[
https://jira.jboss.org/jira/browse/DNA-499?page=com.atlassian.jira.plugin...
]
Brian Carothers commented on DNA-499:
-------------------------------------
It appears that JBoss may have a pattern (formal or informal) for isolating privileged
actions on a per package level:
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozil...
We probably need to research whether this is a true pattern (as opposed to the way that
one developer solved the same problem in different places) and, if so, comply with it.
Wrap system access, context class loader access, and reflection with
doPrivileged
---------------------------------------------------------------------------------
Key: DNA-499
URL:
https://jira.jboss.org/jira/browse/DNA-499
Project: DNA
Issue Type: Bug
Components: API, Common, Connectors, Examples, Federation, Graph, JCR, Maven
Classloader, Sequencers
Affects Versions: 0.5
Reporter: Randall Hauch
Assignee: Vijay Kiran Duvvuri
Fix For: 0.7
Attachments: DNA-499.1.patch
Several activities should make use of the Java SecurityManager to ensure the caller has
the appropriate privileges to perform the activity. These activities should be wrapped in
a block such as the following:
String lineSeparator = java.security.AccessController.doPrivileged(
new java.security.PrivilegedAction<String>() {
public String run() {
return System.getProperty("line.separator");
}
}
);
obviously with the correct generic type for whatever is being returned from the run.
(Nice and concise, huh? Ugh.)
We need to go through all of the (non-test) code and add this checking (if it is not
already there) when the following types of activities are performed:
- System.getProperty
- System.setProperty
- Thread.currentThread().getContextClassLoader()
- All code executed via reflection
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira