incubator-jspwiki-user mailing list archives

From Andrew Jaquith <andrew.jaqu...@mac.com>
Subject Re: auth problems with Oracle AS
Date Wed, 21 Nov 2007 22:45:14 GMT
> Taking a quick look at Stripes (reflection) and Hibernate (SQL),  
> neither of them have doPrivileged() blocks anywhere in the code.   
> Does it mean that nobody can use them in standard J2EE containers?   
> I'd wager not.

Janne, looks like our responses crossed in the mail.

I'd wager yes, people are. Here's an example of somebody who had  
problems getting Hibernate on Tomcat when the security manager was  
running:

http://www.petrovic.org/blog/?p=134

> Also, don't we have to give the same permissions to *all* of the sub- 
> libraries?  Wouldn't it effectively nullify any benefit from  
> security of the internal app, if it can access anything through  
> external libraries?

Not necessarily... it depends on the sequence of callers in the call  
stack.

>> Stripes does not have a single doPrivileged() code block in it.  I  
>> did a full search.
>
> Neither does log4j, and my guess is that most of the libraries that  
> we use, don't have them either.

You are probably right about that. But then, only a runtime analysis  
would be able to tell us which ones are problematic, and where the  
dependencies lie.

> I'm really no security expert, but it sounds to me that the gain vs  
> effort ratio in this effort would not be very high.  Especially  
> since most of the attacks so far seem to be XSS vectors, which  
> really don't touch the JVM at all.

Now THAT is almost certainly true. That's why I've postponed this  
exercise; compared with getting 2.6 done, it's lower priority. It *is*  
a blocker for running JSPWiki in OAS out-of-the-box. We just need to  
be comfortable telling every OAS user who asks, "it won't work until  
you turn off your security manager."

PS. Henry Kissinger was a US Secretary of State. Sounds like you don't  
want me to dust off the policy-maker project just yet...

A.
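The point above that whether a library needs doPrivileged() "depends on the sequence of callers in the call stack" is easiest to see with the Java 2 access-control algorithm actually running. The following is an added example, not code from this thread or from JSPWiki: it plays the role of a library (think Hibernate or log4j) under two conditions, first with every frame on the stack trusted, then with a deliberately under-privileged protection domain inserted into the stack the way a container policy would. The permission names (`jspwiki.demo.readConfig`, `jspwiki.demo.writeConfig`) are hypothetical, and the example assumes a JDK from 8 up to 21, where `java.security.Policy` and stack inspection still operate (they are deprecated from 17 and disabled by JEP 486 in JDK 24).

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/**
 * Constructed demo (not JSPWiki code): a Java 2 permission check walks every
 * frame on the call stack, and doPrivileged() cuts that walk short.
 * Permission names are hypothetical.
 */
public class StackWalkDemo {

    // Hypothetical permission that the "library" needs in order to do its work.
    static final Permission WRITE = new RuntimePermission("jspwiki.demo.writeConfig");

    /** Stand-in for a third-party library that does NOT use doPrivileged(). */
    static String libraryWithoutPrivileged() {
        // Every protection domain on the stack must imply WRITE, or this throws.
        AccessController.checkPermission(WRITE);
        return "written";
    }

    /** The same library operation, asserting its own privilege first. */
    static String libraryWithPrivileged() {
        // The cast picks the PrivilegedAction overload (the lambda is otherwise ambiguous).
        return AccessController.doPrivileged((PrivilegedAction<String>) () -> {
            AccessController.checkPermission(WRITE); // the walk stops at this doPrivileged frame
            return "written";
        });
    }

    /** Runs an action as if a caller holding only READ were on the stack. */
    static String runAsRestrictedCaller(PrivilegedAction<String> action) {
        Permissions few = new Permissions();
        few.add(new RuntimePermission("jspwiki.demo.readConfig"));
        // Two-argument constructor => static permissions: the Policy installed in
        // main() is NOT consulted for this domain, only the collection above.
        ProtectionDomain restricted = new ProtectionDomain(
                new CodeSource(null, (Certificate[]) null), few);
        AccessControlContext ctx =
                new AccessControlContext(new ProtectionDomain[] { restricted });
        try {
            // The restricted domain is attached to this doPrivileged frame, so the
            // walk from inside 'action' reaches it before stopping.
            return AccessController.doPrivileged(action, ctx);
        } catch (AccessControlException e) {
            return "denied: " + e.getPermission();
        }
    }

    public static void main(String[] args) {
        // Grant everything to classes loaded from the class path (the "application"
        // domain), so that only the restricted domain we add can cause a denial.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain d, Permission p) {
                return true;
            }
        });

        // 1. Only application frames on the stack: allowed.
        System.out.println("app -> library           : "
                + libraryWithoutPrivileged());
        // 2. Restricted domain on the stack, library has no doPrivileged(): denied.
        System.out.println("restricted -> library    : "
                + runAsRestrictedCaller(StackWalkDemo::libraryWithoutPrivileged));
        // 3. Same stack, library wraps its check in doPrivileged(): allowed.
        System.out.println("restricted -> privileged : "
                + runAsRestrictedCaller(StackWalkDemo::libraryWithPrivileged));
    }
}
```

Case 2 is the situation the thread describes: the library's own code source may be granted everything, but a less-trusted domain further down the stack (here the constructed `restricted` domain, in a container the policy entry for the application's code source) still fails the check because the walk does not stop before reaching it. Case 3 shows why a doPrivileged() block in the library fixes that without granting the permission to the application domain, and also why such a block has to wrap only the minimum operation: everything inside it runs with the library's full permissions regardless of who called it.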

