tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: [OT] SecurityManager and Java Policy Files
Date Wed, 10 Nov 2010 22:40:24 GMT
On 10/11/2010 21:42, Christopher Schultz wrote:
> To be explicit, if I want a class (say, DbStuff) to be able to make a
> database connection yet prevent other classes from doing so, I need to
> do something like this:
> 
> public class DbStuff
> {
>   protected Connection getConnection()
>   {
>     Connection conn = null;
> 
>     AccessController.doPrivileged(new PrivilegedAction<Connection>() {
>         public Connection run()
>         {
>           DataSource ds = // get from JNDI
>           return ds.getConnection();
>         }
>       });
>   }
> 
>   public List<Person> getPeople()
>   {
>     Connection conn = null;
> 
>     try {
>       conn = getConnection();
> 
>       // SELECT * FROM people
> 
>       return people;
>     }
>   }
> }
> 
> public class MyTest
> {
>   public static void main(String[] args)
>   {
>     new DbStuff().getPeople();
>   }
> }
> 
> So, if I give access to "connect", etc. in my policy file to the DbStuff
> class, then DbStuff can use it's own getConnection method to obtain
> database connections, but MyTest would be unable to, say, use
> DriverManager to create a new connection to the database. Do I have that
> right?

You do, but...

The way DbStuff is written I could extend it and call the protected
getConnection() method directly. You should probably make that method
private.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message