[#DERBY-656] SecurityException with accessDeclaredMembers on DatabaseMetaData.getTables.

Derby

SecurityException with accessDeclaredMembers on DatabaseMetaData.getTables.

Created: 28/Oct/05 02:08 AM Updated: 30/Jun/09 12:14 AM

Return to search

Component/s:

None

Affects Version/s:

10.1.1.0

Fix Version/s:

10.1.2.1, 10.2.1.6

Time Tracking:

Not Specified

Bug behavior facts:	Security
Resolution Date:	02/Nov/05 07:29 AM

Description

« Hide

The code to determine the size of a class is using getDeclaredMembers which requires the permission accessDeclaredMembers. Ideally should not require to grant this permission to derby.jar. Need to see which
class's size was being calculated. The code is not in a priv block which would require granting the permission all the way up the stack.

Maybe if the class's declared memebrs can not be accessed and the value can not be pre-calculkated then some estimate could be made. (using public fields?).

java.security.AccessControlException: Access denied
(java.lang.RuntimePermission accessDeclaredMembers)
       at
java.security.AccessController.checkPermission(AccessController.
java:107)
       at
java.lang.SecurityManager.checkPermission(SecurityManager.java:5
47)
       at
com.ibm.ws.security.core.SecurityManager.checkPermission(Securit
yManager.java:188)
       at
java.lang.SecurityManager.checkMemberAccess(SecurityManager.java
:1677)
       at java.lang.Class.checkMemberAccess(Class.java:104)
       at java.lang.Class.getDeclaredFields(Class.java:508)
       at
org.apache.derby.iapi.services.cache.ClassSize.getSizeCoefficien
ts(Unknown Source)
       at
org.apache.derby.iapi.services.cache.ClassSize.estimateBase(Unkn
own Source)
       at
org.apache.derby.iapi.store.access.BackingStoreHashtable.<cli
nit>(Unknown Source)
       at java.lang.J9VMInternals.initializeImpl(Native
Method)
       at
java.lang.J9VMInternals.initialize(J9VMInternals.java:148)
       at
org.apache.derby.impl.sql.execute.HashTableResultSet.openCore(Un
known Source)
       at
org.apache.derby.impl.sql.execute.JoinResultSet.openRight(Unknow
n Source)
       at
org.apache.derby.impl.sql.execute.JoinResultSet.openCore(Unknown
Source)
       at
org.apache.derby.impl.sql.execute.ProjectRestrictResultSet.openC
ore(Unknown Source)
       at
org.apache.derby.impl.sql.execute.SortResultSet.openCore(Unknown
Source)
       at
org.apache.derby.impl.sql.execute.BasicNoPutResultSetImpl.open(U
nknown Source)
       at
org.apache.derby.impl.sql.GenericPreparedStatement.execute(Unkno
wn Source)
       at
org.apache.derby.impl.jdbc.EmbedStatement.executeStatement(Unkno
wn Source)
       at
org.apache.derby.impl.jdbc.EmbedPreparedStatement.executeStateme
nt(Unknown Source)
       at
org.apache.derby.impl.jdbc.EmbedPreparedStatement.executeQuery(U
nknown Source)
       at
org.apache.derby.impl.jdbc.EmbedDatabaseMetaData.getTables(Unkno
wn Source)

Description

The code to determine the size of a class is using getDeclaredMembers which requires the permission accessDeclaredMembers. Ideally should not require to grant this permission to derby.jar. Need to see which class's size was being calculated. The code is not in a priv block which would require granting the permission all the way up the stack. Maybe if the class's declared memebrs can not be accessed and the value can not be pre-calculkated then some estimate could be made. (using public fields?). java.security.AccessControlException: Access denied (java.lang.RuntimePermission accessDeclaredMembers) at java.security.AccessController.checkPermission(AccessController. java:107) at java.lang.SecurityManager.checkPermission(SecurityManager.java:5 47) at com.ibm.ws.security.core.SecurityManager.checkPermission(Securit yManager.java:188) at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java :1677) at java.lang.Class.checkMemberAccess(Class.java:104) at java.lang.Class.getDeclaredFields(Class.java:508) at org.apache.derby.iapi.services.cache.ClassSize.getSizeCoefficien ts(Unknown Source) at org.apache.derby.iapi.services.cache.ClassSize.estimateBase(Unkn own Source) at org.apache.derby.iapi.store.access.BackingStoreHashtable.<cli nit>(Unknown Source) at java.lang.J9VMInternals.initializeImpl(Native Method) at java.lang.J9VMInternals.initialize(J9VMInternals.java:148) at org.apache.derby.impl.sql.execute.HashTableResultSet.openCore(Un known Source) at org.apache.derby.impl.sql.execute.JoinResultSet.openRight(Unknow n Source) at org.apache.derby.impl.sql.execute.JoinResultSet.openCore(Unknown Source) at org.apache.derby.impl.sql.execute.ProjectRestrictResultSet.openC ore(Unknown Source) at org.apache.derby.impl.sql.execute.SortResultSet.openCore(Unknown Source) at org.apache.derby.impl.sql.execute.BasicNoPutResultSetImpl.open(U nknown Source) at org.apache.derby.impl.sql.GenericPreparedStatement.execute(Unkno wn Source) at org.apache.derby.impl.jdbc.EmbedStatement.executeStatement(Unkno wn Source) at org.apache.derby.impl.jdbc.EmbedPreparedStatement.executeStateme nt(Unknown Source) at org.apache.derby.impl.jdbc.EmbedPreparedStatement.executeQuery(U nknown Source) at org.apache.derby.impl.jdbc.EmbedDatabaseMetaData.getTables(Unkno wn Source)

Show »

All

Comments

Work Log

Change History

Subversion Commits

Sort Order:

Repository	Revision	Date	User	Message
ASF	#330133	Tue Nov 01 22:12:53 UTC 2005	djd	~~DERBY-656~~ Use the size estimates from the catalog to avoid security issues in BackingStoreHashtable. This matches the other uses of the class size utilities, eg. for the DataValueDescriptors.
				Files Changed
				MODIFY /db/derby/code/trunk/java/engine/org/apache/derby/iapi/store/access/BackingStoreHashtable.java

Repository	Revision	Date	User	Message
ASF	#330136	Tue Nov 01 22:28:59 UTC 2005	djd	~~DERBY-656~~ Use the size estimates from the catalog to avoid security issues in BackingStoreHashtable. This matches the other uses of the class size utilities, eg. for the DataValueDescriptors. Merge of 330133 from trunk.
				Files Changed
				MODIFY /db/derby/code/branches/10.1/java/engine/org/apache/derby/iapi/store/access/BackingStoreHashtable.java

[ Permlink | « Hide ]

Daniel John Debrunner added a comment - 02/Nov/05 07:29 AM

Fixed in trunk (330133) and then merged to 10.1 (330136)

Daniel John Debrunner made changes - 02/Nov/05 07:29 AM

Field	Original Value	New Value
Resolution		Fixed [ 1 ]
Fix Version/s		10.2.0.0 [ 11187 ]
Status	Open [ 1 ]	Resolved [ 5 ]
Fix Version/s		10.1.2.1 [ 12310615 ]

Daniel John Debrunner made changes - 12/Jul/06 06:43 AM

Status

Resolved [ 5 ]

Closed [ 6 ]

Dag H. Wanvik made changes - 30/Jun/09 12:12 AM

Derby Categories

[Security]

Dag H. Wanvik made changes - 30/Jun/09 12:14 AM

Component/s

Security [ 11411 ]