[security-dev] Fwd: [javaee-spec users] [jsr342-experts] security permissions for libraries
lightguard.jp at gmail.com
Mon Nov 19 09:06:33 EST 2012
Not sure who's seen this yet.
Begin forwarded message:
> From: Bill Shannon <bill.shannon at oracle.com>
> Date: November 16, 2012, 17:18:12 MST
> To: jsr342-experts at javaee-spec.java.net
> Subject: [javaee-spec users] [jsr342-experts] security permissions for libraries
> Reply-To: jsr342-experts at javaee-spec.java.net
> As described in this document:
> we plan to add the ability to include a permissions.xml file with an
> application to control what security permissions the application gets.
> Our intent was to support this only at the module level, e.g., only for a
> war file, ejb-jar file, or app client jar file. This raises a question
> I'd like your opinion on...
> What permissions should apply to libraries in the "lib" directory of an
> ear file?
> Ultimately we'd like to allow each such library to include a permissions.xml
> file of its own, but even then we need to decide what permissions should
> apply if the library doesn't include a permissions.xml file.
> Remember that libraries are available to all modules of the application.
> There seem to be a few options:
> 1. The permissions for the library are the same as the permissions for
> the code that calls the library. If the library code is called from
> a war file, it gets the permissions of the war file. If the same
> library is called from an ejb-jar file, it gets the permissions of
> the ejb-jar file.
> 2. The permissions for the library are the default permissions for the
> container calling the library. As above, the permissions would vary
> based on what code calls the library, but would always be the default
> permissions for that container, even though the calling code might
> have more or fewer permissions than the default. (It's not clear to
> me that this is implementable.)
> 3. We allow a permissions.xml file to be included in the "lib" directory.
> All the libraries in the "lib" directory get these permissions, no
> matter which container is calling them.
> Note that in addition to libraries in the "lib" directory of an ear file,
> modules can use a Class-Path entry to reference other libraries anywhere
> in the ear file. I think #1 above is the only viable choice for this
> Again, in a future release we hope to support a permissions.xml file in
> the library jar file itself.
> How do you think we should handle security permissions for libraries in
> this release?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the security-dev