openjpa-dev mailing list archives

From "Craig Russell (JIRA)" <j...@apache.org>
Subject [jira] Commented: (OPENJPA-244) Java 2 Security enablement
Date Tue, 05 Jun 2007 17:29:25 GMT

    [ https://issues.apache.org/jira/browse/OPENJPA-244?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12501621 ]

Craig Russell commented on OPENJPA-244:
---------------------------------------

What the example code does is to allow any untrusted code with access to the J2DoPrivHelper
class to get the value for the line separator. 

While this doesn't sound like a big deal, it's still violating the security model.

A solution is to code this in the trusted code:
// The trusted caller invokes doPrivileged itself; the action returns a String.
private static final String SEP = (String) AccessController.doPrivileged(
    J2DoPrivHelper.getLineSeparatorAction());

And then the helper class is responsible for:
// Builds the action only; it does not call doPrivileged on the caller's behalf.
public static PrivilegedAction getLineSeparatorAction() {
    return new PrivilegedAction() {
        public Object run() {
            return System.getProperty("line.separator");
        }
    };
}


> Java 2 Security enablement
> --------------------------
>
>                 Key: OPENJPA-244
>                 URL: https://issues.apache.org/jira/browse/OPENJPA-244
>             Project: OpenJPA
>          Issue Type: Bug
>    Affects Versions: 0.9.8
>            Reporter: Kevin Sutter
>         Attachments: J2DoPrivHelper.java
>
>
> Via some testing with the WebSphere Application Server, it's been discovered that we're
> missing some doPriv blocks throughout the OpenJPA code base.  This JIRA report will be used
> to resolve these issues.  More specific examples will be posted later.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
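
The two helper shapes discussed in the comment above, side by side. This is an added example, not code from the message or from OpenJPA: the class names DoPrivPatterns, LeakyHelper and ActionHelper are hypothetical, and the "leaky" form is an assumed shape for the example code the comment refers to, which is not shown on this page.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added illustration; class names are hypothetical, not OpenJPA's.
// AccessController is deprecated on recent JDKs but is the API this thread is about.
@SuppressWarnings({"deprecation", "removal"})
public final class DoPrivPatterns {

    // Assumed shape of the problem: the helper itself calls doPrivileged.
    // The permission check stops at the helper's stack frame, so only the
    // helper's protection domain is consulted and every caller, trusted or
    // not, receives the value.
    static final class LeakyHelper {
        public static String getLineSeparator() {
            return AccessController.doPrivileged(new PrivilegedAction<String>() {
                public String run() {
                    return System.getProperty("line.separator");
                }
            });
        }
    }

    // Suggested shape: the helper only builds the action and asserts nothing.
    static final class ActionHelper {
        public static PrivilegedAction<String> getLineSeparatorAction() {
            return new PrivilegedAction<String>() {
                public String run() {
                    return System.getProperty("line.separator");
                }
            };
        }
    }

    // The caller invokes doPrivileged, so the check stops at this class's
    // frame and its own protection domain must hold
    // PropertyPermission("line.separator", "read").
    private static final String SEP =
        AccessController.doPrivileged(ActionHelper.getLineSeparatorAction());

    public static void main(String[] args) {
        // Both forms return the same value; they differ in whose privileges are asserted.
        System.out.println(SEP.equals(LeakyHelper.getLineSeparator()));
    }
}
```

Because the nested classes here share one protection domain, the difference only shows up when the helper and its callers are loaded from code sources that a security policy grants different permissions.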

