[ https://issues.apache.org/jira/browse/OWB-1027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14208782#comment-14208782 ]
Matt Benson commented on OWB-1027: ---------------------------------- The point is not how useful the {{SecurityManager}} is or is not but rather that when we provide implementations of Java EE specifications we have to assume that some users may want to use the {{SecurityManager}} even if we think it is completely broken and useless. If we provide {{public}} objects with {{public}} methods that do privileged things, those are openings whereby third party code can do things that the deployment policy didn't intend for that code to be able to do, using OWB's privileges. This is the problem privilizer addresses; there is no point in using it in the context of a centralized {{SecurityService}} implementation because the vulnerability remains. To your other requirements: * weaver/privilizer adds no runtime dependencies * debugging is currently not possible on privilized code; in theory it might be possible to _partially_ support debugging in the future. > Use Apache Commons Weaver's privilizer module for privileged action code in > OWB > ------------------------------------------------------------------------------- > > Key: OWB-1027 > URL: https://issues.apache.org/jira/browse/OWB-1027 > Project: OpenWebBeans > Issue Type: Task > Affects Versions: 1.5.0 > Reporter: Matt Benson > > See > [http://commons.apache.org/proper/commons-weaver/commons-weaver-modules-parent/commons-weaver-privilizer-parent/index.html]; > this code was intended for helping Apache JEE components use the > {{SecurityManager}} in such a fashion as to make the invocation of privileged > actions as transparent as possible. > A concern is that to make full use of the privilizer module's potential, > OWB's {{SecurityService}} notion would IMO best be removed entirely to > minimize the surface area of publicly accessible code that makes privileged > calls. Since this interface and its implementations, as well as the > {{deprecated SecurityUtil}} class, are {{public}}, this constitutes a break > in API compatibility and forces the community to think about if, when, and > how to upgrade OWB to v2.x . -- This message was sent by Atlassian JIRA (v6.3.4#6332)