From: Janne Jalkanen
Subject: Re: auth problems with Oracle AS
Date: Thu, 22 Nov 2007 00:31:55 +0200
To: jspwiki-user@incubator.apache.org

> Stripes does not have a single doPrivileged() code block in it. I
> did a full search.

Neither does log4j, and my guess is that most of the libraries that we use don't have them either.

I'm really no security expert, but it sounds to me that the gain vs effort ratio in this effort would not be very high. Especially since most of the attacks so far seem to be XSS vectors, which really don't touch the JVM at all.

/Janne