[weld-dev] Should you allow starting of an external container from mvn test?
Steven Boscarine
steven.boscarine at childrens.harvard.edu
Mon Dec 28 11:13:10 EST 2009
Hmm....
Sorry to come to the conversation late on this, but this e-mail is
raising a potential red flag for me. I apologize if this has been
already addressed and I missed it, but...
Controlling the lifecycle of a non-embedded container from a build is
something you want to be very careful about from a security perspective.
Now, if you have a plugin that requires an explicit command as well as a
link in a settings.xml, that seems perfectly reasonable.
I am worried that a someone running "mvn test" for application foo.war
could startup non-foo wars because they were deployed to a local container.
Also, I am concerned that it may startup the wrong container and cause
similar problems. I usually work on multiple applications at a time and
have a container for foo.war and a separate container for bar.war. I
may think it is starting up foo's container, but it may startup bar's
container and cause trouble.
For me, that can get really dangerous because my applications contact
external resources on startup as well as access things like files and
bdb databases that are not suitable for usage by multiple applications.
They could corrupt the file with simultaneous writes or more likely
write duplicate or erroneous data.
I know I sound like a member of the "tin-foil-hat-club" here, but I deal
with patient data, so my apps are required by law to be paranoid about
security.
On 12/27/2009 03:54 PM, Dan Allen wrote:
> Awesome, that will be a good feature to get in.
>
> - Dan Allen
>
> Sent from my Android-powered phone:
> An open platform for carriers, consumers
> and developers.
>
>> On Dec 27, 2009 1:35 PM, "Aslak Knutsen" <aslak at conduct.no
>> <mailto:aslak at conduct.no>> wrote:
>>
>> Arquillian 'starts' it, but the container impl does not actually
>> start a not started jboss instance.
>>
>> https://jira.jboss.org/jira/browse/ARQ-48
>>
>> -aslak- 2009/12/27 Dan Allen <dan.j.allen at gmail.com
>> <mailto:dan.j.allen at gmail.com>> > > +1 on the standalone CDI
>> bootstap. I think...
>>
>> --
>> --
>>
>> Aslak Knutsen; +47 952 38 791; fax +47 22 33 60 24
>>
>> Kongens gate 14; Boks 805 Sentrum, 0104 Oslo; http://www.conduct.no;
>> mailto:aslak at conduct.no <mailto:aslak at conduct.no> Conduc...
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/weld-dev/attachments/20091228/ddc630cd/attachment.html
More information about the weld-dev
mailing list