At the same time I think we also need a better review of how
PrivilegedActions are actually used - we kind of have an approach of
using one every time we do something that could perform a security
manager check but really there are cases where the action should be
higher up the call stack.
Secondly we also need additional checking that parameters passed to a
privileged action are correctly sanitised.
Regards,
Darran Lofthouse.
On 26/09/14 14:21, David M. Lloyd wrote:
There are several people (myself included) who have been using
RuntimePermission as an easy way to define simple permissions for
various purposes. However, by spec [1] the possible values of
RuntimePermission are limited to a specific set defined by the JDK itself.
Therefore our extensive usage of this permission in WildFly [2] and
elsewhere needs to be revisited, and replaced with more specifically
applicable permission types. I've created WFLY-3902 [3] to cover the
main portion of this work, however, non-core project members should also
perform this same examination to fix this issue in their projects.
[1] http://docs.oracle.com/javase/7/docs/api/index.html?java/lang/RuntimePerm...
[2] http://fpaste.org/136720/37116141/raw/
[3] https://issues.jboss.org/browse/WFLY-3902
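
Added example, not part of the thread and not WildFly code: a sketch of the kind of project-specific permission type that could stand in for an ad hoc RuntimePermission name. The class name ExampleSubsystemPermission and its target names are hypothetical. The checks run against a plain PermissionCollection, so no security manager is needed.

```java
import java.security.BasicPermission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical permission type; the class name and target names are assumptions.
final class ExampleSubsystemPermission extends BasicPermission {
    private static final long serialVersionUID = 1L;

    // Closed set of targets this type owns ("*" is the BasicPermission wildcard).
    private static final Set<String> TARGETS = new HashSet<>(
            Arrays.asList("getConfiguration", "modifyConfiguration", "*"));

    public ExampleSubsystemPermission(String name) {
        super(validate(name));
    }

    // Two-argument form used when a permission is built from a policy entry;
    // this type defines no actions, so the second argument is ignored.
    public ExampleSubsystemPermission(String name, String actions) {
        this(name);
    }

    // Reject unknown targets so a typo cannot create a permission nothing checks.
    private static String validate(String name) {
        if (name == null || !TARGETS.contains(name)) {
            throw new IllegalArgumentException("Unknown target name: " + name);
        }
        return name;
    }
}

public class PermissionTypeDemo {
    public static void main(String[] args) {
        PermissionCollection granted = new Permissions();
        granted.add(new ExampleSubsystemPermission("getConfiguration"));

        // Same type, same target.
        System.out.println(granted.implies(new ExampleSubsystemPermission("getConfiguration")));
        // Same type, different target.
        System.out.println(granted.implies(new ExampleSubsystemPermission("modifyConfiguration")));
        // Same target name carried by RuntimePermission, which is a different type.
        System.out.println(granted.implies(new RuntimePermission("getConfiguration")));
    }
}
```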