Bump. Anybody have any thoughts on these? I'm inclined to rip out the custom permissions here. I don't think they're actually adding any security, and we're not documenting them in any overall security model. As is, they look like remnants of an early, incomplete attempt to apply the Java security system to our code, but they don't look like they are offering anything in the current implementation to actually improve the security.
On Thu, Aug 11, 2016 at 9:46 PM Christopher <[email protected]> wrote:

> I found 7 references in our code (master branch, probably same in others)
> to the java SecurityManager.checkPermissions, each with custom permissions
> we've created (3 in core, 1 in fate, 3 in server-base).
>
> There is no documentation for these, and I don't really know what these
> are actually trying to protect against.
>
> Do these custom permissions have any actual purpose? What value are these
> adding?
>
> Do we have an overall security model which we can check these
> implementations against? Or to identify where we are missing checks which
> should be there? Do we really need to create custom permissions, vs. some
> standardized ones?
