Message-ID: <505507612.1228754444352.JavaMail.jira@brutus>
Date: Mon, 8 Dec 2008 08:40:44 -0800 (PST)
From: "Kathey Marsden (JIRA)"
To: derby-dev@db.apache.org
Subject: [jira] Assigned: (DERBY-467) Restrict direct access to privileged blocks from application code
In-Reply-To: <1630652910.1121890906792.JavaMail.jira@ajax.apache.org>

     [ https://issues.apache.org/jira/browse/DERBY-467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kathey Marsden reassigned DERBY-467:
------------------------------------

    Assignee:     (was: Daniel John Debrunner)

> Restrict direct access to privileged blocks from application code
> -----------------------------------------------------------------
>
>                 Key: DERBY-467
>                 URL: https://issues.apache.org/jira/browse/DERBY-467
>             Project: Derby
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: 10.1.1.0, 10.2.1.6
>            Reporter: Daniel John Debrunner
>
> In looking at the privileged blocks in Derby several are accessible from application code, either as in public/protected methods and public classes. The fix for this includes:
>   - making packages in the jar files sealed wherever possible
>   - making classes and methods with privileged blocks as private as possible (private or package for methods, package for classes)
> As Derby moves towards a more client server approach (e.g. see grant/revoke) I started to perform a security analysis of the privileged blocks, but realised it would be easier if I fixed the obvious problems first.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
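
The two fixes listed in the issue description, shown as an added Java example that is not part of the original message and is not Derby code. All class, method and property names are hypothetical, and it assumes a JDK that still ships java.security.AccessController (deprecated since Java 17).

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// File: PropertyReader.java (hypothetical names throughout, not Derby's).

// Before: public class, public method, privileged block, caller-chosen argument.
// Any application class can call read() and have the library's permissions
// applied to a property name the library never vetted.
public class PropertyReader {
    public static String read(final String key) {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(key));
    }

    public static void main(String[] args) {
        // Both calls return the same value when run without a security policy;
        // the difference is who is able to reach the privileged block.
        System.out.println(read("java.io.tmpdir"));
        System.out.println(TempDirSetting.tempDir());
    }
}

// After: package-private class, private privileged block, fixed argument.
// Package-private is only a boundary if the package is sealed; otherwise a
// class from another jar can declare itself in this package and call in.
// Sealing is declared in the jar's META-INF/MANIFEST.MF, for example:
//   Name: org/example/impl/        (constructed package name)
//   Sealed: true
final class TempDirSetting {
    private static final String KEY = "java.io.tmpdir";

    private TempDirSetting() { }

    // Package-private entry point: reachable only from the same sealed package.
    static String tempDir() {
        return readFixed();
    }

    // The privileged block itself is private and takes no caller input.
    private static String readFixed() {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(KEY));
    }
}
```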