[ https://issues.apache.org/jira/browse/DERBY-6617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14060624#comment-14060624 ]
ASF subversion and git services commented on DERBY-6617:
--------------------------------------------------------

Commit 1610406 from [~rhillegas] in branch 'code/trunk'
[ https://svn.apache.org/r1610406 ]

DERBY-6617: Make MissingPermissionsTest look for different error text on Java 6; commit derby-6617-04-aa-platformSpecificErrorText.diff.

> Silently swallowed SecurityExceptions may disable Derby features, including security features.
> ----------------------------------------------------------------------------------------------
>
> Key: DERBY-6617
> URL: https://issues.apache.org/jira/browse/DERBY-6617
> Project: Derby
> Issue Type: Bug
> Components: Services
> Affects Versions: 10.11.0.0
> Reporter: Rick Hillegas
> Assignee: Dag H. Wanvik
> Attachments: derby-6617-04-aa-platformSpecificErrorText.diff,
> derby-6617-1.diff, derby-6617-2.diff, derby-6617-2.status, derby-6617-3.diff,
> derby-6617-3.status, derby-6617-junit.diff, fix-test.diff
>
>
> When the Monitor tries to read Derby properties, it silently swallows
> SecurityExceptions. This means that the properties will be silently ignored
> if Derby has not been granted sufficient privileges. This means that if you
> make a mistake crafting your security policy, then you may disable
> authentication and authorization. You may not realize this until you have
> incurred a security breach. This swallowing occurs at the following code
> locations:
> {noformat}
> org.apache.derby.impl.services.monitor.BaseMonitor readApplicationProperties Catch java.lang.SecurityException 1 line 1360
> org.apache.derby.impl.services.monitor.BaseMonitor runWithState Catch java.lang.SecurityException 0 line 280
> org.apache.derby.impl.services.monitor.FileMonitor PBgetJVMProperty Catch java.lang.SecurityException 1 line 183
> org.apache.derby.impl.services.monitor.FileMonitor PBinitialize Catch java.lang.SecurityException 1 line 120
> {noformat}
> SecurityExceptions are swallowed at other locations in the Monitor. The
> implications of these swallowings should be understood and, at a minimum,
> security problems should be fixed:
> {noformat}
> org.apache.derby.impl.services.monitor.FileMonitor PBinitialize Catch java.lang.SecurityException 1 line 157
> org.apache.derby.impl.services.monitor.FileMonitor createDaemonGroup Catch java.lang.SecurityException 1 line 89
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.2#6252)
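
The failure mode the issue describes, as an added example that is not Derby source and not part of the JIRA message: a property reader that swallows `SecurityException` next to one that fails closed. `PropertyDemo`, `readSwallowing`, `readStrict` and `authRequired` are hypothetical names, the denied read is simulated with a constructed lambda so the sketch runs without a security manager, and the fail-closed variant is one possible remedy, not the fix committed for DERBY-6617.

```java
import java.util.function.Function;

// Added illustration; not Derby code. All names here are hypothetical.
public class PropertyDemo {

    // Swallowing pattern: a denied read looks exactly like "property not set".
    static String readSwallowing(Function<String, String> source, String key) {
        try {
            return source.apply(key);
        } catch (SecurityException se) {
            return null; // caller silently falls back to its default
        }
    }

    // Fail-closed pattern: a denied read stops startup instead of changing configuration.
    static String readStrict(Function<String, String> source, String key) {
        try {
            return source.apply(key);
        } catch (SecurityException se) {
            throw new IllegalStateException(
                "cannot read " + key + "; refusing to start with defaults", se);
        }
    }

    // Boolean.parseBoolean(null) is false, so a swallowed read means "no authentication".
    static boolean authRequired(String value) {
        return Boolean.parseBoolean(value);
    }

    public static void main(String[] args) {
        String key = "derby.connection.requireAuthentication";

        // Constructed stand-in for a policy that omits the PropertyPermission for this key.
        Function<String, String> denied = k -> {
            throw new SecurityException(
                "access denied (\"java.util.PropertyPermission\" \"" + k + "\" \"read\")");
        };

        System.out.println("swallowing reader: authentication required = "
            + authRequired(readSwallowing(denied, key)));

        try {
            readStrict(denied, key);
        } catch (IllegalStateException e) {
            System.out.println("strict reader: " + e.getMessage());
        }
    }
}
```

With the swallowing reader the operator's intended setting is replaced by the default and nothing is logged; the strict reader turns the same policy mistake into a visible startup failure.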