db-derby-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Noll <dan...@nuix.com>
Subject Re: Server: deny connection to directories outside of known directories
Date Tue, 06 Nov 2007 23:08:34 GMT
On Tuesday 06 November 2007 20:02:04 Vemund Ostgaard wrote:
> Daniel Noll wrote:
> > Hi all.
> >
> > Is there some way for the Derby server to allow custom code to determine
> > whether a directory can be opened for a database?  I read something about
> > a policy file but that doesn't really suit our use case as the list of
> > directories can be changed by the admin at runtime.
>
> I believe there is a system procedure that can be used to reload the
> policy file in effect dynamically: SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY
>
> See here:
> http://db.apache.org/derby/docs/dev/ref/rrefreloadpolicyproc.html
>
> Maybe that could be used whenever the admin wants to change what
> directories are accessible?

That may work, assuming that generating policy files dynamically isn't too 
hard.  I'll have to look into it.

In terms of an ideal API, what I would rather have is a method in 
NetworkServerControl where I can pass in an implementation of some interface 
which receives a Principal and a File path (or a URL) and where I either 
return true/false or throw a SecurityException.

Side-thought: I've noticed there is a Policy.setPolicy(Policy) method in the 
JRE, makes me wonder if I can make an implementation of that and avoid 
needing to generate the file at all.  It doesn't look too easy to subclass 
however.

Daniel

Mime
View raw message