db-derby-dev mailing list archives

From Daniel John Debrunner <...@apache.org>
Subject Re: QueryObjectGenerator & SecurityManager - bug or requirement?
Date Tue, 11 Apr 2006 14:54:00 GMT
Anurag Shekhar wrote:

> Daniel John Debrunner wrote On 04/10/06 23:54,:
>> In the properties file for the TestQueryObject JDBC 4.0 test we have:
>> #this case tests QueryObject related methods which are present in jdk 1.6
>> #default QueryObjectGenerator uses reflection to check the Data Object
>> #before calling the methods to set the values. This is a privileged operation
>> #and fails in the presence of security manager
>> noSecurityManager=true
>> Is this a bug in Mustang?
> No, it's not a bug. createQueryObject method needs to check the declared
> fields to find mapping of fields and columns.

> Granting accessDeclaredMembers to com.sun.sql.QueryObjectGeneratorImpl
> should fix this error. But com.sun.sql.QueryObjectGeneratorImpl
> is an internal class of Sun's JDK, so this problem will exist on other JDKs.

Hmmm, I see why the security exception is thrown, but this instantly
leads to other questions about how an application uses this feature with
a security manager enabled.

How would an application grant access to this piece of code?

How would an application do this in a portable manner?

How does the application put a privileged block around query methods
in an interface? Such as:

interface MyQueries extends BaseQuery {
   @Select(sql="SELECT lastName, description FROM mammals")
   DataSet<Mammal> getAllMammals();

   @Update(sql="delete from mammals")
   int deleteAllMammals();
}

Or does the application have to put a privileged block around every
caller of these methods? That doesn't seem like ease of use to me.

[the stack trace you provided doesn't seem to show use of a privileged
block in the default implementation.]

Seems very strange to me that an application is required to grant
permissions to a class/jar file from the JRE. Normally system code has
all the required permissions and executes restricted operations in
privileged blocks.

It would be good to clarify this in the JDBC 4.0 specification and/or
javadoc, any security manager requirements around the "implementation of
QueryObjectGenerator provided by Java SE 6."
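
Added example, not part of the original message and not Derby or JDK code: one way application code could put a privileged block around every method of a query interface is a dynamic proxy. MammalQueries and its reflective body are hypothetical stand-ins for a generated query object, and the codeBase in the policy comment is a placeholder.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Policy entry for the jar holding this wrapper (placeholder codeBase):
//   grant codeBase "file:/path/to/wrapper.jar" {
//     permission java.lang.RuntimePermission "accessDeclaredMembers";
//   };
public final class PrivilegedQueries {

    /** Returns a proxy for iface that runs each call to target in a privileged block. */
    public static <T> T wrap(final Class<T> iface, final T target) {
        InvocationHandler handler = new InvocationHandler() {
            public Object invoke(Object proxy, final Method m, final Object[] args) throws Throwable {
                try {
                    // The permission check stops at this frame: callers further up
                    // the stack do not need accessDeclaredMembers themselves.
                    return AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                        public Object run() throws Exception {
                            return m.invoke(target, args);
                        }
                    });
                } catch (PrivilegedActionException e) {
                    Throwable cause = e.getException();
                    // Unwrap so callers see the target's own exception.
                    throw (cause instanceof InvocationTargetException) ? cause.getCause() : cause;
                }
            }
        };
        return iface.cast(Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, handler));
    }

    // Hypothetical stand-in for a query interface such as MyQueries.
    interface MammalQueries { int countDeclaredFields(); }

    public static void main(String[] args) {
        MammalQueries raw = new MammalQueries() {
            public int countDeclaredFields() {
                // Same kind of reflective access the thread attributes to the generator.
                return String.class.getDeclaredFields().length;
            }
        };
        System.out.println(wrap(MammalQueries.class, raw).countDeclaredFields());
    }
}
```

The wrapper asserts its own permissions on behalf of any caller, so the wrapped interface should stay narrow and the proxy should not be handed to untrusted code. Code that runs inside the privileged block, including the target implementation, must still hold the permission in its own protection domain.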

