Derby
  1. Derby
  2. DERBY-626

Booting embedded engine requires read permission to derby.jar be granted for all code in the stack

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 10.1.1.0, 10.2.1.6
    • Fix Version/s: 10.1.2.1, 10.2.1.6
    • Component/s: Services
    • Labels:
      None
    • Bug behavior facts:
      Security

      Description

      When running in a security manager the embedded engine uses ClassLoader.getResources() to obtain the set of modules.properties files. This method returns an empty set if running in a security manager and permission has not been granted to read derby.jar to all code in the stack, unless the method is executed in a privileged block.

      This is a regression early on in Derby's life and was not caught because of lack of testing under the security manager and was hidden by the need to grant read permission for DERBY-622.

      The embedded code does not need this permission to be granted since 'Note: code can always read a file from the same directory it's in (or a subdirectory of that directory); it does not need explicit permission to do so.'

      Need to re-factor code to ensure that the call to getResources and opening the resulting URL is all in a privileged block.

        Issue Links

          Activity

          Daniel John Debrunner created issue -
          Hide
          Daniel John Debrunner added a comment -

          Blocks 615 as without granting read permission to all code every test fails when run under the security manager, and granting such permission can hide bugs.

          Show
          Daniel John Debrunner added a comment - Blocks 615 as without granting read permission to all code every test fails when run under the security manager, and granting such permission can hide bugs.
          Daniel John Debrunner made changes -
          Field Original Value New Value
          Link This issue blocks DERBY-615 [ DERBY-615 ]
          Hide
          Daniel John Debrunner added a comment -

          Will try to merge this to 10.1

          Show
          Daniel John Debrunner added a comment - Will try to merge this to 10.1
          Daniel John Debrunner made changes -
          Fix Version/s 10.1.2.1 [ 12310615 ]
          Hide
          Daniel John Debrunner added a comment -

          Changes for DERBY-615 that enable secuirty manager by default show that the bug is indeed fixed.
          Trunk changes merged to 10.1 svn revision 330110.

          Show
          Daniel John Debrunner added a comment - Changes for DERBY-615 that enable secuirty manager by default show that the bug is indeed fixed. Trunk changes merged to 10.1 svn revision 330110.
          Daniel John Debrunner made changes -
          Resolution Fixed [ 1 ]
          Fix Version/s 10.2.0.0 [ 11187 ]
          Status Open [ 1 ] Resolved [ 5 ]
          Daniel John Debrunner made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Dag H. Wanvik made changes -
          Derby Categories [Security]
          Dag H. Wanvik made changes -
          Component/s Security [ 11411 ]
          Gavin made changes -
          Workflow jira [ 12331152 ] Default workflow, editable Closed status [ 12800611 ]
          Transition Time In Source Status Execution Times Last Executer Last Execution Date
          Open Open Resolved Resolved
          18d 59m 1 Daniel John Debrunner 02/Nov/05 04:34
          Resolved Resolved Closed Closed
          252d 2h 9m 1 Daniel John Debrunner 12/Jul/06 07:43

            People

            • Assignee:
              Daniel John Debrunner
              Reporter:
              Daniel John Debrunner
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development