db-derby-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Apache Wiki <wikidi...@apache.org>
Subject [Db-derby Wiki] Update of "AnalyzingSecurityManagerIssues" by MyrnavanLunteren
Date Wed, 06 Nov 2013 00:06:54 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.

The "AnalyzingSecurityManagerIssues" page has been changed by MyrnavanLunteren:
https://wiki.apache.org/db-derby/AnalyzingSecurityManagerIssues?action=diff&rev1=2&rev2=3

  == Introduction ==
  Java has the concept of Security Manager. You can read up on this here: http://docs.oracle.com/javase/7/docs/api/java/lang/SecurityManager.html,
and for more detail: http://docs.oracle.com/javase/7/docs/technotes/guides/security/ and http://www.oracle.com/technetwork/java/seccodeguide-139067.html
  
- In simple terms, running under [[SecurityManager|!SecurityManager]] involves the following
aspects:
+ In simple terms, running under !SecurityManager involves the following aspects:
  
   * Policy File
  
@@ -25, +25 @@

  
   * Privileged Block
  
-  . A section of code which, when running under SecurityManager, requires a  certain permission,
has to be wrapped in a 'Privileged Block'. For  instance, code that needs to check on a system
property, or read or  write to a file, would need this.
+  . A section of code which, when running under !SecurityManager, requires a  certain permission,
has to be wrapped in a 'Privileged Block'. For  instance, code that needs to check on a system
property, or read or  write to a file, would need this.
  
   . For examples of Privileged Block code, see: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/PrivilegedFileOpsForTests.java?revision=1537394&view=markup
or http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/junit/TimeZoneTestSetup.java?revision=1524579&view=markup.
However, this is in test code, but typically, you want to put Priviledged code in private
methods, for example: http://svn.apache.org/viewvc/db/derby/code/trunk/java/tools/org/apache/derby/impl/tools/sysinfo/Main.java?view=markup
  
-  * Running without SecurityManager
+  * Running without !SecurityManager
  
   . Unless you specify to run with security manager, you run java code without Security Manager.
  
   . Note that the Derby functional tests always run with security manager, as do many other
programs (such as tomcat).
  
-  * Running with SecurityManager
+  * Running with !SecurityManager
  
   . To run with Security Manager, you either set the Security Manager in  the program (find
examples on line if you want to do this), or you start  the java program with the following:
-Djava.security.Manager  -Djava.security.policy=[path to previously created policyfile]
  
-  * java.lang.SecurityException and java.security.AccessControlException
+  * java.lang.!SecurityException and java.security.!AccessControlException
  
-  . Code that should, but does not have permission, gets refused by the SecurityManager,
which usually means you will get a  java.security.AccessControlException('Access denied').
See for an  example of this https://issues.apache.org/jira/browse/DERBY-6349.
+  . Code that should, but does not have permission, gets refused by the !SecurityManager,
which usually means you will get a  java.security.!AccessControlException('Access denied').
See for an  example of this https://issues.apache.org/jira/browse/DERBY-6349.
  
  == Debugging a Security Issue ==
  Typically an indication that you are dealing with a security manager  issue is that you
get an "access denied" error.  There are three types  of Security Manager issues you might
encounter:
  
-  * security manager issues where the customer application is at fault
+  * security manager issues where a third part or user application is at fault
   * security manager issues where the java class library is at fault
   * security manager issues where the derby code is at fault.
  
  The first step to debugging a security manager issue is to determine  which class library
is at fault. First identify what java API call is  being made. For this you need the stack
trace from the Exception.
  
- If it's the customer application, you're done, you just need to tell  them.  If it's a Java
class Library, you need to create a test case,  with a program and a policy file. If it's
a Derby problem, you need to  add a privileged block and/or adjust the policy files.
+ If the code is in a Derby user's application or in other third party software, you're done,
just point them to the stack trace.  If it's a Java class Library, you need to create a test
case, with a program and a policy file and report to the vendor. If it's a Derby problem,
you need to  add a privileged block and/or adjust the policy files.
  
  === Example 1: Java Class Library ===
  ==== Step 1: Analyze the Stack Trace: ====
@@ -79, +79 @@

  at org.apache.derby.impl.services.monitor.TopService.bootModule(Unknown Source)
  }}}
  
- In this example the class throwing the security exception is "java.security.MessageDigest.getInstance()".
+ In this example the class throwing the security exception is "java.security.!MessageDigest.getInstance()".
  
  ==== Step 2: Look at the java API javadoc ====
  In the example above, this is:
@@ -118, +118 @@

  ==== Step 3.c Run with Security Manager ====
  Next run the program with security manager on.
  
-  . java  -Djava.security.manager -Djava.security.policy=my.policy TestMessageDigest
+  . java  -Djava.security.manager -Djava.security.policy=my.policy !TestMessageDigest
  
  ==== Step 4: Report the problem to the vendor ====
  Do this using your support channels.
@@ -142, +142 @@

          at org.apache.derbyTesting.junit.BaseTestSetup.run(BaseTestSetup.java:57)
  }}}
  
- Here again we identify the java API call. In this case TimeZone.setDefault(), called from
TimeZoneTestSetup.
+ Here again we identify the java API call. In this case !TimeZone.setDefault(), called from
!TimeZoneTestSetup.
  
  ==== Step 2: Look at the java API javadoc ====
- The Derby code in TimeZoneTestSetup was doing this:
+ The Derby code in !TimeZoneTestSetup was doing this:
  
  {{{
  setDefault(requestedDefault);

Mime
View raw message