Return-Path: Delivered-To: apmail-db-derby-commits-archive@www.apache.org Received: (qmail 87742 invoked from network); 13 Mar 2008 17:50:52 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 13 Mar 2008 17:50:52 -0000 Received: (qmail 75785 invoked by uid 500); 13 Mar 2008 17:50:49 -0000 Delivered-To: apmail-db-derby-commits-archive@db.apache.org Received: (qmail 75760 invoked by uid 500); 13 Mar 2008 17:50:49 -0000 Mailing-List: contact derby-commits-help@db.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: "Derby Development" List-Id: Delivered-To: mailing list derby-commits@db.apache.org Received: (qmail 75748 invoked by uid 99); 13 Mar 2008 17:50:49 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 13 Mar 2008 10:50:49 -0700 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO eris.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 13 Mar 2008 17:50:08 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id B5D561A9832; Thu, 13 Mar 2008 10:50:27 -0700 (PDT) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r636813 - in /db/derby/code/trunk: java/drda/org/apache/derby/drda/ java/drda/org/apache/derby/impl/drda/ java/engine/org/apache/derby/iapi/services/info/ java/engine/org/apache/derby/impl/services/jmx/ java/engine/org/apache/derby/mbeans/ ... Date: Thu, 13 Mar 2008 17:50:25 -0000 To: derby-commits@db.apache.org 
From: djd@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20080313175027.B5D561A9832@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: djd Date: Thu Mar 13 10:50:16 2008 New Revision: 636813 URL: http://svn.apache.org/viewvc?rev=636813&view=rev Log: DERBY-3506 Add requirement for SystemPermission("engine"|"server", "monitor") for getting attributes of the VersionMBean. Add various javadoc improvements related to the change. Modified: db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java db/derby/code/trunk/java/engine/org/apache/derby/iapi/services/info/Version.java db/derby/code/trunk/java/engine/org/apache/derby/impl/services/jmx/JMXManagementService.java db/derby/code/trunk/java/engine/org/apache/derby/mbeans/ManagementMBean.java db/derby/code/trunk/java/engine/org/apache/derby/mbeans/VersionMBean.java db/derby/code/trunk/java/engine/org/apache/derby/mbeans/package.html db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy db/derby/code/trunk/tools/javadoc/publishedapi.ant Modified: db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy?rev=636813&r1=636812&r2=636813&view=diff ============================================================================== --- db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy (original) +++ db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy Thu Mar 13 10:50:16 2008 
@@ -63,6 +63,8 @@ // a whole set of fine-grained permissions to allow specific // users access to MBeans and actions they perform. permission org.apache.derby.security.SystemPermission "jmx", "control"; + permission org.apache.derby.security.SystemPermission "engine", "monitor"; + permission org.apache.derby.security.SystemPermission "server", "monitor"; }; Modified: db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java?rev=636813&r1=636812&r2=636813&view=diff ============================================================================== --- db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java (original) +++ db/derby/code/trunk/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java Thu Mar 13 10:50:16 2008 @@ -779,7 +779,7 @@ final Object versionMBean = mgmtService.registerMBean( new Version( getNetProductVersionHolder(), - null /*SystemPermission.SERVER*/), + SystemPermission.SERVER), VersionMBean.class, "type=Version,jar=derbynet.jar"); final Object networkServerMBean = mgmtService.registerMBean( Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/services/info/Version.java URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/services/info/Version.java?rev=636813&r1=636812&r2=636813&view=diff ============================================================================== --- db/derby/code/trunk/java/engine/org/apache/derby/iapi/services/info/Version.java (original) +++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/services/info/Version.java Thu Mar 13 10:50:16 2008 
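Review bot: The two added `"engine", "monitor"` and `"server", "monitor"` grants in server.policy have no comment saying what they unlock; the visible comment above them is about JMX access in general. A line such as `// Needed to read VersionMBean attributes when a security manager is installed.` above the new entries would tell an administrator trimming this template what stops working if they are removed. The enclosing grant block starts outside the hunk, so which code base receives the grants is not visible here. Because the check added in Version.java goes through `AccessController.checkPermission`, presumably every code source on the calling stack needs the permission, and the comment could say so.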
@@ -21,7 +21,11 @@ package org.apache.derby.iapi.services.info; +import java.security.AccessControlException; +import java.security.AccessController; + import org.apache.derby.mbeans.VersionMBean; +import org.apache.derby.security.SystemPermission; /** * This implementation of VersionMBean instruments a @@ -35,7 +39,7 @@ private final ProductVersionHolder versionInfo; /** - * Permission name for the object the version + * Permission target name for the object the version * information applies to. */ private final String permissionName; @@ -49,9 +53,22 @@ ** Security checks(non-Javadoc) */ + /** + * Ensure caller has permission to monitor Derby. + */ private void checkMonitor() { - // TODO: Add actual check - //new SystemPermission(permissionName, SystemPermission.MONITOR); + + try { + if (System.getSecurityManager() != null) + AccessController.checkPermission( + new SystemPermission(permissionName, + SystemPermission.MONITOR)); + } catch (AccessControlException e) { + // Need to throw a simplified version as AccessControlException + // will have a reference to Derby's SystemPermission which most likely + // will not be available on the client. + throw new SecurityException(e.getMessage()); + } } // ------------------------- MBEAN ATTRIBUTES ---------------------------- Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/services/jmx/JMXManagementService.java URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/services/jmx/JMXManagementService.java?rev=636813&r1=636812&r2=636813&view=diff ============================================================================== --- db/derby/code/trunk/java/engine/org/apache/derby/impl/services/jmx/JMXManagementService.java (original) +++ db/derby/code/trunk/java/engine/org/apache/derby/impl/services/jmx/JMXManagementService.java Thu Mar 13 10:50:16 2008 
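Review bot: In checkMonitor the rethrown `SecurityException` keeps only `e.getMessage()`, so the stack trace showing where the monitor permission was denied is lost to anyone diagnosing it on the server. Dropping the cause is justified by the comment, since the client may not have SystemPermission on its class path. The trace can still be kept without referencing that class: `SecurityException se = new SecurityException(e.getMessage()); se.setStackTrace(e.getStackTrace()); throw se;`. The `if (System.getSecurityManager() != null)` guard controls a four-line statement without braces, so a statement added later would silently fall outside the guard; bracing it avoids that. Both call sites in this commit passed `null` for permissionName before the change and the Version constructor is outside the hunk, so a non-null check there (or a javadoc note on the field) would make the new precondition explicit.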
@@ -121,7 +121,7 @@ registerMBean( new Version( Monitor.getMonitor().getEngineVersion(), - null /* SystemPermission.ENGINE */), + SystemPermission.ENGINE), VersionMBean.class, "type=Version,jar=derby.jar"); } Modified: db/derby/code/trunk/java/engine/org/apache/derby/mbeans/ManagementMBean.java URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/mbeans/ManagementMBean.java?rev=636813&r1=636812&r2=636813&view=diff ============================================================================== --- db/derby/code/trunk/java/engine/org/apache/derby/mbeans/ManagementMBean.java (original) +++ db/derby/code/trunk/java/engine/org/apache/derby/mbeans/ManagementMBean.java Thu Mar 13 10:50:16 2008 @@ -23,10 +23,9 @@ /** * JMX MBean inteface to control visibility of Derby's MBeans. - * When Derby boots it attempts to register an MBean - * implementing ManagementMBean if derby.system.jmx is true. + * When Derby boots it attempts to register its MBeans. * It may fail due to lack of valid permissions. - * If Derby does not register its ManagementMBean then an + * If Derby does not register its MBeans then an * application may register the Management implementation * of ManagementMBean itself and use it to start Derby's * JMX management. @@ -65,7 +64,7 @@ * MBeans relevant to its current state. If Derby is not * booted then no action is taken. *

- * Require SystemPermission("jmx", "control") if a security + * Require SystemPermission("jmx", "control") if a security * manager is installed. * * @see org.apache.derby.security.SystemPermission @@ -76,7 +75,7 @@ * Inform Derby to stop its JMX management by unregistering * its MBeans. If Derby is not booted then no action is taken. *

- * Require SystemPermission("jmx", "control") if a security + * Require SystemPermission("jmx", "control") if a security * manager is installed. * * @see org.apache.derby.security.SystemPermission Modified: db/derby/code/trunk/java/engine/org/apache/derby/mbeans/VersionMBean.java URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/mbeans/VersionMBean.java?rev=636813&r1=636812&r2=636813&view=diff ============================================================================== --- db/derby/code/trunk/java/engine/org/apache/derby/mbeans/VersionMBean.java (original) +++ db/derby/code/trunk/java/engine/org/apache/derby/mbeans/VersionMBean.java Thu Mar 13 10:50:16 2008 @@ -36,6 +36,15 @@ *

  • jar={derby.jar|derbynet.jar} *
  • system=runtime system identifier (see overview) * + *

    + * If a security manager is installed these permissions are required: + *

      + *
    • SystemPermission("server", "monitor") for version information + * specific to derbynet.jar + *
    • SystemPermission("engine", "monitor") for version information + * specific to derby.jar + *
    + * @see org.apache.derby.security.SystemPermission */ public interface VersionMBean { // attributes Modified: db/derby/code/trunk/java/engine/org/apache/derby/mbeans/package.html URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/mbeans/package.html?rev=636813&r1=636812&r2=636813&view=diff ============================================================================== --- db/derby/code/trunk/java/engine/org/apache/derby/mbeans/package.html (original) +++ db/derby/code/trunk/java/engine/org/apache/derby/mbeans/package.html Thu Mar 13 10:50:16 2008 @@ -16,9 +16,8 @@ -->

    JMX MBeans.

    -If derby.system.jmx is true then when Derby (the embedded engine) -is booted it will attempt to connect to the PlatformMBeanServer and register -a number of MBeans to monitor and manage Derby. +When Derby (the embedded engine) is booted it will attempt to connect +to the PlatformMBeanServer and register a number of MBeans to monitor and manage Derby.

    Derby registers its JMX MBeans in the org.apache.derby domain and always includes values for type and system in the MBean's ObjectName's key Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy?rev=636813&r1=636812&r2=636813&view=diff ============================================================================== --- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy (original) +++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy Thu Mar 13 10:50:16 2008 @@ -103,7 +103,8 @@ // a whole set of fine-grained permissions to allow specific // users access to MBeans and actions they perform. permission org.apache.derby.security.SystemPermission "jmx", "control"; - + permission org.apache.derby.security.SystemPermission "engine", "monitor"; + permission org.apache.derby.security.SystemPermission "server", "monitor"; // These permissions are needed when testing code instrumented with EMMA. // They will only be used if the emma.active system property property is set, 
@@ -212,7 +213,9 @@ // Test code needs this as well for the platform MBeanServer // tests where the testing code is in the stack frame. permission org.apache.derby.security.SystemPermission "jmx", "control"; - + permission org.apache.derby.security.SystemPermission "engine", "monitor"; + permission org.apache.derby.security.SystemPermission "server", "monitor"; + // These permissions are needed when testing code instrumented with EMMA. permission java.lang.RuntimePermission "${emma.active}writeFileDescriptor"; }; Modified: db/derby/code/trunk/tools/javadoc/publishedapi.ant URL: http://svn.apache.org/viewvc/db/derby/code/trunk/tools/javadoc/publishedapi.ant?rev=636813&r1=636812&r2=636813&view=diff ============================================================================== --- db/derby/code/trunk/tools/javadoc/publishedapi.ant (original) +++ db/derby/code/trunk/tools/javadoc/publishedapi.ant Thu Mar 13 10:50:16 2008 @@ -8,9 +8,6 @@ # Add new files to the appropriate package section; add new sections # for new packages. # -# IMPORTANT: if you are adding a new package, be sure to add it to -# the list of packages in the publishedapi target in -# the toplevel build.xml file. # # Please do not add whitespace in front of class names. # Blank lines and comments are allowed. @@ -45,5 +42,9 @@ org/apache/derby/mbeans/*.java org/apache/derby/mbeans/drda/*.java + +# package: org.apache.derby.security + +org/apache/derby/security/SystemPermission.java