db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dag H. Wanvik (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-6680) All jar files need to be granted permission to read derby.ui.* properties
Date Mon, 18 Aug 2014 17:50:20 GMT

    [ https://issues.apache.org/jira/browse/DERBY-6680?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14100934#comment-14100934
] 

Dag H. Wanvik commented on DERBY-6680:
--------------------------------------

Using my default classpath, or starting via java -jar I don't see this issue, because LocalizedResource
is taken from derby.jar, which does have an entry which covers these properties. However,
if the client jar is ahead in the classpath, I do see this issue *iff* I use an explicit policy
specified on the command line, e.g like this:
{code}
java -Dderby.install.url=file:jars/sane/ -Djava.security.debug=access:failure -Djava.security.manager
-Djava.security.policy=java/drda/org/apache/derby/drda/server.policy  -Dderby.ui.locale=nb_NO.UTF-8
org.apache.derby.drda.NetworkServerControl start
{code}
The reason it happens only with an explicit mention is that the reading of the properties
"normally" happens before we have started running with the security manager.

I'm not sure our provided server policy is intended to be used this way, though. Do we anywhere
state it can be used on the command line unmodified? Because it can't: I had to tweak it to
even get this far, it was missing more permissions than the "derby.ui.*" permissions to be
usable in this way. The user who saw this issue had his own policy, btw.

The template would benefit from it in any case, though.

> All jar files need to be granted permission to read derby.ui.* properties
> -------------------------------------------------------------------------
>
>                 Key: DERBY-6680
>                 URL: https://issues.apache.org/jira/browse/DERBY-6680
>             Project: Derby
>          Issue Type: Bug
>    Affects Versions: 10.11.1.1
>            Reporter: Rick Hillegas
>            Assignee: Dag H. Wanvik
>
> The following properties may be read by LocalizedResource, a class which is included
in derby.jar, derbynet.jar, derbyclient.jar, and derbytools.jar:
> {noformat}
> derby.ui.codeset
> derby.ui.locale
> {noformat}
> A user has tripped across this problem in production. With the user's language settings,
the network server fails to come up because the server policy file does not grant the server
permission to read these properties. See http://apache-database.10148.n7.nabble.com/Hellow-I-have-some-problem-in-customize-security-policy-with-derby-modified-3-td141002.html
> We should adjust server.policy and template.policy accordingly.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message