Thanks for addressing this Rick!
I think this patch fixes both
DERBY-2811 and DERBY-2814, great.
- There is possibly a bug still:
It seems Derby supports IPv6, found this in the docs:
//accepts connections from other hosts on an IPV6 system
NetworkServerControl serverControl = new
So, it seems, if the user has an IPv6 system, she would give -h "::"
and that might fail with SocketPermission in the same
way as "0.0.0.0"?
- Also, I think we should update the user docs with the fact that this
automatics translation from "0.0.0.0"/"::" to "*" happens; some users
might puzzle over it if they knew the SocketPermission syntax
well.... And perhaps would try supplying Derby with a -h "*"
- Question: When you set derby.drda.host finally (I had some problem
understanding the comment's use of "force"), after Derby has created
its socket and you have possibly change the syntax, so that the
security manager will see the correct syntax when reading the policy
file, the underlying premise is that Derby is done with using its
value for socket creation purposes.
There is code in the server which sends properties to the client,
cf. NetworkServerControlImpl#sendPropInfo->getPropertyValues which
reads the host value from hostArg, rather than from the current value
of derby.drda.host, which is the right thing to do, since, hostArg
has the correct syntax, but it is slightly confusing, since, at that
point in time, the values of sent derby.drda.host (==hostArg) and
server's derby.drda.host will have (possibly syntactically) different
values. Would it perhaps be useful to reset the value of
derby.drda.host to the Derby syntax after the security manager is
done with (I guess you might need to temporarily set it again if
refreshing the security file later though), so as to avoid confusion
and possible bugs down the line?
In short, let derby.drda.host only have the SocketPermission syntax
temporarily when creating security manager and when reloading policy
Or it should be the other way around, that after this point in
time, the syntax will remain compliant with SocketPermission. Either
way, I'd love the comment to explain this in some more detail. Maybe
a comment in Property.java where DRDA_PROP_HOSTNAME is declared and on
declaration of 'hostArg' is due as well.
- I looked at the modified test and decorator but I need to read some
more before I can comment on those changes.