db-derby-commits mailing list archives

From d..@apache.org
Subject svn commit: r636493 - in /db/derby/code/trunk/java: drda/org/apache/derby/drda/ engine/org/apache/derby/impl/services/jmx/ engine/org/apache/derby/mbeans/ testing/org/apache/derbyTesting/functionTests/util/
Date Wed, 12 Mar 2008 20:23:40 GMT
Author: djd
Date: Wed Mar 12 13:23:37 2008
New Revision: 636493

URL: http://svn.apache.org/viewvc?rev=636493&view=rev
Log:
DERBY-3462 Enforce requiring SystemPermission("jmx", "control") for starting and stopping
Derby's JMX management.

Modified:
    db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy
    db/derby/code/trunk/java/engine/org/apache/derby/impl/services/jmx/JMXManagementService.java
    db/derby/code/trunk/java/engine/org/apache/derby/mbeans/ManagementMBean.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy

Modified: db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy?rev=636493&r1=636492&r2=636493&view=diff
==============================================================================
--- db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy (original)
+++ db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy Wed Mar 12 13:23:37
2008
@@ -56,6 +56,13 @@
 // Trusts Derby code to be a source of MBeans and to register these in the MBean server.
 //
   permission javax.management.MBeanTrustPermission "register";
+  
+  // Gives permission for jmx to be used against Derby but
+  // only if JMX authentication is not being used.
+  // In that case the application would need to create
+  // a whole set of fine-grained permissions to allow specific
+  // users access to MBeans and actions they perform.
+  permission org.apache.derby.security.SystemPermission "jmx", "control";
 
 };
 
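Review bot: The comment added above the `SystemPermission "jmx", "control"` grant is ambiguous: "In that case" reads as if it refers to JMX authentication not being used, while the sentence that follows only makes sense when authentication is in use. This file appears to be the policy template for the network server, so operators are likely to copy it; state both cases directly, e.g. `// Allows Derby's JMX management to be started and stopped when JMX authentication is not in use.` followed by `// With JMX authentication the application must instead grant fine-grained permissions to specific users.` The same comment is copied into derby_tests.policy at `@@ -96,6 +96,13 @@`. The enclosing grant block starts outside the hunk, so which code base receives the permission cannot be confirmed from here.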

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/services/jmx/JMXManagementService.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/services/jmx/JMXManagementService.java?rev=636493&r1=636492&r2=636493&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/services/jmx/JMXManagementService.java
(original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/services/jmx/JMXManagementService.java
Wed Mar 12 13:23:37 2008
@@ -376,13 +376,21 @@
         }
     }
     
+    /**
+     * Control permission (permissions are immutable).
+     */
     private final static SystemPermission CONTROL =
         new SystemPermission(
                 SystemPermission.JMX, SystemPermission.CONTROL);
 
+    /**
+     * Require SystemPermission("jmx", "control") to change
+     * the management state.
+     */
     private void checkJMXControl() {
         try {
-            // AccessController.checkPermission(CONTROL);
+            if (System.getSecurityManager() != null)
+                AccessController.checkPermission(CONTROL);
         } catch (AccessControlException e) {
             // Need to throw a simplified version as AccessControlException
             // will have a reference to Derby's SystemPermission which most likely
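Review bot: The new guard in checkJMXControl() tests `System.getSecurityManager()` but then calls `AccessController.checkPermission(CONTROL)` directly, so an installed SecurityManager that overrides checkPermission is never consulted for this decision. If that is not intended, delegate to the manager with `SecurityManager sm = System.getSecurityManager();` and `if (sm != null) { sm.checkPermission(CONTROL); }`; the braces also keep the guarded call attached to its condition under later edits. A custom manager may throw a SecurityException that is not an AccessControlException, so the catch would then need to cover SecurityException for the simplified rethrow to apply. The method body continues past the end of the hunk, so the rethrow itself is not visible here.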

Modified: db/derby/code/trunk/java/engine/org/apache/derby/mbeans/ManagementMBean.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/mbeans/ManagementMBean.java?rev=636493&r1=636492&r2=636493&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/mbeans/ManagementMBean.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/mbeans/ManagementMBean.java Wed Mar 12
13:23:37 2008
@@ -55,6 +55,7 @@
      * The system identifier is a runtime value to disambiguate
      * multiple Derby systems in the same virtual machine but
      * different class loaders.
+     * 
      * @return Runtime identifier for the system, null if Derby is not running.
      */
     public String getSystemIdentifier();
@@ -63,12 +64,22 @@
      * Inform Derby to start its JMX management by registering
      * MBeans relevant to its current state. If Derby is not
      * booted then no action is taken.
+     * <P>
+     * Require SystemPermission("jmx", "control") if a security
+     * manager is installed.
+     * 
+     * @see org.apache.derby.security.SystemPermission
      */
     public void startManagement();
     
     /**
      * Inform Derby to stop its JMX management by unregistering
      * its MBeans. If Derby is not booted then no action is taken.
+     * <P>
+     * Require SystemPermission("jmx", "control") if a security
+     * manager is installed.
+     * 
+     * @see org.apache.derby.security.SystemPermission
      */
     public void stopManagement();
 }
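Review bot: The Javadoc added to startManagement() and stopManagement() states the required permission but not what a caller observes when it is missing. These operations are exposed through an MBean interface, so the failure mode is part of the contract. Add a `@throws` line to both methods naming the exception that checkJMXControl() raises after simplifying the AccessControlException; the type is not visible in this commit's hunks, so confirm it against the implementation. "Require" should also read "Requires" in both places.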

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy?rev=636493&r1=636492&r2=636493&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy
(original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy
Wed Mar 12 13:23:37 2008
@@ -96,6 +96,13 @@
 // Trusts Derby code to be a source of MBeans and to register these in the MBean server.
 //
   permission javax.management.MBeanTrustPermission "register";
+
+  // Gives permission for jmx to be used against Derby but
+  // only if JMX authentication is not being used.
+  // In that case the application would need to create
+  // a whole set of fine-grained permissions to allow specific
+  // users access to MBeans and actions they perform.
+  permission org.apache.derby.security.SystemPermission "jmx", "control";
   
  
   // These permissions are needed when testing code instrumented with EMMA.
@@ -201,6 +208,10 @@
   permission javax.management.MBeanPermission "org.apache.derby.mbeans.*#-[org.apache.derby:*]",
"getMBeanInfo";
   permission javax.management.MBeanPermission "-#-[-]", "queryNames";
   permission javax.management.MBeanPermission "org.apache.derby.mbeans.*#-[org.apache.derby:*]",
"queryNames";
+  
+  // Test code needs this as well for the platform MBeanServer
+  // tests where the testing code is in the stack frame.
+  permission org.apache.derby.security.SystemPermission "jmx", "control";
 
   // These permissions are needed when testing code instrumented with EMMA.
   permission java.lang.RuntimePermission "${emma.active}writeFileDescriptor";
@@ -263,7 +274,8 @@
   permission javax.management.MBeanPermission "org.apache.derby.mbeans.*#-[org.apache.derby:*]",
"getMBeanInfo";
   permission javax.management.MBeanPermission "-#-[-]", "queryNames";
   permission javax.management.MBeanPermission "org.apache.derby.mbeans.*#-[org.apache.derby:*]",
"queryNames";
-
+  
+  permission org.apache.derby.security.SystemPermission "jmx", "control";
 };
 
 // JUnit jar file tries to read junit.properties in the user's
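Review bot: The grant added at the end of this block carries no comment, unlike the other two `SystemPermission "jmx", "control"` additions in this file. The block's `grant` header is outside the hunk, so a reader cannot tell which code base gains the ability to start and stop management or why the tests need it. Add a short comment above the new line, in the style of the one at `@@ -201,6 +208,10 @@`, naming the code base and the tests that depend on it, so the permission can be removed once they no longer do.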


