openjpa-dev mailing list archives

From "Albert Lee (JIRA)" <j...@apache.org>
Subject [jira] Commented: (OPENJPA-244) Java 2 Security enablement
Date Fri, 08 Jun 2007 05:04:25 GMT

    [ https://issues.apache.org/jira/browse/OPENJPA-244?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12502647 ]

Albert Lee commented on OPENJPA-244:
------------------------------------

The getLineSeparator() will not compromise security because this function only returns specifically
the line.separator String and nothing else, hence there is no side effect. This method may
cache the value for performance and better code readability and maintenance.

In the original proposal, an application can call one of the J2DoPrivHelper public methods, which
may grant user resource privileges on behalf of the caller, which is not good. If a
resource requires privilege, the AccessController.doPrivileged() must be in-line in the
openjpa code base, but the "new Privileged(Exception)Action" can be common or factored out.
Even if the doPrivileged() is inlined, one must also be careful not to allow any public method
to be accessed by the application with a user-specified resource that eventually grants privilege
to access the resource.

>>> Additionally, from a performance standpoint, it seems like we should make the
J2DoPrivHelper methods non-static, create an interface, and provide access to the instance
via the OpenJPAConfiguration object. This will allow us to have an impl that doesn't do security
checks at all and a separate impl that does the security checks.

>Sounds good. 

After some thought on this topic, I just realized that use of an interface will not work, for the
same reason as just described. The interface can only get the PrivilegedAction because the
doPriv must be in-lined. E.g.

The use cases are:

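   // Needs java.lang.reflect.Method, java.security.AccessController and
   // java.security.PrivilegedActionException.

   // Fixed resource: the helper returns only the line.separator value.
   private static final String SEP = J2DoPrivHelper.getLineSeparator();

   // doPrivileged() is in-lined at the call site; the helper only builds the action.
   ClassLoader loader = (System.getSecurityManager() == null)
                            ? clazz.getClassLoader()
                            : (ClassLoader) AccessController.doPrivileged(
                                  J2DoPrivHelper.getClassLoaderAction( clazz ) );

   try
   {
       method = ( System.getSecurityManager() == null )
                   ? clazz.getDeclaredMethod(name,parameterType)
                   : (Method) AccessController.doPrivileged(
                         J2DoPrivHelper.getDeclaredMethodAction( clazz, name, parameterType) );
   } catch( PrivilegedActionException pae )
   {
       // Unwrap and rethrow the checked exception raised inside the action.
       throw (NoSuchMethodException) pae.getException();
   }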


       

> Java 2 Security enablement
> --------------------------
>
>                 Key: OPENJPA-244
>                 URL: https://issues.apache.org/jira/browse/OPENJPA-244
>             Project: OpenJPA
>          Issue Type: Bug
>    Affects Versions: 0.9.8
>            Reporter: Kevin Sutter
>         Attachments: J2DoPrivHelper.java
>
>
> Via some testing with the WebSphere Application Server, it's been discovered that we're
missing some doPriv blocks throughout the OpenJPA code base.  This JIRA report will be used
to resolve these issues.  More specific examples will be posted later.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
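
The distinction drawn in the comment above, as an added example that is not part of the original message or of the OpenJPA code base: a public helper that calls doPrivileged() on a caller-chosen resource, next to a fixed-resource helper and an action factory whose doPrivileged() call stays in-line at the library's own call site. The class DoPrivShapes and the methods getPropertyUnsafe, getPropertyAction and javaVendor are hypothetical, and the body of getLineSeparator is an assumption, since the attached J2DoPrivHelper.java is not shown on this page.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Constructed example; class and method names other than getLineSeparator are hypothetical.
@SuppressWarnings("removal") // AccessController/SecurityManager are deprecated since Java 17
public class DoPrivShapes {

    // Risky shape: a public method that calls doPrivileged() itself on a
    // caller-chosen resource. The permission check stops at this frame, so an
    // application without PropertyPermission can read any property through it.
    public static String getPropertyUnsafe(final String key) {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(key));
    }

    // Acceptable: the resource is fixed, so the caller cannot redirect the privilege.
    public static String getLineSeparator() {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty("line.separator"));
    }

    // Shape from the comment: the helper only builds the action. Whoever calls
    // doPrivileged() with it is the frame whose permissions are checked, so an
    // application calling this gains nothing beyond its own permissions.
    public static PrivilegedAction<String> getPropertyAction(final String key) {
        return () -> System.getProperty(key);
    }

    // Library-internal call site: doPrivileged() is in-lined here, in a
    // non-public method, with a resource name the library chose.
    private static String javaVendor() {
        return System.getSecurityManager() == null
            ? System.getProperty("java.vendor")
            : AccessController.doPrivileged(getPropertyAction("java.vendor"));
    }

    public static void main(String[] args) {
        System.out.println("vendor = " + javaVendor());
        System.out.println("separator length = " + getLineSeparator().length());
    }
}
```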

