incubator-jspwiki-user mailing list archives

From Craig L Russell <Craig.Russ...@Sun.COM>
Subject Re: auth problems with Oracle AS
Date Thu, 22 Nov 2007 00:49:23 GMT

On Nov 21, 2007, at 2:10 PM, Janne Jalkanen wrote:

>> Janne, if you want, I can dust off Kissinger (har har) and see  
>> what's required to get it working.
> I have to admit that this joke goes way over my head.  I seem to  
> recall that Monty Python had a song about a Henry Kissinger...

I don't get the joke either. :(

>> In the meantime, the best thing to do is start looking for code  
>> that calls methods that require privilege checks (notably file  
>> access, serialization, system properties, SQL, reflection) and put  
>> doPrivileged() blocks around them. The list of methods that  
>> require permissions are here:
> Taking a quick look at Stripes (reflection) and Hibernate (SQL),  
> neither of them have doPrivileged() blocks anywhere in the code.   
> Does it mean that nobody can use them in standard J2EE containers?   
> I'd wager not.

What it does mean is that security may be compromised when you have  
libraries running in secure environments.

For the real answer, I'd suggest asking on the Hibernate forums why  
they don't have any doPrivileged blocks and if this means they cannot  
run in a secure environment. Then duck.

> Also, don't we have to give the same permissions to *all* of the  
> sub-libraries?  Wouldn't it effectively nullify any benefit from  
> security of the internal app, if it can access anything through  
> external libraries?

If external libraries are used in a secure environment, then all the  
calls that a privileged user can make must be wrapped in a  
doPrivileged block.

> /Janne

Craig Russell
Architect, Sun Java Enterprise System
408 276-5638
P.S. A good JDO? O, Gasp!
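
An added illustration of the doPrivileged() wrapping discussed in this message (not code from JSPWiki, Stripes or Hibernate): a hypothetical library class that validates caller input before entering a narrow privileged block, so the permission is granted to the library's code source only and callers cannot use it to reach arbitrary properties or files. `WikiConfigReader`, the allow-list and the `pages` directory are assumptions, and the API belongs to the SecurityManager model, which is deprecated since Java 17.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Set;

// Hypothetical library class, for illustration only.
public final class WikiConfigReader {
    // Properties the library agrees to read on behalf of less-privileged callers.
    private static final Set<String> ALLOWED_PROPS = Set.of("user.dir", "java.io.tmpdir");
    // Placeholder directory, fixed by the library and never supplied by the caller.
    private static final Path PAGE_DIR = Paths.get("pages");

    // Needs PropertyPermission "<name>", "read" granted to this library's code source.
    public static String readProperty(final String name) {
        // Validate before elevating: the privileged block must not act on raw caller input.
        if (!ALLOWED_PROPS.contains(name)) {
            throw new SecurityException("property not allow-listed: " + name);
        }
        // doPrivileged stops the permission stack walk at this frame, so the
        // caller's own protection domain is not consulted for this one call.
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty(name));
    }

    // Needs FilePermission on PAGE_DIR, "read" granted to this library's code source.
    public static String readPage(String pageName) throws IOException {
        // Reject separators and ".." so the privileged read stays inside PAGE_DIR.
        if (!pageName.matches("[A-Za-z0-9_]+")) {
            throw new IllegalArgumentException("invalid page name");
        }
        final Path file = PAGE_DIR.resolve(pageName + ".txt");
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<String>) () ->
                    new String(Files.readAllBytes(file), StandardCharsets.UTF_8));
        } catch (PrivilegedActionException e) {
            // The action only declares IOException as a checked exception.
            throw (IOException) e.getException();
        }
    }

    public static void main(String[] args) {
        System.out.println(readProperty("java.io.tmpdir"));
    }
}
```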
