[jboss-dev-forums] [Design of Security on JBoss] - Re: Invalid Issue: SECURITY-340
scott.stark@jboss.org
do-not-reply at jboss.com
Thu Dec 11 14:05:43 EST 2008
Two things are needed:
1. A permission grant for RuntimePermission or a java.security.AllPermission for the ejb3 interceptor codebase. Looking at the testsuite/src/resources/securitymgr/server.policy it is using java.security.AllPermission for the jboss lib dirs so that should be good.
2. A privileged block in the Ejb3AuthenticationInterceptorv2 around the call to the JBossSecurityContext.setSecurityManagement at line 119:
| SecurityActions.setSecurityContext(sc); // line 116, need similar call for setSecurityManagement
|
| //TODO: Need to get the SecurityManagement instance
| sc.setSecurityManagement(getSecurityManagement());
|
There is already a privileged block method in the SecurityActions for the call to set the SecurityManagement on the SecurityContext. Something similar is needed for the SecurityManagement:
| static void setSecurityManagement(final SecurityContext sc, final ISecurityManagement sm)
| {
|    AccessController.doPrivileged(new PrivilegedAction<Object>(){
|
|       public Object run()
|       {
|          sc.setSecurityManagement(sm);
|          return null;
|       }});
| }
|
or, the following if the SecurityContext should be obtained based on the previous SecurityActions.setSecurityContext(sc) call:
| static void setSecurityManagement(final ISecurityManagement sm)
| {
|    AccessController.doPrivileged(new PrivilegedAction<Object>(){
|
|       public Object run()
|       {
|          // Look up the context stored by the earlier setSecurityContext(sc) call
|          SecurityContext sc = getSecurityContext();
|          sc.setSecurityManagement(sm);
|          return null;
|       }});
| }
|
The TODO about having the SecurityManagement instance injected rather than created anew each time also seems like an issue.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4196041#4196041
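
The following is an added example, not part of the original post or the JBoss code base. It shows why both items are needed: the policy must trust the code that makes the call, and a privileged block must stop the stack walk before it reaches a caller that holds no permissions. The class name, the permission name and the in-code Policy are constructed stand-ins, and the code assumes a JDK that still implements the Security Manager APIs (JDK 8 to 17).

```java
import java.security.*;

public class PrivilegedBlockDemo {
    // Constructed name; stands in for the RuntimePermission the real setter checks.
    static final Permission PERM = new RuntimePermission("demo.setSecurityManagement");

    // Stand-in for the guarded setter: every protection domain on the stack must hold PERM.
    static void guardedSetter() {
        AccessController.checkPermission(PERM);
    }

    // Stand-in for a SecurityActions helper: the stack walk stops at this frame.
    static void privilegedSetter() {
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            public Object run() {
                guardedSetter();
                return null;
            }
        });
    }

    // Runs 'call' beneath a caller whose protection domain holds no permissions.
    static boolean allowedFromUnprivilegedCaller(final Runnable call) {
        ProtectionDomain none = new ProtectionDomain(null, new Permissions());
        AccessControlContext caller = new AccessControlContext(new ProtectionDomain[] { none });
        try {
            AccessController.doPrivileged(new PrivilegedAction<Object>() {
                public Object run() {
                    call.run();
                    return null;
                }
            }, caller);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Plays the role of the AllPermission grant in server.policy: trust code that has a CodeSource.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) {
                return d.getCodeSource() != null;
            }
        });
        System.out.println("direct call:      " + allowedFromUnprivilegedCaller(PrivilegedBlockDemo::guardedSetter));
        System.out.println("privileged block: " + allowedFromUnprivilegedCaller(PrivilegedBlockDemo::privilegedSetter));
    }
}
```

The direct call is denied because the unprivileged caller's domain is still part of the checked context; the privileged call succeeds only because the policy also trusts the class that contains the doPrivileged block.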