[
https://jira.jboss.org/jira/browse/JBPM-1958?page=com.atlassian.jira.plug...
]
Thomas Diesler commented on JBPM-1958:
--------------------------------------
Deployments of jBPM processes should indeed not be handled differently than any other
deployment to the JBoss AS, i.e. everything goes through the main deployer.
A SecurityManager would not fix the issue, because it cannot distinguish between processes
that should be allowed certain API calls and processes that should not be allowed to call
certain API.
Not only System.exit(0) is a problem here, but also malicious file access on the server
box, for example. It should be obvious that once a malicious deployment makes it into the
server it cannot be prevented from doing its dirty work.
Therefore, deployment of the process must be secured in the first place. Deployment
security is a property of the JBoss deployer architecture and not the jBPM system. That
jBPM shortcuts the JBoss MainDeployer by using a naive servlet-based deployment approach
is probably the real issue.
Security issue allows arbitrary java code to be deployed and executed
---------------------------------------------------------------------
Key: JBPM-1958
URL: https://jira.jboss.org/jira/browse/JBPM-1958
Project: JBoss jBPM
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Console
Reporter: Thomas Diesler
Assignee: Thomas Diesler
Fix For: jBPM 3.2.6 GA