[
https://issues.apache.org/jira/browse/OWB-1027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14208851#comment-14208851
]
Matt Benson commented on OWB-1027:
----------------------------------
{quote}
Debug part is a blocker for me. Why doesnt it work? Or if it just adds 1 or 2
calls on the same line it is acceptable I guess.
{quote}
Privilizer is implemented in two ways:
1. Annotate methods with {{@Privileged}} - The weaver creates all the bytecode
to wrap such a method in a {{Privileged[Exception]Action}} and perform the
necessary {{AccessController}} calls. So there are a number of things going on
in the bytecode that aren't represented at all in the source. It might be
possible to add the appropriate debug info to the woven bytecode so that the
"meat" of the privileged method would still be tracked.
2. Annotate a class with {{@Privilizing({@CallTo(Foo.class), ...})}} this is
the so-called "blueprint" functionality requested by Mark allowing you to
define code that requires privileges while leaving the actual privileged
execution to the caller. The privilizer weaver copies the bytecode of called
{{static}} methods designated by the {{@Privilizing}} annotation and then
privilizes these as above. In order to debug these one would have to suck in
the source from those original classes, etc., etc. I can't even think how to
organize this cleanly off the top of my head.
{quote}
Not sure if we can find a way to have a kind of flag totally inhibiting it by
default without having the drawbacks you spoke about. Wdyt?
{quote}
I can't really see where you're going with this.
{quote}
Side note: public API can be protected with a Permission so it can be public
and not exposed
{quote}
Do you mean with some of that weird "inspecting the stack" kind of logic, or
something else? IMO this can possibly be circumvented.
> Use Apache Commons Weaver's privilizer module for privileged action code in
> OWB
> -------------------------------------------------------------------------------
>
> Key: OWB-1027
> URL: https://issues.apache.org/jira/browse/OWB-1027
> Project: OpenWebBeans
> Issue Type: Task
> Affects Versions: 1.5.0
> Reporter: Matt Benson
>
> See
> [http://commons.apache.org/proper/commons-weaver/commons-weaver-modules-parent/commons-weaver-privilizer-parent/index.html];
> this code was intended for helping Apache JEE components use the
> {{SecurityManager}} in such a fashion as to make the invocation of privileged
> actions as transparent as possible.
> A concern is that to make full use of the privilizer module's potential,
> OWB's {{SecurityService}} notion would IMO best be removed entirely to
> minimize the surface area of publicly accessible code that makes privileged
> calls. Since this interface and its implementations, as well as the
> {{deprecated SecurityUtil}} class, are {{public}}, this constitutes a break
> in API compatibility and forces the community to think about if, when, and
> how to upgrade OWB to v2.x .
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
