[wildfly-dev] Security manager and RuntimePermission
Darran Lofthouse
darran.lofthouse at jboss.com
Fri Sep 26 09:27:44 EDT 2014
At the same time I think we also need a better review of how
PrivilegedActions are actually used - we kind of have an approach of
using one every time we do something that could perform a security
manager check but really there are cases where the action should be
higher up the call stack.
Secondly we also need additional checking that parameters passed to a
privileged action are correctly sanitised.
Regards,
Darran Lofthouse.
On 26/09/14 14:21, David M. Lloyd wrote:
> There are several people (myself included) who have been using
> RuntimePermission as an easy way to define simple permissions for
> various purposes. However, by spec [1] the possible values of
> RuntimePermission are limited to a specific set defined by the JDK itself.
>
> Therefore our extensive usage of this permission in WildFly [2] and
> elsewhere needs to be revisited, and replaced with more specifically
> applicable permission types. I've created WFLY-3902 [3] to cover the
> main portion of this work, however, non-core project members should also
> perform this same examination to fix this issue in their projects.
>
> [1]
> http://docs.oracle.com/javase/7/docs/api/index.html?java/lang/RuntimePermission.html
> [2] http://fpaste.org/136720/37116141/raw/
> [3] https://issues.jboss.org/browse/WFLY-3902
>
More information about the wildfly-dev
mailing list