[wildfly-dev] Security manager and RuntimePermission

Darran Lofthouse darran.lofthouse at jboss.com
Fri Sep 26 09:27:44 EDT 2014

At the same time I think we also need a better review of how 
PrivilegedActions are actually used - we kind of have an approach of 
using one every time we do something that could perform a security 
manager check but really there are cases where the action should be 
higher up the call stack.

Secondly we also need additional checking that parameters passed to a 
privileged action are correctly sanitised.

Darran Lofthouse.

On 26/09/14 14:21, David M. Lloyd wrote:
> There are several people (myself included) who have been using
> RuntimePermission as an easy way to define simple permissions for
> various purposes.  However, by spec [1] the possible values of
> RuntimePermission are limited to a specific set defined by the JDK itself.
> Therefore our extensive usage of this permission in WildFly [2] and
> elsewhere needs to be revisited, and replaced with more specifically
> applicable permission types.  I've created WFLY-3902 [3] to cover the
> main portion of this work, however, non-core project members should also
> perform this same examination to fix this issue in their projects.
> [1]
> http://docs.oracle.com/javase/7/docs/api/index.html?java/lang/RuntimePermission.html
> [2] http://fpaste.org/136720/37116141/raw/
> [3] https://issues.jboss.org/browse/WFLY-3902

More information about the wildfly-dev mailing list