Return-Path: 
 <derby-dev-return-9316-apmail-db-derby-dev-archive=db.apache.org@db.apache.org>
Delivered-To: apmail-db-derby-dev-archive@www.apache.org
Received: (qmail 37555 invoked from network); 14 Oct 2005 18:35:13 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 14 Oct 2005 18:35:13 -0000
Received: (qmail 16639 invoked by uid 500); 14 Oct 2005 18:35:13 -0000
Delivered-To: apmail-db-derby-dev-archive@db.apache.org
Received: (qmail 16406 invoked by uid 500); 14 Oct 2005 18:35:12 -0000
Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:derby-dev-help@db.apache.org>
List-Unsubscribe: <mailto:derby-dev-unsubscribe@db.apache.org>
List-Post: <mailto:derby-dev@db.apache.org>
List-Id: <derby-dev.db.apache.org>
Delivered-To: mailing list derby-dev@db.apache.org
Received: (qmail 16397 invoked by uid 99); 14 Oct 2005 18:35:12 -0000
X-ASF-Spam-Status: No, hits=1.3 required=10.0
	tests=SPF_FAIL
X-Spam-Check-By: apache.org
Received: from [192.87.106.226] (HELO ajax.apache.org) (192.87.106.226)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 14 Oct 2005 11:35:10 -0700
Received: from ajax.apache.org (ajax.apache.org [127.0.0.1])
	by ajax.apache.org (Postfix) with ESMTP id 28353592
	for <derby-dev@db.apache.org>; Fri, 14 Oct 2005 20:34:46 +0200 (CEST)
Message-ID: <1715469588.1129314886162.JavaMail.jira@ajax.apache.org>
Date: Fri, 14 Oct 2005 20:34:46 +0200 (CEST)
From: "Daniel John Debrunner (JIRA)" <derby-dev@db.apache.org>
To: derby-dev@db.apache.org
Subject: [jira] Created: (DERBY-626) Booting embedded engine requires read
 permission to derby.jar be granted for all code in the stack
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

Booting embedded engine requires read permission to derby.jar be granted for all code in the stack
--------------------------------------------------------------------------------------------------

         Key: DERBY-626
         URL: http://issues.apache.org/jira/browse/DERBY-626
     Project: Derby
        Type: Bug
  Components: Security, Services  
    Versions: 10.1.1.0, 10.2.0.0    
    Reporter: Daniel John Debrunner
 Assigned to: Daniel John Debrunner 
    Priority: Critical


When running in a security manager the embedded engine uses ClassLoader.getResources() to obtain the set of modules.properties files. This method returns an empty set if running in a security manager and permission has not been granted to read derby.jar to all code in the stack, unless the method is executed in a privileged block.

This is a regression early on in Derby's life and was not caught because of lack of testing under the security manager and was hidden by the need to grant read permission for DERBY-622.

The embedded code does not need this permission to be granted since 'Note: code can always read a file from the same directory it's in (or a subdirectory of that directory); it does not need explicit permission to do so.' 

Need to re-factor code to ensure that the call to getResources and opening the resulting URL  is all in a privileged block.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira