
Restrict direct access to privileged blocks from application code

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.1.1.0, 10.2.1.6
    • Fix Version/s: None
    • Component/s: Miscellaneous
    • Labels:
      None
    • Bug behavior facts:
      Security

      Description

      In looking at the privileged blocks in Derby, several are accessible from application code, either in public/protected methods or in public classes. The fix for this includes:

      • making packages in the jar files sealed wherever possible
      • making classes and methods with privileged blocks as private as possible (private or package for methods, package for classes)

      As Derby moves towards a more client-server approach (e.g. see grant/revoke), I started to perform a security analysis of the privileged blocks, but realised it would be easier if I fixed the obvious problems first.
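      The exposure described in this issue, as an added example that is not Derby's own code: a public class with a public method that wraps `AccessController.doPrivileged`, placed beside the shape the fix asks for (package-private class and method, input checked before privileges are elevated, package sealed in the jar manifest). The package `org.apache.derby.example`, the class names and the `derby.` prefix rule are assumptions made for this example.

```java
// Added example (not Derby's code). Package, class and method names are hypothetical.
package org.apache.derby.example;

import java.security.AccessController;
import java.security.PrivilegedAction;

/**
 * BEFORE: public class, public static method. Any application code that can
 * reach this class runs the property read with the library's own permissions,
 * so a caller that was never granted the relevant PropertyPermission still
 * gets the value, and the caller also chooses which property is read.
 */
public final class PrivilegedBlockExposure {

    private PrivilegedBlockExposure() {}

    public static String readAnyProperty(final String name) {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                return System.getProperty(name);
            }
        });
    }

    /** Demonstration of both paths; without a SecurityManager doPrivileged simply runs the action. */
    public static void main(String[] args) {
        System.setProperty("derby.example.flag", "on"); // constructed sample value
        System.out.println(readAnyProperty("derby.example.flag"));
        System.out.println(InternalPropertyReader.readDerbyProperty("derby.example.flag"));
        try {
            InternalPropertyReader.readDerbyProperty("user.home");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}

/**
 * AFTER: package-private final class with a package-private method, so only
 * code in the same package can call it. Sealing the package in the jar
 * manifest stops application code from adding its own class to that package:
 *
 *   Name: org/apache/derby/example/
 *   Sealed: true
 *
 * The privileged block now covers only the one operation it needs, and the
 * caller-supplied input is constrained before any privilege is elevated.
 */
final class InternalPropertyReader {

    private static final String ALLOWED_PREFIX = "derby.";

    private InternalPropertyReader() {}

    static String readDerbyProperty(final String name) {
        // Validate outside the privileged block: nothing caller-controlled
        // should steer what the elevated code does.
        if (name == null || !name.startsWith(ALLOWED_PREFIX)) {
            throw new IllegalArgumentException("not a derby.* property: " + name);
        }
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                return System.getProperty(name);
            }
        });
    }
}
```

      Compile and run with `javac PrivilegedBlockExposure.java && java org.apache.derby.example.PrivilegedBlockExposure` (on Java 17 and later `AccessController` is deprecated and produces a warning but still compiles). The check a reviewer would make on a real code base is the same as the one this issue proposes: for every `doPrivileged` call, confirm that the enclosing class and method are not reachable from outside the package and that the package is sealed.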


              People

      • Assignee: Unassigned
      • Reporter: djd Daniel John Debrunner
      • Votes: 0
      • Watchers: 0