[ https://issues.apache.org/jira/browse/DERBY-2206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12466508 ]

Rick Hillegas commented on DERBY-2206:
--------------------------------------

As I read the SQL standard, it seems to me that jar ids are mandatory parts of 
the EXTERNAL NAME. Without a jar id, you should get a syntax error when 
declaring a procedure/function. This, at least, is how I read sections 9.8 and 
5.2 of part 13 of the SQL standard.

I agree that if you allow someone to install a jar file, then you are 
implicitly allowing them to call any method in the JRE, the extensions jars, 
and the CLASSPATH.

We could say that the only way to publish those methods is through wrappers in 
installed jar files. However, this seems a little awkward to me. In addition, I 
think it would raise upgrade issues for customers who have already published 
entry points in the JRE.

I'm working on a spec now.

> Provide complete security model for Java routines
> -------------------------------------------------
>
>                 Key: DERBY-2206
>                 URL: https://issues.apache.org/jira/browse/DERBY-2206
>             Project: Derby
>          Issue Type: New Feature
>          Components: Security, SQL
>            Reporter: Rick Hillegas
>             Fix For: 10.3.0.0
>
>
> Add GRANT/REVOKE mechanisms to control which jar files can be mined for 
> user-created objects such as Functions and Procedures. In the future this may 
> include Aggregates and Function Tables also. The issues are summarized on the 
> following wiki page: http://wiki.apache.org/db-derby/JavaRoutineSecurity. 
> Plugin management can be tracked by this JIRA rather than by DERBY-2109. This 
> is a master JIRA to which subtasks can be linked.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
