On Dec 3, 2014, at 10:39 AM, Sean Mullan <[email protected]> wrote:
> On 12/03/2014 10:03 AM, Lance Andersen wrote:
>>>> Note, I also tweaked the doPrivileged block for the JDBC property
>>>
>>> It's nice to see use of limited doPrivileged. Limited doPrivileged
>>> restricts the permissions that can be accessed by the doPrivileged block. On the
>>> other hand, since it only calls System.getProperty, that won't leak any
>>> privileges to untrusted code. I think we would need some guideline what
>>> can benefit from limited doPrivileged. Anyway, I'm fine with your change.
>>
>> Trying to slowly add the limited doPrivileged when I do an update. We did
>> the same in RowSetProvider earlier for the same reason.
>
> Use of limited doPrivileged may also incur more overhead when a
> SecurityManager is installed, so I recommend checking the performance impact
> before switching code to use it. I agree with Mandy that we need a guide as
> to when it is best to use limited doPrivileged, and I will look into that. In
> this case, I also agree with Mandy that this doesn't provide much security
> benefit since the scope of the privileged operation is already extremely
> narrow.

Thank you Sean. As this code path is only called 1 time, I am not concerned that performance will be an issue. If you and Mandy prefer me to remove it, I can, just let me know.

Yes, I agree it is narrow. The suggestion to add the limited doPrivileged came up in a review of RowSetProvider, which is why I figured I would add it here also. Now that was quite some time ago, so I understand our position might have changed.

Best,
Lance

> --Sean

Lance Andersen | Principal Member of Technical Staff | +1.781.442.2037
Oracle Java Engineering
1 Network Drive
Burlington, MA 01803
[email protected]
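For readers following the thread, the two forms of doPrivileged being compared look like this. This is an added example, not code from the thread or from the JDK change under review; the class name and the property name `example.jdbc.property` are assumptions, since the thread does not name the JDBC property.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.PropertyPermission;

// Added illustration; class and property names are hypothetical.
// Note: AccessController is deprecated for removal since Java 17.
public class LimitedDoPrivilegedExample {
    // Assumed name: the thread does not say which JDBC property is read.
    static final String PROP = "example.jdbc.property";

    // Full doPrivileged: while run() executes, permission checks stop at
    // this frame, so every permission granted to this class's protection
    // domain is asserted, whatever the callers further up the stack hold.
    static String readFull() {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(PROP));
    }

    // Limited doPrivileged: only the listed permission is asserted.
    // A check for any other permission inside run() continues past this
    // frame and is evaluated against the callers as well. A null context
    // applies no additional restriction.
    static String readLimited() {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(PROP),
            null,
            new PropertyPermission(PROP, "read"));
    }

    public static void main(String[] args) {
        // Constructed value so the example runs stand-alone.
        System.setProperty(PROP, "constructed-value");
        // Without a SecurityManager both calls behave identically; the
        // difference only matters when permission checks are enforced.
        System.out.println(readFull());
        System.out.println(readLimited());
    }
}
```

Because the action body is a single System.getProperty call on a fixed name, both forms expose the same operation, which is the point made in the thread about the scope already being narrow.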
