[jboss-dev-forums] [Design of POJO Server] - Re: VFS Permissions - JBMICROCONT-149

[adrian@jboss.org]

"anil.saldhana at jboss.com" wrote : Currently, the classloader system is the issue to get AS5 working under a security manager.  Your approach of security.xml did the same (introduction of SM after the CL). 
  | 
  | file:/some/directory/my.jar/sub.jar is still being opened and its permissions read by the Policy implementation. 
  | 

It can't do, the URL is invalid. The correct permission is to be able to read
file:/some/directory/my.jar

anonymous wrote : 
  | This is where we have issues.  We cannot read the vfs urls and the introduction of the VFS handlers into bootstrap is unknown territory at the moment.
  | 

But if you fix that problem (which from my point of view you don't need to do
since  the security.xml solves the problem and makes the configuration easier)
then the issue is what permissions you add to the class based on the codesource.

If the VFS URLHandler had its own permission which implied the relevant
file/socket/net permission(s) then all we'd need to do is retrieve that permission 
from the VFS url and add it.

e.g.
new VFSPermission("vfsfile:/blah/path/file", ...) imples 
new FilePermission("/blah/path/file", ...)
and similarly for whatever is required for zip/jar files

This removes the url hacking for permissions and places the url mapping problem in the
VFS url handlers where they belong.
The url hacking is still required if somebody wants to use the file: url as the codesource,
but it must be the correct one, i.e. the url of the top level jar file.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4188149#4188149

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4188149