[JSPWIKI-129] JSPWIki cannot run under a security manager - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: In Progress
Priority: Major
Resolution: Unresolved
Affects Version/s: 2.4.104, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.8, 2.8.1, 2.8.2, 2.8.3, 2.8.4
Fix Version/s: None
Component/s: Authentication & Authorization
Labels:
None
Environment:

All

Description

JSPWiki cannot be used when running a security manager. Containers that run by default with a security manager include Oracle Application Server and Tomcat when run with the '-server' option.

In all cases, the root cause is the same: the security policy for the container needs to include the Permissions needed to execute JSPWiki. However, full enumeration of the Permissions needed is complicated significantly by the fact that JSPWiki does not compartmentalized privileged calls the way it should. For example, any code in JSPWiki that accesses files should be enclosed by AccessController.doPrivileged() blocks.

The result of our current approach (or rather, lack of privileged code compartmentalization) means that an effective policy cannot be written.

This bug is to remind ARJ that he needs to work on this. He is currently writing some diagnostic tools that will make this process easier. However, it's going to take a while...

Attachments

Issue Links

is duplicated by

JSPWIKI-322 Including failed, got a servlet exception from sub-page ViewTemplate.jsp

Closed

JSPWIKI-698 properties not accessible

Closed

Sub-Tasks

There are no Sub-Tasks for this issue.

Activity

People

Assignee:: Andrew R. Jaquith

Reporter:: Andrew R. Jaquith

Votes:: 2 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 11/Jan/08 05:03

Updated:: 18/Sep/11 18:35