Improve integration with Java's security manager

Description

Currently we wrap all reflection calls in PrivilegedAction. This way Validators need the following grants in the policy file:

However, this also means that a user might now use ReflectionHelper to execute reflection calls which otherwise would not be allowed. To prevent this we need a Validator specific permission type. Something like this:

Environment

None

Activity


Hardy Ferentschik July 16, 2014 at 1:55 PM

Yes, we basically need to remove the methods in ReflectionHelper and have each caller do its own doPrivileged() block, passing the right action. Basically we need to copy the run() method into each caller class. It's a bit un-DRY, but I don't see a way around it.

+1 I don't see another way either

On a related note, we should also seal the JAR to prevent code being added to HV packages at other places.

Hmm, tbh I had not even heard of this until now. Sounds reasonable. Maybe this should be against a different issue though.
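The privilege hole described in the issue and the two remedies discussed above (a Validator-specific permission checked by the helper, and each caller opening its own doPrivileged() block with a private action) shown side by side. This is an added illustration, not Hibernate Validator's own code: the class names, the ValidatorPermission type and the policy entry in the comments are assumptions.

```java
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedAction;

// Hypothetical Validator-specific permission (the issue asks for one but the
// page does not show its definition). Extending BasicPermission allows a
// name-based grant in the policy file, e.g. (constructed example):
//   grant codeBase "file:/path/to/validator.jar" {
//       permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
//       permission ValidatorPermission "accessMembers";
//   };
final class ValidatorPermission extends BasicPermission {
    ValidatorPermission(String name) { super(name); }
}

// BEFORE (the hole): a reachable helper wraps reflection in doPrivileged().
// Stack inspection stops at this frame, so only the helper's own protection
// domain (which holds "suppressAccessChecks") is checked, never the domain of
// whoever called the helper. Any code that can call this method can strip
// access checks from arbitrary fields.
final class LeakyReflectionHelper {
    static void setAccessible(final Field field) {
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override public Void run() { field.setAccessible(true); return null; }
        });
    }
}

// AFTER: the helper no longer opens a privileged block itself. It first
// demands the Validator-specific permission, which is checked against every
// domain on the stack up to the nearest doPrivileged() boundary, and only then
// performs the reflective call. Foreign code calling it directly has no such
// boundary of its own, so its domain is checked and fails without the grant.
final class GuardedReflectionHelper {
    private static final ValidatorPermission ACCESS_MEMBERS =
            new ValidatorPermission("accessMembers");

    static void setAccessible(Field field) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(ACCESS_MEMBERS); // AccessControlException for untrusted callers
        }
        field.setAccessible(true);
    }
}

// The per-caller pattern from the comments: the caller carries its own private
// PrivilegedAction (the "copied run() method"), so the doPrivileged() boundary
// is this class's frame and the helper's permission check sees only the
// validator's domain. The action is private, so it cannot be reused by others.
final class BeanMetaDataReader {
    private static final class SetAccessible implements PrivilegedAction<Void> {
        private final Field field;
        SetAccessible(Field field) { this.field = field; }
        @Override public Void run() { GuardedReflectionHelper.setAccessible(field); return null; }
    }

    static Object read(Field field, Object target) throws IllegalAccessException {
        AccessController.doPrivileged(new SetAccessible(field));
        return field.get(target);
    }
}

public class SecurityManagerDemo {
    private String secret = "hidden";

    public static void main(String[] args) throws Exception {
        Field f = SecurityManagerDemo.class.getDeclaredField("secret");
        // With no SecurityManager installed both helpers succeed. Run with
        // -Djava.security.manager and a policy that grants the permissions above
        // only to the validator code base: BeanMetaDataReader.read() still works,
        // while a direct call to GuardedReflectionHelper.setAccessible() from
        // application code is rejected.
        System.out.println(BeanMetaDataReader.read(f, new SecurityManagerDemo()));
    }
}
```

The permission check in the guarded helper deliberately happens before any privileged block is opened, otherwise it would be answered by the helper's own domain and protect nothing.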

Gunnar Morling July 16, 2014 at 11:57 AM

Yes, we basically need to remove the methods in ReflectionHelper and have each caller do its own doPrivileged() block, passing the right action. Basically we need to copy the run() method into each caller class. It's a bit un-DRY, but I don't see a way around it.

On a related note, we should also seal the JAR to prevent code being added to HV packages at other places.

Hardy Ferentschik July 15, 2014 at 9:34 PM

At the time, each client side call to the reflection helpers was creating the right privilege block. I think the intent later was to DRY and mutualise the code but that opened up that privilege hole.

That sounds about right.

Emmanuel Bernard July 15, 2014 at 9:06 PM

At the time, each client side call to the reflection helpers was creating the right privilege block. I think the intent later was to DRY and mutualise the code but that opened up that privilege hole.

Hardy Ferentschik July 15, 2014 at 8:57 PM

I do remember in the initial implementation pulling my hair to make sure generic privilege methods would remain package private.

Interesting, I don't seem to remember this. If all these methods were (package) private it would work as well, but reflection is needed at several places. Not sure how feasible such an approach is.

Fixed

Participants

Emmanuel Bernard
Gunnar Morling
Hardy Ferentschik

Created July 15, 2014 at 8:01 PM
Updated October 22, 2014 at 2:50 PM
Resolved July 25, 2014 at 9:25 AM