With this approach I think it's just too easy to miss using
a UnifiedClassLoader and assigning permissions correctly.
It also has to work with class loaders that delegate to some
parent UnifiedClassLoader as is the case for web containers.
We can try this approach since it's a simple change, but we
need a collection of unit tests that run with a security manager
to validate this will work.

As for the current unit test failures, there are areas where
privileged blocks need to be added.

For the change I am suggesting if this does not work, the
deploy directory would use the original paths to form a unique
and fixed namespace on which permissions can be assigned.
The permission you listed would be:

grant codeBase "file:/${jboss.home}/tmp/deploy/${jboss.home}/bin/*" {
   permission java.security.AllPermission;
};
grant codeBase "file:/${jboss.home}/tmp/deploy/${jboss.home}/lib/*" {
   permission java.security.AllPermission;
};
grant codeBase "file:/${jboss.home}/tmp/deploy/${jboss.home}/lib/ext/*" {
   permission java.security.AllPermission;
};
grant codeBase "file:/${jboss.home}/tmp/deploy/${jboss.home}/deploy/lib/*" {
   permission java.security.AllPermission;
};

----- Original Message -----
From: "Adrian Brock" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 22, 2002 10:06 PM
Subject: Re: [JBoss-dev] Fixing the non-deterministic tmp/deploy file names


> Hi Scott,
>
> I've got a patch that stores the original deployment
> url in the UnifiedClassLoader.
> If it's a subpackage it stores the topmost parent
> from DeploymentInfo.
>
> Then in UnifiedClassLoader it does
>
> protected PermissionCollection getPermissions(CodeSource cs)
> {
>   // Look up permissions under the original deployment URL, not the tmp copy
>   CodeSource origCS = new CodeSource(origURL, cs.getCertificates());
>   return super.getPermissions(origCS);
> }
>
> I'm not sure about the performance impact of this code,
> especially on Java 1.4.
>
> I don't know whether the certificates part works?
>
> I haven't tested it with current CVS.
> It didn't work with the Jetty MBeans. They didn't get
> a UnifiedClassLoader, but that is easy to fix.
>
> One annoying feature of the new single deploy/
> directory will be you can't do
>
> grant codeBase "file:/${jboss.home}/bin/*" {
>    permission java.security.AllPermission;
> };
> grant codeBase "file:/${jboss.home}/lib/*" {
>    permission java.security.AllPermission;
> };
> grant codeBase "file:/${jboss.home}/lib/ext/*" {
>    permission java.security.AllPermission;
> };
> grant codeBase "file:/${jboss.home}/deploy/lib/*" {
>    permission java.security.AllPermission;
> };
> grant {
>    permission java.util.PropertyPermission "*", "read";
>    permission java.lang.RuntimePermission "queuePrintJob";
>    permission java.net.SocketPermission "*", "connect";
> };
>
> To get the spec's recommendation.
> You have to list every sar in deploy/
>
> Regards,
> Adrian
>
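
The remapping discussed in this thread, as an added example that is not part of the original messages or JBoss's own code: a hypothetical `OrigUrlLoader` reads classes from a temporary copy but builds the `CodeSource` for permission lookup from the original deployment URL, and `CodeSource.implies` shows which location a `codeBase` pattern covers. The `/opt/jboss` paths and the tmp file name are constructed sample values.

```java
import java.net.URI;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.cert.Certificate;

// Hypothetical loader (not JBoss's UnifiedClassLoader): classes are read from a
// temporary copy, but permissions are looked up under the original deployment URL.
public class OrigUrlLoader extends URLClassLoader {
    private final URL origURL;

    public OrigUrlLoader(URL tmpCopy, URL origURL, ClassLoader parent) {
        super(new URL[] { tmpCopy }, parent);
        this.origURL = origURL;
    }

    // Same remapping as the snippet in the thread, kept separate so it can be checked.
    CodeSource remap(CodeSource cs) {
        return new CodeSource(origURL, cs.getCertificates());
    }

    @Override
    protected PermissionCollection getPermissions(CodeSource cs) {
        return super.getPermissions(remap(cs));
    }

    // True when a policy entry "grant codeBase <codeBase>" would cover cs.
    static boolean covered(String codeBase, CodeSource cs) throws Exception {
        CodeSource grant = new CodeSource(URI.create(codeBase).toURL(), (Certificate[]) null);
        return grant.implies(cs);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample paths; the tmp file name stands in for a generated one.
        URL tmp = URI.create("file:/opt/jboss/tmp/deploy/tmp48213foo.jar").toURL();
        URL orig = URI.create("file:/opt/jboss/lib/foo.jar").toURL();
        CodeSource tmpCS = new CodeSource(tmp, (Certificate[]) null);
        try (OrigUrlLoader loader = new OrigUrlLoader(tmp, orig, null)) {
            String grant = "file:/opt/jboss/lib/*";
            System.out.println("tmp copy covered:  " + covered(grant, tmpCS));
            System.out.println("remapped covered:  " + covered(grant, loader.remap(tmpCS)));
        }
    }
}
```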
