openjpa-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Albert Lee (JIRA)" <j...@apache.org>
Subject [jira] Commented: (OPENJPA-244) Java 2 Security enablement
Date Thu, 07 Jun 2007 15:17:25 GMT

    [ https://issues.apache.org/jira/browse/OPENJPA-244?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12502379
] 

Albert Lee commented on OPENJPA-244:
------------------------------------

Having specific function(s) in J2DoPrivHelp that required doPriv is to isolate common access
function without security exposure and hopefully improve performance. Since there is no user
parameters allowed by the helpers, even the getLineSeparator() is public, user is only allowed
to get the lineSeparator string and no other resources security leak.

The wrapper method approach is to provide means to create the Privilege(Exception)Action object
but the doPrivileged will still be in-lined in the openjpa code to avoid undesirable security
exposure. 

Here is a new proposal:

1) The J2DoPrivHelper defines the common security safe functions and PrivilegedAction getters
(example):
        
       public static final String getLineSeparator();
       public static final Object getOtherSpecificSecuritySafeResource();
       .......
 
       public static final PrivilegedAction getClassLoaderAction(final ClassLoader loader);
       public static final PrivilegedExceptionAction getDeclaredMethodAction(final Class clazz,
final String name, final Class[] parameterTypes);
       .......

2)  J2DoPrivHelper usage:

       private static final String SEP = J2DoPrivHelper.getLineSeparator(); 

       ClassLoader loader = (ClassLoader) AccessController.doPrivileged( J2DoPrivHelper.getClassLoaderAction(
clazz ) );

        try {
              AccessController.doPrivileged(J2DoPrivHelper.getDeclaredMethodAction( clazz,
name, args));
        } catch (PrivilegedActionException exception) {
               NoSuchMethodException ex = (NoSuchMethodException)exception.getException();
        } 

3) If there is any situation where testing security is enabled before the doPriv pattern is
used, it will need to be in-lined in user code.

Please comment and indicate if this is an acceptable solution.

Thanks.
Albert Lee.

> Java 2 Security enablement
> --------------------------
>
>                 Key: OPENJPA-244
>                 URL: https://issues.apache.org/jira/browse/OPENJPA-244
>             Project: OpenJPA
>          Issue Type: Bug
>    Affects Versions: 0.9.8
>            Reporter: Kevin Sutter
>         Attachments: J2DoPrivHelper.java
>
>
> Via some testing with the WebSphere Application Server, it's been discovered that we're
missing some doPriv blocks through out the OpenJPA code base.  This JIRA report will be used
to resolve these issues.  More specific examples will be posted later.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message