incubator-jspwiki-user mailing list archives

From Janne Jalkanen <Janne.Jalka...@ecyrd.com>
Subject Re: auth problems with Oracle AS
Date Wed, 21 Nov 2007 23:00:59 GMT

>> Taking a quick look at Stripes (reflection) and Hibernate (SQL),  
>> neither of them have doPrivileged() blocks anywhere in the code.   
>> Does it mean that nobody can use them in standard J2EE  
>> containers?  I'd wager not.
>
> Janne, looks like our responses crossed in the mail.
>
> I'd wager yes, people are . Here's an example of somebody who had  
> problems getting Hibernate on Tomcat when the security manager was  
> running:
>
> http://www.petrovic.org/blog/?p=134

Looks like my attempt to produce legible English at 1 am failed :)

> You are probably right about that. But then, only a runtime  
> analysis would be able to tell us which ones are problematic, and  
> where the dependencies lie.

Urgh.  And then we would need to change all the libraries and  
contribute the patches back to those guys...

> Now THAT is almost certainly true. That's why I've postponed this  
> exercise; compared with getting 2.6 done, it's lower priority. It  
> *is* a blocker for running JSPWiki in OAS out-of-the-box. We just  
> need to be comfortable telling every OAS user who asks, "it won't  
> work until you turn off your security manager."

Is there no way to give a blanket permission to JSPWiki work and  
repository directories, and limit runtime.exec()?  That would cut out  
a very big majority of all attack vectors.

> PS. Henry Kissinger was a US Secretary of State. Sounds like you  
> don't want me to dust off the policy-maker project just yet...

Sorry, U.S. History is not my strong subject :-).   I'm just trying  
to perform some cost-benefit analysis here.  My vote would be -1 on  
making this any sort of a priority...

(Looks like again all the bugs blocking the release are IE-related...)

/Janne
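The two points the thread turns on, in runnable form. This is an added example, not JSPWiki code or anything posted by the participants, and it assumes a POSIX path and a temporary "work" directory constructed at start-up; the `libraryRead*` methods are a hypothetical stand-in for a third-party library such as Hibernate or Stripes, and `asUntrustedCaller` simulates a caller from a code source with no grants by running the action under a reduced `AccessControlContext`. The policy grants a blanket `FilePermission` on the work directory tree and nothing else, so `Runtime.exec()` (which needs `FilePermission "<<ALL FILES>>", "execute"`) is denied for every caller, and the last two checks show why a library without `doPrivileged()` fails as soon as any frame below it on the stack is untrusted:

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/**
 * Added example (not JSPWiki project code). Shows (1) a policy that grants a
 * blanket file permission on the wiki work directory while never granting
 * "execute", and (2) why a library that lacks doPrivileged() is denied when an
 * untrusted frame sits below it on the call stack. Assumes a POSIX path; the
 * work directory is a constructed temp directory.
 */
public class PolicyDemo {

    /** Policy text with no codeBase, so it applies to every class the JVM loads.
     *  Nothing here grants FilePermission "<<ALL FILES>>", "execute", so
     *  Runtime.exec() is denied no matter which code calls it. */
    static String policyFor(String workDir) {
        return "grant {\n"
             + "  permission java.io.FilePermission \"" + workDir + "\", \"read,write,delete\";\n"
             + "  permission java.io.FilePermission \"" + workDir + "/-\", \"read,write,delete\";\n"
             + "};\n";
    }

    /** Hypothetical library call that touches the file system without asserting
     *  its own privileges: every frame on the stack needs the FilePermission. */
    static boolean libraryRead(String path) {
        return new File(path).exists();
    }

    /** Same operation inside doPrivileged(): the stack walk stops at this frame,
     *  so only this class's ProtectionDomain must hold the grant. */
    static boolean libraryReadPrivileged(String path) {
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> new File(path).exists());
    }

    /** Runs the action as if a domain with an empty permission set (an
     *  untrusted caller) were on the call stack beneath it. */
    static <T> T asUntrustedCaller(PrivilegedAction<T> action) {
        ProtectionDomain noPerms =
            new ProtectionDomain(new CodeSource(null, (Certificate[]) null), new Permissions());
        return AccessController.doPrivileged(action,
            new AccessControlContext(new ProtectionDomain[] { noPerms }));
    }

    static String check(String label, Runnable r) {
        try {
            r.run();
            return label + ": allowed";
        } catch (AccessControlException e) {
            return label + ": DENIED (" + e.getPermission() + ")";
        }
    }

    public static void main(String[] args) throws IOException {
        Path work = Files.createTempDirectory("jspwiki-work");   // constructed work dir
        Path policy = work.resolve("wiki.policy");
        Files.write(policy, policyFor(work.toString()).getBytes(StandardCharsets.UTF_8));
        policy.toFile().deleteOnExit();   // registered before the security manager exists
        work.toFile().deleteOnExit();

        // "java.security.policy=" appends our grants to the JRE's default policy.
        System.setProperty("java.security.policy", policy.toString());
        System.setSecurityManager(new SecurityManager());   // JDK 18-23: needs -Djava.security.manager=allow

        String inside = work.resolve("Main.txt").toString();
        System.out.println(check("read inside work dir", () -> libraryRead(inside)));
        System.out.println(check("read outside work dir", () -> libraryRead("/etc/passwd")));
        System.out.println(check("Runtime.exec", () -> {
            try { Runtime.getRuntime().exec("true"); } catch (IOException e) { throw new RuntimeException(e); }
        }));
        System.out.println(check("untrusted caller -> plain library",
            () -> asUntrustedCaller(() -> libraryRead(inside))));
        System.out.println(check("untrusted caller -> doPrivileged library",
            () -> asUntrustedCaller(() -> libraryReadPrivileged(inside))));
    }
}
```

Compile and run with `javac PolicyDemo.java && java PolicyDemo` on JDK 8 to 17; on JDK 18 to 23 add `-Djava.security.manager=allow`, since JEP 411 deprecates the security manager for removal, and JDK 24 (JEP 486) disables it permanently, so this mechanism is a legacy control. The "read outside work dir", "Runtime.exec" and "untrusted caller -> plain library" checks are denied; the other two are allowed. The last pair is the situation in the petrovic.org report: under a security manager the policy can grant the library's jar whatever it needs, but a permission check walks every frame on the stack, so a library that never calls `doPrivileged()` still fails whenever a less-privileged caller is beneath it, and the only fixes are a policy grant to the caller's code base or a `doPrivileged()` block contributed back to the library.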
