Two things are needed:
1. A permission grant for RuntimePermission or a java.security.AllPermission for the ejb3
interceptor codebase. Looking at the testsuite/src/resources/securitymgr/server.policy it
is using java.security.AllPermission for the jboss lib dirs so that should be good.
2. A privileged block in the Ejb3AuthenticationInterceptorv2 around the call to the
JBossSecurityContext.setSecurityManagement at line 119:
| SecurityActions.setSecurityContext(sc); // line 116, need similar call for setSecurityManagement
|
| //TODO: Need to get the SecurityManagement instance
| sc.setSecurityManagement(getSecurityManagement());
|
There is already a privileged block method in the SecurityActions for the call to set the
SecurityManagement on the SecurityContext. Something similar is needed for the
SecurityManagement:
| static void setSecurityManagement(final SecurityContext sc, final ISecurityManagement sm)
| {
|    AccessController.doPrivileged(new PrivilegedAction<Object>(){
|
|       public Object run()
|       {
|          sc.setSecurityManagement(sm);
|          return null;
|       }});
| }
|
or, the following if the SecurityContext should be obtained based on the previous
SecurityActions.setSecurityContext(sc) call:
| static void setSecurityManagement(final ISecurityManagement sm)
| {
|    AccessController.doPrivileged(new PrivilegedAction<Object>(){
|
|       public Object run()
|       {
|          SecurityContext sc = getSecurityContext();
|          sc.setSecurityManagement(sm);
|          return null;
|       }});
| }
|
The TODO about having the SecurityManagement instance injected rather than created anew
each time also seems like an issue.