[ https://issues.apache.org/jira/browse/DERBY-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12547151 ]
Rick Hillegas commented on DERBY-3083:
--------------------------------------

Hi Knut. I agree that if someone has subverted getProtectionDomain(), then the fox is already in the hen house. I think this could be our sequence of operations:

1) Determine the protection domains (e.g. jar files) which will receive privileges.

2) Construct a DerbyPolicy from those protection domains.

3) Install the default SecurityManager with a dummy policy which lets us change policies immediately afterwards.

4) Install the DerbyPolicy (Policy.setPolicy( derbyPolicy ) )

If there is a window of vulnerability, then I sense that it would lie between steps (3) and (4). However, I don't see a vulnerability right now.

> Network server demands a file called "derbynet.jar" in classpath
> ----------------------------------------------------------------
>
> Key: DERBY-3083
> URL: https://issues.apache.org/jira/browse/DERBY-3083
> Project: Derby
> Issue Type: Bug
> Components: Tools
> Affects Versions: 10.3.1.4
> Reporter: Aaron Digulla
> Attachments: derby-3083-01-requireDerbynet-aa.diff, derby-3083-01-requireDerbynet-ab.diff, derby-716-10-datatypesCollation-aa.diff
>
>
> The network server will not start if the derbynet jar is added under a different name than "derbynet.jar" to the classpath. This makes it impossible to use it in maven projects where the jar is renamed to "derbynet-10.3.1.4.jar".
> This did work with 10.2.2.0
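The four-step sequence proposed in the comment, sketched in Java as an added example; it is not Derby's code or part of the attached patches. `PolicyBootstrap` and `DomainPolicy` are hypothetical names, the dummy policy granting only `setPolicy` is an assumption about what "dummy" means, and the sketch assumes a JVM that still supports the SecurityManager (Java 17 or earlier).

```java
import java.security.AllPermission;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.SecurityPermission;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class PolicyBootstrap {

    /** Hypothetical stand-in for the DerbyPolicy named in the comment. */
    static final class DomainPolicy extends Policy {
        private final Set<ProtectionDomain> trusted;
        private final Permission granted;

        DomainPolicy(Set<ProtectionDomain> trusted, Permission granted) {
            this.trusted = Collections.unmodifiableSet(new HashSet<ProtectionDomain>(trusted));
            this.granted = granted;
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission requested) {
            // Privileges follow the domain object itself, not the jar's file name.
            return trusted.contains(domain) && granted.implies(requested);
        }
    }

    public static void main(String[] args) {
        // (1) Protection domains that will receive privileges: here, only this class's own.
        Set<ProtectionDomain> domains =
                Collections.singleton(PolicyBootstrap.class.getProtectionDomain());

        // (2) Build the real policy from those domains.
        Policy realPolicy = new DomainPolicy(domains, new AllPermission());

        // (3) Dummy policy (assumed to grant only "setPolicy"), then the default SecurityManager.
        Policy.setPolicy(new DomainPolicy(domains, new SecurityPermission("setPolicy")));
        System.setSecurityManager(new SecurityManager());

        // (4) Swap in the real policy; this call is itself checked against the dummy policy.
        Policy.setPolicy(realPolicy);

        System.out.println("policy installed: " + (Policy.getPolicy() == realPolicy));
    }
}
```

Between steps (3) and (4) the only permission in force for application code is `setPolicy`, and only for the listed domains, which keeps the window the comment mentions as narrow as the dummy policy is.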