From rhille...@apache.org
Subject svn commit: r592758 - in /db/derby/code/trunk/java: drda/org/apache/derby/drda/ testing/org/apache/derbyTesting/functionTests/tests/derbynet/ tools/org/apache/derby/impl/tools/sysinfo/
Date Wed, 07 Nov 2007 14:26:13 GMT
Author: rhillegas
Date: Wed Nov  7 06:26:12 2007
New Revision: 592758

URL: http://svn.apache.org/viewvc?rev=592758&view=rev
Log:
DERBY-3086: More permissions and privilege blocks so that the server tracing and sysinfo will
continue to work when the server automatically installs a security manager.

Modified:
    db/derby/code/trunk/java/drda/org/apache/derby/drda/NetworkServerControl.java
    db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy
    db/derby/code/trunk/java/drda/org/apache/derby/drda/template.policy
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/SecureServerTest.java
    db/derby/code/trunk/java/tools/org/apache/derby/impl/tools/sysinfo/Main.java

Modified: db/derby/code/trunk/java/drda/org/apache/derby/drda/NetworkServerControl.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/drda/org/apache/derby/drda/NetworkServerControl.java?rev=592758&r1=592757&r2=592758&view=diff
==============================================================================
--- db/derby/code/trunk/java/drda/org/apache/derby/drda/NetworkServerControl.java (original)
+++ db/derby/code/trunk/java/drda/org/apache/derby/drda/NetworkServerControl.java Wed Nov
 7 06:26:12 2007
@@ -586,6 +586,14 @@
         { System.setProperty( Property.SYSTEM_HOME_PROPERTY, PropertyUtil.getSystemProperty(
"user.dir" ) ); }
 
         //
+        // Make sure the following property is set so that it can be substituted into the
+        // policy file. That will let us grant write permission on the server's
+        // trace file.
+        //
+        if ( PropertyUtil.getSystemProperty( Property.DRDA_PROP_TRACEDIRECTORY ) == null
)
+        { System.setProperty( Property.DRDA_PROP_TRACEDIRECTORY, PropertyUtil.getSystemProperty(
Property.SYSTEM_HOME_PROPERTY ) ); }
+
+        //
         // Forcibly set the following property so that it will be correctly
         // substituted into the default policy file. This is the hostname for
         // SocketPermissions. This is an internal property which customers
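Review bot: The fallback on the added `System.setProperty( Property.DRDA_PROP_TRACEDIRECTORY, ... )` line makes the trace directory default to the Derby system home, and the policy hunks in this commit (server.policy and template.policy) then expand `${derby.drda.traceDirectory}${/}-` into recursive read, write and delete for derbynet.jar over that whole tree. Databases typically live under the system home, so the network-facing jar gains delete rights on them only so that it can write trace files. The new comment should state that consequence, e.g. `// NOTE: this defaults to derby.system.home, so the policy grant covers that whole tree; set derby.drda.traceDirectory to a dedicated directory to narrow it.` The substitution presumably happens once, when the policy is loaded, so a trace directory changed later at runtime may not be covered; that is worth confirming. The enclosing method starts and ends outside the hunk.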

Modified: db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy?rev=592758&r1=592757&r2=592758&view=diff
==============================================================================
--- db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy (original)
+++ db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy Wed Nov  7 06:26:12
2007
@@ -21,6 +21,21 @@
 // You may want to restrict this access to specific directories.
 //
   permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
+
+//
+// Needed by sysinfo. The file permission is needed to
+// check the existence of jars on the classpath. You can
+// limit this permission to just the locations which hold
+// your jar files. This block is reproduced for all codebases
+// which include the sysinfo classes--the policy file syntax
+// does not let you grant permissions to several codebases
+// all at once.
+//
+  permission java.util.PropertyPermission "user.*", "read";
+  permission java.util.PropertyPermission "java.home", "read";
+  permission java.util.PropertyPermission "java.class.path", "read";
+  permission java.lang.RuntimePermission "getProtectionDomain";
+  permission java.io.FilePermission "<<ALL FILES>>", "read";
 };
 
 grant codeBase "${derby.install.url}derbynet.jar"
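Review bot: The added `permission java.io.FilePermission "<<ALL FILES>>", "read";` is redundant in this block, because the context line just above the addition already grants `"<<ALL FILES>>", "read,write,delete"` to the same codebase. The duplicate makes the effective privileges harder to audit: an operator who narrows the first grant to specific directories, as its comment invites, would still leave global read in place through the second. Either drop the added line or extend its comment with `// Redundant while the grant above covers all files; narrow both together.` The grant header for this block is outside the hunk.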
@@ -39,5 +54,81 @@
 
   permission java.net.SocketPermission "*", "accept"; 
 
+//
+// Needed for server tracing.
+//
+  permission java.io.FilePermission "${derby.drda.traceDirectory}${/}-", "read,write,delete";
+
+//
+// Needed by sysinfo. The file permission is needed to
+// check the existence of jars on the classpath. You can
+// limit this permission to just the locations which hold
+// your jar files. This block is reproduced for all codebases
+// which include the sysinfo classes--the policy file syntax
+// does not let you grant permissions to several codebases
+// all at once.
+//
+  permission java.util.PropertyPermission "user.*", "read";
+  permission java.util.PropertyPermission "java.home", "read";
+  permission java.util.PropertyPermission "java.class.path", "read";
+  permission java.lang.RuntimePermission "getProtectionDomain";
+  permission java.io.FilePermission "<<ALL FILES>>", "read";
+};
+
+
+grant codeBase "${derby.install.url}derbytools.jar"
+{
+//
+// Needed by sysinfo. The file permission is needed to
+// check the existence of jars on the classpath. You can
+// limit this permission to just the locations which hold
+// your jar files. This block is reproduced in the 3 codebases
+// which include the sysinfo classes--the policy file syntax
+// does not let you grant permissions to several codebases
+// all at once.
+//
+  permission java.util.PropertyPermission "user.*", "read";
+  permission java.util.PropertyPermission "java.home", "read";
+  permission java.util.PropertyPermission "java.class.path", "read";
+  permission java.lang.RuntimePermission "getProtectionDomain";
+  permission java.io.FilePermission "<<ALL FILES>>", "read";
+};
+
+grant codeBase "${derby.install.url}derbyclient.jar"
+{
+//
+// Needed by sysinfo. The file permission is needed to
+// check the existence of jars on the classpath. You can
+// limit this permission to just the locations which hold
+// your jar files. This block is reproduced in the 3 codebases
+// which include the sysinfo classes--the policy file syntax
+// does not let you grant permissions to several codebases
+// all at once.
+//
+  permission java.util.PropertyPermission "user.*", "read";
+  permission java.util.PropertyPermission "java.home", "read";
+  permission java.util.PropertyPermission "java.class.path", "read";
+  permission java.lang.RuntimePermission "getProtectionDomain";
+  permission java.io.FilePermission "<<ALL FILES>>", "read";
 };
+
+grant codeBase "${derby.install.url}derbytesting.jar"
+{
+//
+// Needed by sysinfo. The file permission is needed to
+// check the existence of jars on the classpath. You can
+// limit this permission to just the locations which hold
+// your jar files. This block is reproduced in the 3 codebases
+// which include the sysinfo classes--the policy file syntax
+// does not let you grant permissions to several codebases
+// all at once.
+//
+  permission java.util.PropertyPermission "user.*", "read";
+  permission java.util.PropertyPermission "java.home", "read";
+  permission java.util.PropertyPermission "java.class.path", "read";
+  permission java.lang.RuntimePermission "getProtectionDomain";
+  permission java.io.FilePermission "<<ALL FILES>>", "read";
+};
+
+
 
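Review bot: The new `FilePermission "<<ALL FILES>>", "read"` grants give derbynet.jar, derbytools.jar, derbyclient.jar and derbytesting.jar read access to every file the server's OS account can read, in a policy the server installs automatically, although the stated need is only to check whether classpath jars exist. The same grant is added for derbynet.jar in the template.policy hunk. derbytesting.jar is presumably absent from a production install, so consider keeping its grant block in a test-only policy instead of the default one. The comment text is also out of date: three of the blocks say `reproduced in the 3 codebases` while this file now carries the block for five codebases; `reproduced for all codebases`, as in the first two blocks, would be consistent.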

Modified: db/derby/code/trunk/java/drda/org/apache/derby/drda/template.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/drda/org/apache/derby/drda/template.policy?rev=592758&r1=592757&r2=592758&view=diff
==============================================================================
--- db/derby/code/trunk/java/drda/org/apache/derby/drda/template.policy (original)
+++ db/derby/code/trunk/java/drda/org/apache/derby/drda/template.policy Wed Nov  7 06:26:12
2007
@@ -33,6 +33,7 @@
 // You may want to restrict this access to specific directories.
 //
   permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
+
 };
 
 grant codeBase "${derby.install.url}derbynet.jar"
@@ -51,5 +52,36 @@
 
   permission java.net.SocketPermission "*", "accept"; 
 
+//
+// Needed for server tracing.
+//
+  permission java.io.FilePermission "${derby.drda.traceDirectory}${/}-", "read,write,delete";
+
+//
+// Needed by sysinfo. The file permission is needed to
+// check the existence of jars on the classpath. You can
+// limit this permission to just the locations which hold
+// your jar files.
+//
+// In this template file, this block of permissions is granted
+// to derbynet.jar under the assumption that derbynet.jar is
+// the first jar file in your classpath which contains the
+// sysinfo classes. If that is not the case, then you will want
+// to grant this block of permissions to the first jar file
+// in your classpath which contains the sysinfo classes.
+// Those classes are bundled into the following Derby
+// jar files:
+//
+//    derbynet.jar
+//    derby.jar
+//    derbyclient.jar
+//    derbytools.jar
+//    derbytesting.jar
+//
+  permission java.util.PropertyPermission "user.*", "read";
+  permission java.util.PropertyPermission "java.home", "read";
+  permission java.util.PropertyPermission "java.class.path", "read";
+  permission java.lang.RuntimePermission "getProtectionDomain";
+  permission java.io.FilePermission "<<ALL FILES>>", "read";
 };
 

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/SecureServerTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/SecureServerTest.java?rev=592758&r1=592757&r2=592758&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/SecureServerTest.java
(original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/SecureServerTest.java
Wed Nov  7 06:26:12 2007
@@ -25,6 +25,8 @@
 import java.io.PrintWriter;
 import java.io.StringWriter;
 import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.sql.Connection;
 import java.sql.DriverManager;
 import java.util.ArrayList;
@@ -355,6 +357,12 @@
         // wildcarded (DERBY-2811)
         //
         if ( _authenticationRequired && ( _wildCardHost != null ) ) { connectToServer();
}
+
+        //
+        // make sure that we can run sysinfo and turn on tracing (DERBY-3086)
+        //
+        runsysinfo();
+        enableTracing();
     }
 
     private void    connectToServer()
@@ -376,6 +384,26 @@
         conn.close();
     }
 
+    private void    runsysinfo()
+        throws Exception
+    {
+        String          sysinfoOutput = runServerCommand( "sysinfo" );
+
+        if ( sysinfoOutput.indexOf( "Security Exception:" ) > -1 )
+        { fail( "Security exceptions in sysinfo output:\n\n:" + sysinfoOutput ); }
+    }
+
+    private void    enableTracing()
+        throws Exception
+    {
+        String          traceOnOutput = runServerCommand( "trace on" );
+
+        println( "Output for trace on command:\n\n" + traceOnOutput );
+
+        if ( traceOnOutput.indexOf( "Trace turned on for all sessions." ) < 0 )
+        { fail( "Security exceptions in output of trace enabling command:\n\n:" + traceOnOutput
); }
+    }
+    
     ///////////////////////////////////////////////////////////////////////////////////
     //
     // Object OVERLOADS
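Review bot: `runsysinfo()` passes whenever the output lacks the substring `Security Exception:`, so empty or truncated output (for instance when the child process never started) counts as success. It should also assert a positive condition, such as non-empty output or a line that sysinfo is known to print. In `enableTracing()` the failure text `Security exceptions in output of trace enabling command` is misleading, because the check fires on any output that lacks the success line; a message like `"Tracing was not turned on. Server output:\n\n"` describes the failure accurately.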
@@ -402,12 +430,59 @@
     //
     ///////////////////////////////////////////////////////////////////////////////////
 
+    /**
+     * <p>
+     * Run a NetworkServerControl command.
+     * </p>
+     */
+    private String    runServerCommand( String commandSpecifics )
+        throws Exception
+    {
+        String          portNumber = Integer.toString( getTestConfiguration().getPort() );
+        StringBuffer    buffer = new StringBuffer();
+        String          classpath = getSystemProperty( "java.class.path" );
+
+        buffer.append( "java -classpath " );
+        buffer.append( classpath );
+        buffer.append( " org.apache.derby.drda.NetworkServerControl -p " + portNumber + "
" + commandSpecifics );
+
+        final   String  command = buffer.toString();
+
+        println( "Server command is " + command );
+
+        Process     serverProcess = (Process) AccessController.doPrivileged
+            (
+             new PrivilegedAction()
+             {
+                 public Object run()
+                 {
+                     Process    result = null;
+                     try {
+                        result = Runtime.getRuntime().exec( command );
+                     } catch (Exception ex) {
+                         ex.printStackTrace();
+                     }
+                     
+                     return result;
+                 }
+             }
+            );
+
+        InputStream is = serverProcess.getInputStream();
+        
+        return getProcessOutput( is, 10000 );
+    }
+
     private String  getServerOutput()
         throws Exception
     {
-        byte[]          inputBuffer = new byte[ 1000 ];
+        return getProcessOutput( _inputStreamHolder[ 0 ], 1000 );
+    }
 
-        InputStream is = _inputStreamHolder[ 0 ];
+    private String  getProcessOutput( InputStream is, int bufferLength )
+        throws Exception
+    {
+        byte[]          inputBuffer = new byte[ bufferLength ];
 
         int             bytesRead = is.read( inputBuffer );
 
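Review bot: In `runServerCommand()` the `PrivilegedAction` catches every exception from `Runtime.getRuntime().exec( command )`, prints the stack trace and returns null, so a launch failure surfaces as a NullPointerException at `serverProcess.getInputStream()` instead of the real cause. A `PrivilegedExceptionAction` lets the original exception propagate, as sketched below (it needs the matching `java.security` imports). Separately, the command is built as one string and handed to `exec(String)`, which splits on whitespace, so a classpath entry containing a space breaks the launch; the `String[]` overload avoids that. `getProcessOutput()` continues past the end of the hunk; from the visible lines it does a single `read()`, which may return only part of the child's output.

```java
        // … unchanged: command string construction and println …

        Process     serverProcess;
        try {
            serverProcess = (Process) AccessController.doPrivileged
                (
                 new PrivilegedExceptionAction()
                 {
                     public Object run() throws Exception
                     {
                         return Runtime.getRuntime().exec( command );
                     }
                 }
                );
        } catch (PrivilegedActionException pae) {
            // rethrow the real launch failure rather than continuing with null
            throw pae.getException();
        }

        // … unchanged: read the child's output via getProcessOutput …
```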

Modified: db/derby/code/trunk/java/tools/org/apache/derby/impl/tools/sysinfo/Main.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/tools/org/apache/derby/impl/tools/sysinfo/Main.java?rev=592758&r1=592757&r2=592758&view=diff
==============================================================================
--- db/derby/code/trunk/java/tools/org/apache/derby/impl/tools/sysinfo/Main.java (original)
+++ db/derby/code/trunk/java/tools/org/apache/derby/impl/tools/sysinfo/Main.java Wed Nov 
7 06:26:12 2007
@@ -199,10 +199,17 @@
 
 	  localAW.println("JRE - JDBC: " + org.apache.derby.iapi.services.info.JVMInfo.derbyVMLevel());
 
-	  String classpath;
+	  String classpath = null;
 
-	  try {
-		  classpath = System.getProperty("java.class.path");
+      try {
+          classpath = (String) AccessController.doPrivileged( new PrivilegedAction()
+              {
+                  public Object run()
+                  {
+                      return System.getProperty("java.class.path");
+                  }
+              }
+              );
 	  }
 	  catch (SecurityException se) {
           localAW.println(
@@ -210,7 +217,7 @@
 		  classpath = null;
 	  }
 
-    ZipInfoProperties zip[]= Main.getAllInfo (classpath);
+      ZipInfoProperties zip[]= Main.getAllInfo (classpath);
 
     if (zip != null) {
 
@@ -289,15 +296,20 @@
     security exception.
    */
 
-  private static String getJavaProperty (String whichProperty) {
+  private static String getJavaProperty (final String whichProperty) {
 
-    String property;
-    String unavailable = Main.getTextMessage ("SIF01.H");
+    final   String unavailable = Main.getTextMessage ("SIF01.H");
 
     try {
-
-      property = System.getProperty (whichProperty, unavailable);
-      return property;
+        String  property = (String) AccessController.doPrivileged( new PrivilegedAction()
+            {
+                public  Object  run()
+                {
+                    return System.getProperty (whichProperty, unavailable);
+                }
+            }
+            );
+        return property;
     }
     catch (SecurityException se) {
 
@@ -889,26 +901,34 @@
      *  @param cpEntry the classpath element
      *  @return a ZipInfoProperties if an info properties file is found.
      */
-    private static ZipInfoProperties checkForInfo(String cpEntry)
+    private static ZipInfoProperties checkForInfo(final String cpEntry)
     {
-        File f = new File(cpEntry);
-        if ( ! f.exists())
-        {
-            return null;
-        }
+        return (ZipInfoProperties) AccessController.doPrivileged( new PrivilegedAction()
+            {
+                public Object run()
+                {
+                    File f = new File(cpEntry);
+                    if ( ! f.exists())
+                    {
+                        return null;
+                    }
 
-        if (f.isDirectory())
-        {
-            ZipInfoProperties zip = checkDirectory(cpEntry);
-            return zip;
-        }
+                    if (f.isDirectory())
+                    {
+                        ZipInfoProperties zip = checkDirectory(cpEntry);
+                        return zip;
+                    }
 
-        if (f.isFile())
-        {
-            ZipInfoProperties zip = checkFile(cpEntry);
-            return zip;
-        }
-        return null;
+                    if (f.isFile())
+                    {
+                        ZipInfoProperties zip = checkFile(cpEntry);
+                        return zip;
+                    }
+                    return null;
+                }
+            }
+            );
+        
     }
 
     /**
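Review bot: The privileged block in `checkForInfo()` wraps the calls to `checkDirectory(cpEntry)` and `checkFile(cpEntry)` as well as the `File` existence tests, so everything those helpers do runs with the sysinfo jar's own permissions, which after this commit include read on `<<ALL FILES>>`. Their bodies are outside the hunk, so whether they need the elevation cannot be judged from here. What can be said is that `cpEntry` should only ever originate from the JVM's own `java.class.path`, because a less-trusted caller able to reach this method could otherwise learn about files it cannot read itself. A comment stating that invariant would help, e.g. `// cpEntry must originate from java.class.path; never pass caller-supplied paths into this privileged block.` The stray blank line after the closing `);` can also go.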


