[jboss-jira] [JBoss JIRA] Commented: (JBNAME-8) Security Permissions for JNDI sensitive operations

Scott M Stark (JIRA) jira-events at lists.jboss.org
Thu Oct 2 12:08:21 EDT 2008 

    [ https://jira.jboss.org/jira/browse/JBNAME-8?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12432261#action_12432261 ] 

Scott M Stark commented on JBNAME-8:
------------------------------------


I have added security permission checks when running under a security manager to the jnpserver project for the 5.0.0.CR3 release. The following RuntimePermissions are required for sensitive NamingContext operations:

NamingContext.getHANamingServerForPartition requires RuntimePermission("org.jboss.naming.NamingContext.getHANamingServerForPartition");
NamingContext.setHANamingServerForPartition/removeHANamingServerForPartition requires RuntimePermission("org.jboss.naming.NamingContext.setHANamingServerForPartition");
NamingContext.getLocal requires RuntimePermission("org.jboss.naming.NamingContext.getLocal");
NamingContext.setLocal requires RuntimePermission("org.jboss.naming.NamingContext.setLocal");

The NamingServer has a new org.jboss.naming.JndiPermission(String path, String actions) permission that is adopted from the OpenJDK java.io.FilePermission. It uses only the unix '/' path separator, and has the following actions:
bind - Context.bind permission
rebind - Context.rebind permission
unbind - Context.unbind permission.
lookup - Context.lookup permission.
list - Context.list permission.
listBindings - Context.listBindings permission.
createSubcontext - Context.createSubcontext permission
* - alias for all of the above actions

It also has a special path name <<ALL BINDINGS>> that matches any jndi path, similar to the FilePermission <<ALL FILES>> path.



> Security Permissions for JNDI sensitive operations
> --------------------------------------------------
>
>                 Key: JBNAME-8
>                 URL: https://jira.jboss.org/jira/browse/JBNAME-8
>             Project: JBoss Naming
>          Issue Type: Task
>          Components: jnpserver
>    Affects Versions: 5.0.0.CR2
>            Reporter: Anil Saldhana
>            Assignee: Scott M Stark
>             Fix For: 5.0.0.CR3
>
>
> ctx.rebind is the most critical.
> Please add perms to all JNDI ops.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list