[ https://jira.jboss.org/jira/browse/JBPM-1958?page=com.atlassian.jira.plug... ]
Tom Baeyens commented on JBPM-1958:
-----------------------------------
My latest email in the SOA platform mailing list thread on this topic:
"
the only thing we must prevent from a product standpoint is that clients deploy this in
production without them knowing. just like with the jmx-console.
there is absolutely NO need to start introducing weird security things. the feature to
deploy from designer to runtime engine is targeted for easy development, not for
production usage.
so we should not be spending effort to build a very complex solution so that a developer
can VERY SECURELY deploy a process archive on his own machine :-) that is a waste of
our time. so no security is needed in development.
at the same time, an operator is not going to fire up his eclipse to get the latest
processes from svn and then deploy them with the designer plugin to the production DB.
:-) so the designer deployment feature is not needed in production.
so
1) we should offer that functionality out of the box to our developers in the project
download.
2) in the product, people do not expose this functionality on the internet without
knowing about it. which means that in a default production installation this should be
turned off.
which is exactly how it is done currently.
so i don't think there needs to be anything improved.
regards, tom.
"
since no-one replied, i think we can safely :-) mark this issue as rejected.
Security issue allows arbitrary java code to be deployed and executed
---------------------------------------------------------------------
Key: JBPM-1958
URL: https://jira.jboss.org/jira/browse/JBPM-1958
Project: JBoss jBPM
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Console
Reporter: Thomas Diesler
Assignee: Koen Aers
Priority: Critical
Fix For: jBPM 3.2.6 GA
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
For more information on JIRA, see:
http://www.atlassian.com/software/jira