[ https://issues.apache.org/jira/browse/DERBY-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12547151 ]
Rick Hillegas commented on DERBY-3083:
--------------------------------------
Hi Knut. I agree that if someone has subverted getProtectionDomain(), then the
fox is already in the hen house. I think this could be our sequence of
operations:
1) Determine the protection domains (e.g. jar files) which will receive
privileges.
2) Construct a DerbyPolicy from those protection domains.
3) Install the default SecurityManager with a dummy policy which lets us change
policies immediately afterwards.
4) Install the DerbyPolicy (Policy.setPolicy( derbyPolicy ) ).
If there is a window of vulnerability, then I sense that it would lie between
steps (3) and (4). However, I don't see a vulnerability right now.
> Network server demands a file called "derbynet.jar" in classpath
> ----------------------------------------------------------------
>
> Key: DERBY-3083
> URL: https://issues.apache.org/jira/browse/DERBY-3083
> Project: Derby
> Issue Type: Bug
> Components: Tools
> Affects Versions: 10.3.1.4
> Reporter: Aaron Digulla
> Attachments: derby-3083-01-requireDerbynet-aa.diff,
> derby-3083-01-requireDerbynet-ab.diff, derby-716-10-datatypesCollation-aa.diff
>
>
> The network server will not start if the derbynet jar is added under a
> different name than "derbynet.jar" to the classpath. This makes it impossible
> to use it in maven projects where the jar is renamed to
> "derbynet-10.3.1.4.jar".
> This did work with 10.2.2.0
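The four-step sequence from the comment above, as an added Java example (not Derby's code and not taken from the JIRA thread). DomainPolicy and InstallOrder are hypothetical names, and limiting the dummy policy to the single setPolicy permission is an assumption made here to show what is permitted between steps (3) and (4).

```java
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.SecurityPermission;
import java.util.Collections;
import java.util.Set;

// Needs a JDK where the SecurityManager is still usable: it is deprecated for
// removal since Java 17, JDK 18 to 23 need -Djava.security.manager=allow, and
// JDK 24 and later no longer allow installing one.
public class InstallOrder {
    // Hypothetical stand-in for the comment's "DerbyPolicy" (not Derby code).
    // Trust is decided by ProtectionDomain identity, never by a jar file name.
    static final class DomainPolicy extends Policy {
        private final Set<ProtectionDomain> trusted;
        private final Permission limit; // null: trusted domains get everything
        DomainPolicy(Set<ProtectionDomain> trusted, Permission limit) {
            this.trusted = trusted;
            this.limit = limit;
        }
        @Override
        public boolean implies(ProtectionDomain pd, Permission p) {
            if (!trusted.contains(pd)) return false;   // untrusted code gets nothing
            return limit == null || limit.implies(p);
        }
    }

    public static void main(String[] args) {
        // 1) Domains that receive privileges, taken from a loaded class.
        Set<ProtectionDomain> trusted =
                Collections.singleton(InstallOrder.class.getProtectionDomain());
        // 2) Build the final policy while no SecurityManager is installed.
        Policy finalPolicy = new DomainPolicy(trusted, null);
        // 3) Bootstrap ("dummy") policy grants setPolicy only, then the
        //    default SecurityManager is installed.
        Policy.setPolicy(new DomainPolicy(trusted, new SecurityPermission("setPolicy")));
        System.setSecurityManager(new SecurityManager());
        // Between (3) and (4) even trusted code may do nothing but setPolicy.
        boolean deniedInWindow = false;
        try {
            System.getProperty("user.home");
        } catch (SecurityException expected) {
            deniedInWindow = true;
        }
        // 4) Install the final policy; permitted by the bootstrap policy.
        Policy.setPolicy(finalPolicy);
        System.out.println("denied between steps 3 and 4: " + deniedInWindow);
        System.out.println("allowed after step 4: " + (System.getProperty("user.home") != null));
    }
}
```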