openjpa-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Albert Lee (JIRA)" <j...@apache.org>
Subject [jira] Updated: (OPENJPA-244) Java 2 Security enablement
Date Mon, 02 Jul 2007 19:26:04 GMT

     [ https://issues.apache.org/jira/browse/OPENJPA-244?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Albert Lee updated OPENJPA-244:
-------------------------------

    Attachment: OPENJPA-244.patch

Craig,

I wrote a small program to test the validity of the required permission for File.length()
and it showed below that proper permission/doPriv is required for this method and it matches
the javadoc description.

------------------------------------------

package test;
import java.io.File;
public class TestFileLength {
    public static void main(String[] args) {
        File f = new File("C:\\a.workspace\\eclipse.workspace\\ejb3.serv1\\testSer\\src\\test\\TestFileLength.java");
        System.out.println(f.length());
    }
}

C:\a.workspace\eclipse.workspace\ejb3.serv1\testSer\build\classes>type j2.security.test.policy
grant {
     permission java.io.FilePermission       "<<ALL FILES>>",    "read";
};

C:\a.workspace\eclipse.workspace\ejb3.serv1\testSer\build\classes>java -cp . test.TestFileLength
1266

C:\a.workspace\eclipse.workspace\ejb3.serv1\testSer\build\classes>java -cp . -Djava.security.manager
test.TestFileLength

Exception in thread "main" java.security.AccessControlException: Access denied (java.io.FilePermission
C:\a.workspace\ec
lipse.workspace\ejb3.serv1\testSer\src\test\TestFileLength.java read)
        at java.security.AccessController.checkPermission(AccessController.java:104)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:886)
        at java.io.File.length(File.java:839)
        at test.TestFileLength.main(TestFileLength.java:38)

C:\a.workspace\eclipse.workspace\ejb3.serv1\testSer\build\classes>java -cp . -Djava.security.manager
-Djava.security.policy=j2.security.test.policy test.TestFileLength
1266

C:\a.workspace\eclipse.workspace\ejb3.serv1\testSer\build\classes>
------------------------------------------

May be the reason the tests passed before is because the first condition of the expression
in XMLFileHandler is false and the f.length() is not evaluated.

-        if (!f.exists() || f.length() == 0)

BTW, scanning for .length() in the source code one more time and I found another instance
of _file.length() that needs the doPriv. I corrected the problem and a new patch is attached.

Albert Lee.



> Java 2 Security enablement
> --------------------------
>
>                 Key: OPENJPA-244
>                 URL: https://issues.apache.org/jira/browse/OPENJPA-244
>             Project: OpenJPA
>          Issue Type: Bug
>    Affects Versions: 0.9.8
>            Reporter: Kevin Sutter
>         Attachments: OPENJPA-244.patch
>
>
> Via some testing with the WebSphere Application Server, it's been discovered that we're
missing some doPriv blocks through out the OpenJPA code base.  This JIRA report will be used
to resolve these issues.  More specific examples will be posted later.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message