[
https://jira.jboss.org/jira/browse/GPD-278?page=com.atlassian.jira.plugin...
]
Jervis Liu commented on GPD-278:
--------------------------------
How about the workaround I suggested in SOA-1065? It is not ideal, but it fits for a "micro/patch release", and it is also consistent with the approach taken by JBoss ESB.

"A quick fix can be something like what has been done in ESB, i.e., having a property called "supportMessageBasedScripting" in the jBPM process configuration file. Turning this flag on means the owner of this piece of code is fully aware of what his/her process will be doing and of the security-related implications. By default this flag is turned off. Please refer to https://jira.jboss.org/jira/browse/JBESB-1561

But I agree that a long-term proper fix would have to have SecurityManager involved."
Security issue allows arbitrary java code to be deployed and executed
---------------------------------------------------------------------
Key: GPD-278
URL: https://jira.jboss.org/jira/browse/GPD-278
Project: JBoss jBPM GPD
Issue Type: Bug
Components: jpdl
Reporter: Thomas Diesler
Assignee: Koen Aers
The GPD circumvents the JBoss deployer architecture and hence allows arbitrary code to be executed on the AS.