openjpa-dev mailing list archives

From "Craig Russell (JIRA)" <>
Subject [jira] Commented: (OPENJPA-244) Java 2 Security enablement
Date Mon, 02 Jul 2007 17:54:04 GMT


Craig Russell commented on OPENJPA-244:

>> 3. In openjpa-lib/src/main/java/org/apache/openjpa/lib/util/
>> you might have missed this case:
>> @@ -238,12 +246,18 @@ 
>>             if (loader == THREAD_LOADER) 
>>                 loader = Thread.currentThread().getContextClassLoader(); 
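Review bot: The Thread.currentThread().getContextClassLoader() call under `if (loader == THREAD_LOADER)` is made directly. With a security manager installed it can require RuntimePermission("getClassLoader") from every caller on the stack, so wrap it in AccessController.doPrivileged and keep the privileged block limited to that one call.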
>Good eye.. Done. 

>> 5. In openjpa-xmlstore/src/main/java/org/apache/openjpa/xmlstore/
>> don't you need to have a doPrivileged around f.length() ? The javadoc would suggest so.

> You are correct. Somehow I don't get any security exception even without the doPriv wrapping.
> I have added a new lengthAction and "do the right thing" now.

My only concern now is that without the above changes, your tests ran correctly. Do you have
a test bench where the caller is not privileged and the OpenJPA is privileged? One suspicious
change is in the security permissions file: 
+// ================================================================
+// The following permissions are needed to invoke the 'test' target in OpenJPA maven build.
+grant {
+  permission;
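Review bot: The `grant {` entry carries no codeBase or signedBy clause, so the permission it lists is given to every code source, the test classes included, and a missing doPrivileged block cannot make the 'test' target fail. Scope the entry with a codeBase to the code that needs it, so that the calling code in the tests runs without the permission.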

This would appear to grant everyone AllPermissions, which might explain why the tests all
work. Can this be restricted to granting permission to just the test framework (javax.junit)
and see what happens?

> Java 2 Security enablement
> --------------------------
>                 Key: OPENJPA-244
>                 URL:
>             Project: OpenJPA
>          Issue Type: Bug
>    Affects Versions: 0.9.8
>            Reporter: Kevin Sutter
>         Attachments: OPENJPA-244.patch
> Via some testing with the WebSphere Application Server, it's been discovered that we're
> missing some doPriv blocks throughout the OpenJPA code base.  This JIRA report will be used
> to resolve these issues.  More specific examples will be posted later.
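
A test bench of the kind asked about in the comment above, with an unprivileged caller and privileged library code, sketched as an added example that is not part of the original message or of the OpenJPA code base. The class and method names (`UnprivilegedCallerBench`, `bareLength`, `privilegedLength`, `asUnprivilegedCaller`) are hypothetical, and the in-process policy stands in for the blanket grant. It assumes a JDK that still supports the Security Manager (JDK 8 through 23; on 18 and later pass `-Djava.security.manager=allow`).

```java
import java.io.File;
import java.security.*;

public class UnprivilegedCallerBench {
    // Hypothetical library method with the wrapper missing.
    static long bareLength(File f) {
        return f.length();
    }

    // The same call inside a privileged block (the "lengthAction" idea).
    static long privilegedLength(File f) {
        return AccessController.doPrivileged((PrivilegedAction<Long>) f::length);
    }

    // Runs the action as if its caller's protection domain held no permissions.
    static <T> T asUnprivilegedCaller(PrivilegedAction<T> action) {
        ProtectionDomain none = new ProtectionDomain(null, new Permissions());
        return AccessController.doPrivileged(action,
                new AccessControlContext(new ProtectionDomain[] { none }));
    }

    public static void main(String[] args) throws Exception {
        File f = File.createTempFile("bench", ".xml"); // constructed sample file
        f.deleteOnExit();
        // Every class loaded normally gets every permission, like a blanket grant.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain d, Permission p) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // Privileged caller: the bare call passes, so the gap stays hidden.
        System.out.println("privileged caller, bare call: " + bareLength(f));
        // Unprivileged caller, wrapped call: the library asserts its own rights.
        long n = asUnprivilegedCaller(() -> privilegedLength(f));
        System.out.println("unprivileged caller, doPrivileged: " + n);
        // Unprivileged caller, bare call: the missing wrapper shows up.
        try {
            asUnprivilegedCaller(() -> bareLength(f));
            System.out.println("unprivileged caller, bare call: not denied");
        } catch (AccessControlException e) {
            System.out.println("unprivileged caller, bare call: " + e.getMessage());
        }
    }
}
```

The third case is the one a blanket grant suppresses: the bare `f.length()` is denied only when some frame on the stack belongs to a domain without the file read permission.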
