[jira] [Updated] (DERBY-6438) Explicitly grant SocketPermission "listen" in default server policy

Wed, 22 Jan 2014 05:46:15 -0800 

     [ 
https://issues.apache.org/jira/browse/DERBY-6438?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rick Hillegas updated DERBY-6438:
---------------------------------

    Attachment: 1010_server.policy

Attaching an updated version of the 1010_server.policy. I have confirmed that 
the old version flunks the server boot on JDK 7 and higher as reported on this 
derby-user thread: 
http://apache-database.10148.n7.nabble.com/Network-Server-Access-Permissions-and-Java-1-7-0-51-td136583.html.
 The old version was missing a permissions block which is needed for managing 
extra file access controls on JDK 7 and higher. With the new policy file, I am 
able to boot the server and create an in-memory database using Java 
1.8.0-ea-b121.

> Explicitly grant SocketPermission "listen" in default server policy
> -------------------------------------------------------------------
>
>                 Key: DERBY-6438
>                 URL: https://issues.apache.org/jira/browse/DERBY-6438
>             Project: Derby
>          Issue Type: Improvement
>          Components: Network Server
>    Affects Versions: 10.11.0.0
>            Reporter: Knut Anders Hatlen
>            Assignee: Knut Anders Hatlen
>             Fix For: 10.5.3.2, 10.6.2.4, 10.7.1.4, 10.8.3.3, 10.9.2.2, 
> 10.10.1.4, 10.11.0.0
>
>         Attachments: 1010_server.policy, 1010_server.policy, d6438-1a.diff, 
> releaseNote.html, releaseNote.html
>
>
> The network server needs SocketPermission "listen" on the port that it 
> listens to, but this permission is not granted by the basic server policy 
> that's installed by default. This doesn't cause any problems in most cases, 
> since the JVM's default policy grants all code bases SocketPermission 
> "listen" on a range of ports, and Derby's network server port is within that 
> range.
> Still, the network server should not rely on this fact. It is possible to run 
> the network server on any port, not only those ports that happen be in the 
> range that's given carte blanche by the platform's default policy. The 
> network server will however not be able to run on those ports with the basic 
> policy currently, only with a custom policy or with the security manager 
> disabled.
> The default policy should make this permission explicit.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Reply via email to