openjpa-dev mailing list archives

From "Patrick Linskey (JIRA)" <j...@apache.org>
Subject [jira] Commented: (OPENJPA-244) Java 2 Security enablement
Date Thu, 07 Jun 2007 21:11:26 GMT

    [ https://issues.apache.org/jira/browse/OPENJPA-244?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12502515 ]

Patrick Linskey commented on OPENJPA-244:
-----------------------------------------

> > Given that you demonstrate in point 2 above that it is legit to cache the
> > return values of the security-wrapping calls, can we achieve better 
> > encapsulation? For example, why not just have a J2DoPrivHelper.getDeclaredMethod()
> > call that does the right thing internally?
> 
> If I hear you right, the suggestion is to have all the doPriv processing in the
> J2DoPrivHelper.getDeclaredMethod().   This was the original proposal and Mitesh
> has pointed out that this is a security leak. See previous comment.

... but it looks like your most recent proposal shares this leak, since it has methods like
getLineSeparator(). We should either make all of the methods secure and consider it a goal
to not allow that leak, or make all of the helper methods behave the same, no?

-Patrick

> Java 2 Security enablement
> --------------------------
>
>                 Key: OPENJPA-244
>                 URL: https://issues.apache.org/jira/browse/OPENJPA-244
>             Project: OpenJPA
>          Issue Type: Bug
>    Affects Versions: 0.9.8
>            Reporter: Kevin Sutter
>         Attachments: J2DoPrivHelper.java
>
>
> Via some testing with the WebSphere Application Server, it's been discovered that we're
> missing some doPriv blocks throughout the OpenJPA code base.  This JIRA report will be used
> to resolve these issues.  More specific examples will be posted later.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
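
The two helper shapes under discussion in this message, as an added example that is not part of the original message and is not OpenJPA's J2DoPrivHelper code. The class name DoPrivShapes and all method names are hypothetical, and the comments assume the Java 2 Security Manager model (deprecated since Java 17), where a permission check walks the call stack only as far as the frame that called doPrivileged.

```java
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical helper class for illustration only.
public final class DoPrivShapes {

    // Shape A: doPrivileged is hidden inside a public helper. The stack walk
    // stops at this frame, so only the helper's protection domain is checked.
    // Any code that can call this method borrows the library's permissions.
    public static Method getDeclaredMethodInternal(
            Class<?> c, String name, Class<?>... params) throws NoSuchMethodException {
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<Method>) () -> c.getDeclaredMethod(name, params));
        } catch (PrivilegedActionException e) {
            // Only checked exceptions are wrapped; here that is NoSuchMethodException.
            throw (NoSuchMethodException) e.getException();
        }
    }

    // Same shape for a property read: the caller needs no PropertyPermission.
    public static String getLineSeparatorInternal() {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty("line.separator"));
    }

    // Shape B: the helper only builds the action and never asserts privilege.
    // The caller invokes doPrivileged itself, so the caller's own protection
    // domain is on the checked part of the stack and must hold the permission.
    public static PrivilegedExceptionAction<Method> getDeclaredMethodAction(
            Class<?> c, String name, Class<?>... params) {
        return () -> c.getDeclaredMethod(name, params);
    }

    public static void main(String[] args) throws Exception {
        // Shape A call site: no doPrivileged visible to a code reviewer.
        Method a = getDeclaredMethodInternal(String.class, "indexOf", String.class);

        // Shape B call site: privilege is asserted by the calling code.
        Method b = AccessController.doPrivileged(
            getDeclaredMethodAction(String.class, "indexOf", String.class));

        System.out.println(a.equals(b) + " " + getLineSeparatorInternal().length());
    }
}
```

Without a Security Manager installed both shapes behave identically; the difference only shows under a policy that grants the permission to the library's code source but not to the caller's.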

