db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rick Hillegas <Richard.Hille...@Sun.COM>
Subject Re: QueryObjectGenerator & SecurityManager - bug or requirement?
Date Tue, 11 Apr 2006 17:39:34 GMT
Hi Dan,

I believe this has exposed a jdk bug. I think it's being worked on. 
Thanks for raising the issue.

Regards,
-Rick

Daniel John Debrunner wrote:

>Anurag Shekhar wrote:
>
>  
>
>>Daniel John Debrunner wrote On 04/10/06 23:54,:
>>
>>    
>>
>>>In the properties file for the TestQueryObject JDBC 4.0 test we have:
>>>
>>>#this case tests QueryObject related methods which are present in jdk 1.6
>>>#default QueryObjectGenerator uses reflection to check the Data Object
>>>#before calling the methods to set the values. This is a privileged
>>>operation
>>>#and fails in the presence of security manager
>>>noSecurityManager=true
>>>
>>>Is this a bug in Mustang?
>>> 
>>>
>>>      
>>>
>>No its not a bug. createQueryObject method needs to check of declared
>>fields
>>to find mapping of fields and columns.
>>    
>>
>
>
>  
>
>>Granting accessDeclaredMembers to com.sun.sql.QueryObjectGeneratorImpl
>>should fix this error. But com.sun.sql.QueryObjectGeneratorImpl
>>is internal class of sun's jdk, so this problem will exist on other jdk's.
>>    
>>
>
>Hmmm, I see why the security exception is thrown, but this instantly
>leads to other questions about how an application uses this feature with
>a security manager enabled.
>
>How would an application grant access to this piece of code?
>
>How would an application do this in a portable manner?
>
>How does the application put a privileged block around a query methods
>in an interface? Such as:
>
>interface MyQueries extends BaseQuery {
>   @Select(sql="SELECT lastName, description FROM mammals")
>   DataSet<Mammal> getAllMammals();
>
>   @Update(sql="delete from mammals")
>   int deleteAllMammals();
>}
>
>Or does the application have to put a privileged block around every
>caller of these methods, doesn't seem like ease of use to me?
>
>[the stack trace you provided doesn't seem to show use of a privileged
>block in the default implementation.]
>
>Seems very strange to me that an application is required to grant
>permissions to a class/jar file from the JRE. Normally system code has
>all the required permissions and executes restricted operations in
>privileged blocks.
>
>It would be good to clarify this in the JDBC 4.0 specification and/or
>javadoc, any security manager requirements around the "implementation of
>QueryObjectGenerator provided by Java SE 6."
>
>Thanks,
>Dan.
>
>  
>


Mime
View raw message