Return-Path: X-Original-To: apmail-db-derby-dev-archive@www.apache.org Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 6E7B011C2B for ; Tue, 15 Jul 2014 16:47:05 +0000 (UTC) Received: (qmail 85213 invoked by uid 500); 15 Jul 2014 16:47:05 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 85191 invoked by uid 500); 15 Jul 2014 16:47:05 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 85172 invoked by uid 99); 15 Jul 2014 16:47:05 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 15 Jul 2014 16:47:05 +0000 Date: Tue, 15 Jul 2014 16:47:05 +0000 (UTC) From: "Mamta A. Satoor (JIRA)" To: derby-dev@db.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (DERBY-6617) Silently swallowed SecurityExceptions may disable Derby features, including security features. MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/DERBY-6617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14062295#comment-14062295 ] Mamta A. Satoor commented on DERBY-6617: ---------------------------------------- The MissingPermissionsTest test failed on Monday's run on trunk http://people.apache.org/~myrnavl/derby_test_results/main/windows/testlog/ibm16/1610565-suites.All_diff.txt but Knut's fix should resolve it for next run. > Silently swallowed SecurityExceptions may disable Derby features, including security features. > ---------------------------------------------------------------------------------------------- > > Key: DERBY-6617 > URL: https://issues.apache.org/jira/browse/DERBY-6617 > Project: Derby > Issue Type: Bug > Components: Services > Affects Versions: 10.11.0.0 > Reporter: Rick Hillegas > Assignee: Dag H. Wanvik > Attachments: derby-6617-04-aa-platformSpecificErrorText.diff, derby-6617-1.diff, derby-6617-2.diff, derby-6617-2.status, derby-6617-3.diff, derby-6617-3.status, derby-6617-junit.diff, exit-subprocess.diff, fix-test.diff > > > When the Monitor tries to read Derby properties, it silently swallows SecurityExceptions. This means that the properties will be silently ignored if Derby has not been granted sufficient privileges. This means that if you make a mistake crafting your security policy, then you may disable authentication and authorization. You may not realize this until you have incurred a security breach. This swallowing occurs at the following code locations: > {noformat} > org.apache.derby.impl.services.monitor.BaseMonitor readApplicationProperties Catch java.lang.SecurityException 1 line 1360 > org.apache.derby.impl.services.monitor.BaseMonitor runWithState Catch java.lang.SecurityException 0 line 280 > org.apache.derby.impl.services.monitor.FileMonitor PBgetJVMProperty Catch java.lang.SecurityException 1 line 183 > org.apache.derby.impl.services.monitor.FileMonitor PBinitialize Catch java.lang.SecurityException 1 line 120 > {noformat} > SecurityExceptions are swallowed at other locations in the Monitor. The implications of these swallowings should be understood and, at a minimum, security problems should be fixed: > {noformat} > org.apache.derby.impl.services.monitor.FileMonitor PBinitialize Catch java.lang.SecurityException 1 line 157 > org.apache.derby.impl.services.monitor.FileMonitor createDaemonGroup Catch java.lang.SecurityException 1 line 89 > {noformat} -- This message was sent by Atlassian JIRA (v6.2#6252)