incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Janne Jalkanen (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JSPWIKI-129) JSPWIki cannot run under a security manager
Date Wed, 07 May 2008 05:43:56 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12594786#action_12594786
] 

Janne Jalkanen commented on JSPWIKI-129:
----------------------------------------

Can we then just drop this off the 2.8 feature list?  That way it wouldn't be blocking...
Besides, since we'll have all the libraries within JSPWiki which do not support this either,
I'm not sure whether we can even have a complete solution.

> JSPWIki cannot run under a security manager
> -------------------------------------------
>
>                 Key: JSPWIKI-129
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-129
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication&Authorization
>    Affects Versions: 2.4.104, 2.6.0, 2.6.1
>         Environment: All
>            Reporter: Andrew Jaquith
>            Assignee: Andrew Jaquith
>             Fix For: 2.8
>
>
> JSPWiki cannot be used when running a security manager. Containers that run by default
with a security manager include Oracle Application Server and Tomcat when run with the '-server'
option.
> In all cases, the root cause is the same: the security policy for the container needs
to include the Permissions needed to execute JSPWiki. However, full enumeration of the Permissions
needed is complicated significantly by the fact that JSPWiki does not compartmentalized privileged
calls the way it should. For example, any code in JSPWiki that accesses files should be enclosed
by AccessController.doPrivileged() blocks.
> The result of our current approach (or rather, lack of privileged code compartmentalization)
means that an effective policy cannot be written.
> This bug is to remind ARJ that he needs to work on this. He is currently writing some
diagnostic tools that will make this process easier. However, it's going to take a while...

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message