db-jdo-dev mailing list archives

From Craig L Russell <Craig.Russ...@Sun.COM>
Subject Re: Security issue with generated classes
Date Mon, 28 Jul 2008 22:48:12 GMT

On Jul 28, 2008, at 1:18 PM, Craig L Russell wrote:

> Hi Andy,
> On Jul 27, 2008, at 11:17 PM, Andy Jefferson wrote:
>> Hi Craig,
>>> I looked at the datanucleus implementation and found that I'm totally
>>> not qualified to propose a patch. I found the code that needs to be
>>> changed in org/datanucleus/enhancer/bcel/method/JdoReplaceStateManager.java
>>> and org/datanucleus/enhancer/asm/method/JdoReplaceStateManager.java
>>> but that's as far as I could get without knowing asm, bcel, and byte-codes.
>> The ASM-based enhancer is now updated to match the current spec.
> I'll take a look and let you know what I find.

The modified enhanced jdoSetStateManager now works great!

One "last thing". In order to avoid the security manager check in the  
enhanced code, sometime during initialization of the  
PersistenceManagerFactory you need to register the StateManager class.

Here's a patch for JDOPersistenceManagerFactory that works for me; the  
call might better be put somewhere else...

I also had to add another couple of permissions to the security policy  
(after getting through the StateManager security issue). These are now  
checked in.

And the RDO security patch needed just a little more help. The  
implementation of QueryUtils.getPublicPutMethodForResultClass fails in  
security environments. So I reimplemented it with doPrivileged and  
it's ok.

Now the entire TCK runs with security enabled (modulo the existing
http://issues.apache.org/jira/browse/JDO-573 that still fails...)
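
The doPrivileged approach mentioned in the message above, as an added example that is not part of the original e-mail and is not DataNucleus code. The class name, the method name findPublicPutMethod and the put(Object, Object) signature are assumptions made for illustration.

```java
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.HashMap;

public class PrivilegedPutLookup {

    /**
     * Hypothetical stand-in for the lookup named in the message: find a
     * public put(Object, Object) method on a query result class.
     * Returns null when the class has no such method.
     */
    @SuppressWarnings("removal") // AccessController is deprecated on newer JDKs
    static Method findPublicPutMethod(final Class<?> resultClass) {
        // A security manager checks every frame on the call stack, so without
        // doPrivileged the application code that runs the query would also
        // need the reflection permissions. doPrivileged stops the check at
        // this frame: only the library's own protection domain must hold them.
        return AccessController.doPrivileged(new PrivilegedAction<Method>() {
            public Method run() {
                try {
                    // Keep the privileged block minimal: one lookup, public
                    // members only, no setAccessible, and the method is not
                    // invoked here, so no caller-supplied code runs privileged.
                    return resultClass.getMethod("put", Object.class, Object.class);
                } catch (NoSuchMethodException e) {
                    return null;
                }
            }
        });
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a Map-style result class and one without put().
        Method found = findPublicPutMethod(HashMap.class);
        Method missing = findPublicPutMethod(String.class);
        System.out.println("HashMap: " + found);
        System.out.println("String:  " + missing);
    }
}
```

The returned Method is invoked by the caller outside the privileged block, so the put call itself runs with the caller's normal permissions.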

