example of somebody who had
problems getting Hibernate on Tomcat when the security manager was
running:
http://www.petrovic.org/blog/?p=134
Looks like my attempt to produce legible English at 1 am failed :)
You are probably right about that. But then, only a runtime
analysis would be able to tell us which ones are problematic, and
where the dependencies lie.
Urgh. And then we would need to change all the libraries and
contribute the patches back to those guys...
Now THAT is almost certainly true. That's why I've postponed this
exercise; compared with getting 2.6 done, it's lower priority. It
*is* a blocker for running JSPWiki in OAS out-of-the-box. We just
need to be comfortable telling every OAS user who asks, "it won't
work until you turn off your security manager."
Is there no way to give a blanket permission to JSPWiki work and
repository directories, and limit runtime.exec()? That would cut out
a very big majority of all attack vectors.
PS. Henry Kissinger was a US Secretary of State. Sounds like you
don't want me to dust off the policy-maker project just yet...
Sorry, U.S. History is not my strong subject :-). I'm just trying
to perform some cost-benefit analysis here. My vote would be -1 on
making this any sort of a priority...
(Looks like again all the bugs blocking the release are IE-related...)
/Janne
