[
https://issues.apache.org/jira/browse/DERBY-4990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12988895#comment-12988895
]
Dag H. Wanvik commented on DERBY-4990:
--------------------------------------
Checking line subversion line annotation on the template file I see several
lines added, e.g.
748448 kristwaa // The next two properties are used to determine if the VM
is 32 or 64 bit.
748448 kristwaa permission java.util.PropertyPermission
"sun.arch.data.model", "read";
748448 kristwaa permission java.util.PropertyPermission "os.arch", "read";
corresponding to DERBY-3731. As for the server policies, I see there have been
updates also,
corresponding to DERBY-4441:
935700 kmarsden permission java.util.PropertyPermission
"java.runtime.version", "read";
935700 kmarsden permission java.util.PropertyPermission "java.fullversion",
"read";
935700 kmarsden permission java.io.FilePermission "java.runtime.version",
"read";
935700 kmarsden permission java.io.FilePermission "java.fullversion",
"read";
DERBY-4869:
1060422 rhillegas // The following permission must be granted for
Connection.abort(Executor) to work.
1060422 rhillegas // Note that this permission must also be granted to outer
(application) code domains.
1060422 rhillegas //
1060422 rhillegas permission java.sql.SQLPermission "callAbort";
and
DERBY-4715:
965647 kmarsden // getProtectionDomain is an optional permission needed for
printing classpath
965647 kmarsden // information to derby.log
965647 kmarsden permission java.lang.RuntimePermission
"getProtectionDomain";
or even back to DERBY-3657:
653387 johnemb // JMX: Uncomment this permission to allow the ping operation
of the
653387 johnemb // NetworkServerMBean to connect to the Network Server.
653387 johnemb //permission java.net.SocketPermission "*", "connect,resolve";
I am not sure how many of these are reflected in the docs..
> Documentation should state a custom security policy being required to use
> LDAP in conjunction with network driver
> -----------------------------------------------------------------------------------------------------------------
>
> Key: DERBY-4990
> URL: https://issues.apache.org/jira/browse/DERBY-4990
> Project: Derby
> Issue Type: Task
> Components: Documentation
> Reporter: Thomas Hill
> Assignee: Kim Haase
>
> The documentation is lacking a statement that defining and using a >custom<
> security manager template is required when wanting to use LDAP authorization
> provider in conjunction with the network driver client. driver. Otherwise,
> i.e. just using the default security policy will lead to socket permission
> errors. Details on which permission exactely needs to be granted to which
> code base would be very helpful.
> Chapter 'Running Derby under a security manager', section 'granting
> permissions to Derby' in the Developer's guide seems a good place to mention
> the permission java.net.SocketPermission as optional, but required to be set
> when wanting to use LDAP authorization in conjunction with the network client
> driver and defining the authorisation provider properties as system-level
> properties.
> Adding this to the documentation and preferrably also providing some more
> guidance seems desirable as migrating off the builtin user system to LDAP is
> strongly recommened and the documentation has explicit statements about
> security risks otherwise incurred.
> I also realized that the template included in the documentation at
> http://db.apache.org/derby/docs/10.7/adminguide/tadminnetservbasic.html and
> the default template included in 10.7.1.1 software are no longer in sync.
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
