Derby / DERBY-467

Restrict direct access to privileged blocks from application code

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.1.1.0, 10.2.1.6
    • Fix Version/s: None
    • Component/s: Miscellaneous
    • Labels:
      None
    • Bug behavior facts:
      Security

      Description

      In looking at the privileged blocks in Derby, several are accessible from application code, either in public/protected methods or in public classes. The fix for this includes:

      • making packages in the jar files sealed wherever possible
      • making classes and methods with privileged blocks as private as possible (private or package for methods, package for classes)

      As Derby moves towards a more client server approach (e.g. see grant/revoke) I started to perform a security analysis of the privileged blocks, but realised it would be easier if I fixed the obvious problems first.
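
An added example, not Derby code, of the two measures listed in the description: a privileged block reachable through a public class and method, next to the same block behind package and private visibility in a sealed package. The package, class and property names are hypothetical; it uses the `java.security.AccessController` API that privileged blocks are written with, which current JDKs mark as deprecated.

```java
// Added illustration: package, class and property names are hypothetical, not Derby's.
// Seal the package in the jar manifest so classes from another code source cannot
// join example.engine and reach its package-private members:
//   Name: example/engine/
//   Sealed: true
package example.engine;

import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.security.AccessController;
import java.security.PrivilegedAction;

public class PrivilegedVisibilityDemo {
    /** Before: public class and method; any caller chooses the key read with the engine's permissions. */
    public static class ExposedProps {
        public static String read(final String key) {
            return AccessController.doPrivileged(new PrivilegedAction<String>() {
                public String run() { return System.getProperty(key); }
            });
        }
    }

    /** After: package-private class, private privileged block, key fixed by the engine. */
    static final class ScopedProps {
        private static final String HOME_KEY = "example.engine.home"; // hypothetical property
        private ScopedProps() {}
        static String engineHome() { return readPrivileged(HOME_KEY); }
        private static String readPrivileged(final String key) {
            return AccessController.doPrivileged(new PrivilegedAction<String>() {
                public String run() { return System.getProperty(key); }
            });
        }
    }

    /** Simplified audit: is the class public with a public or protected declared method? */
    static boolean reachableFromOutside(Class<?> c) {
        if (!Modifier.isPublic(c.getModifiers())) return false;
        for (Method m : c.getDeclaredMethods()) {
            int mod = m.getModifiers();
            if (Modifier.isPublic(mod) || Modifier.isProtected(mod)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        System.out.println("ExposedProps reachable: " + reachableFromOutside(ExposedProps.class));
        System.out.println("ScopedProps reachable:  " + reachableFromOutside(ScopedProps.class));
    }
}
```

The reflection check ignores members inherited through public subclasses or interfaces, so treat it as a first pass over classes that contain privileged blocks rather than a complete reachability analysis.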

          Activity

          Daniel John Debrunner added a comment -

          Stopping SQL routines accessing the privileged blocks is through DERBY-2331 and DERBY-2330


            People

            • Assignee: Unassigned
            • Reporter: Daniel John Debrunner
            • Votes: 0
            • Watchers: 0
