From: "Noel J. Bergman"
To: "Apache Directory Developers List"
Subject: RE: Access to LdapPrincipal constructor
Date: Mon, 2 May 2005 11:16:40 -0400

Niclas Hedhman wrote:

> Protecting fields, methods and constructors is no real protection at
> all, unless combined with proper security policies and the use of
> AccessController.doPrivileged().

This is not necessarily an issue for the core code, although it could be if we want to provide maximum control to administrators, but should be applied to all pluggable code.

> If no such thought has been spent on the subject, perhaps it is soon
> time to start a security review of the entire system.

Do you want to make that review a project for yourself?

	--- Noel
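
The point made in the quoted text, as an added example (not code from this thread or from Apache Directory): a private constructor stays reachable through reflection until a security manager and policy are in force. `DemoPrincipal`, `ConstructorAccessDemo` and `forge` are hypothetical names, and the sketch assumes a JVM that still permits installing a security manager (the default through Java 17, `-Djava.security.manager=allow` on Java 18 to 23).

```java
import java.lang.reflect.Constructor;

// Hypothetical stand-in for a principal class; not the ApacheDS LdapPrincipal.
final class DemoPrincipal {
    private final String name;

    // "Protected" only by the access modifier.
    private DemoPrincipal(String name) { this.name = name; }

    String getName() { return name; }
}

public class ConstructorAccessDemo {

    // Attempts to build a DemoPrincipal reflectively, ignoring 'private'.
    static String forge(String name) {
        try {
            Constructor<DemoPrincipal> c =
                DemoPrincipal.class.getDeclaredConstructor(String.class);
            // Under a security manager this call requires
            // ReflectPermission("suppressAccessChecks").
            c.setAccessible(true);
            return "created " + c.newInstance(name).getName();
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "failed: " + e;
        }
    }

    @SuppressWarnings({"deprecation", "removal"})
    public static void main(String[] args) {
        String dn = "uid=admin,ou=system"; // constructed sample value

        // 1. No security manager: the modifier does not stop reflection.
        System.out.println("without policy: " + forge(dn));

        // 2. Security manager with the default policy: application code
        //    holds no ReflectPermission, so setAccessible is refused.
        try {
            System.setSecurityManager(new SecurityManager());
        } catch (UnsupportedOperationException e) {
            System.out.println("this JVM does not allow a security manager");
            return;
        }
        System.out.println("with policy:    " + forge(dn));
    }
}
```

Trusted code that legitimately needs such a permission would be granted it in the policy file and would wrap the sensitive call in `AccessController.doPrivileged()`, so that less-trusted callers further up the stack do not cause the check to fail.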