[jboss-jira] [JBoss JIRA] (WFLY-11630) JDBC datasource should be granted the connect SocketPermission
Ondrej Kotek (Jira)
issues at jboss.org
Tue Jan 22 09:24:00 EST 2019
Ondrej Kotek created WFLY-11630:
-----------------------------------
Summary: JDBC datasource should be granted the connect SocketPermission
Key: WFLY-11630
URL: https://issues.jboss.org/browse/WFLY-11630
Project: WildFly
Issue Type: Bug
Components: JCA, Security
Affects Versions: 16.0.0.Beta1
Reporter: Ondrej Kotek
Assignee: Flavia Rainone
When a deployment uses connection on a JDBC datasource, the deployment needs the {{connect}} {{SocketPermission}} granted.
For example
{noformat}
...
DataSource ds = (DataSource) ctx.lookup("java:jboss/datasources/ExampleDS");
Connection conn = ds.getConnection();
...
{noformat}
may require {{permissions.xml}} like
{noformat}
<permissions version="7">
<!-- Connections to databases -->
<permission>
<class-name>java.net.SocketPermission</class-name>
<name>*</name> <!-- This can be hardened by using specific URLs/IPs -->
<actions>resolve,connect</actions>
</permission>
</permissions>
{noformat}
However, {{resolve}} {{SocketPermission}} should be enough. The JCA spec states, at the 21.2 session (SecurityPermissions), the rar should always be granted the {{connect}} {{SocketPermission.}} JDBC extends the JCA spec.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
More information about the jboss-jira
mailing list