David,
See comments below.
--- David Jencks <[EMAIL PROTECTED]> wrote:
> In RdbmsPolicy, if there are no principals,
> AllPermission is
> granted. IIUC this can only happen if security is
> misconfigured,
> since before login everything should be done with
> the "guest"
> subject. Isn't this a security hole, to allow full
> access if
> security is not set up properly?
>
>
> Here is the relevant code with debug statements
> removed:
>
> public boolean implies(ProtectionDomain
> protectionDomain,
> Permission permission)
> {
> Principal[] principals =
> protectionDomain.getPrincipals();
> PermissionCollection perms = new
> Permissions();
> boolean permImplied = false;
> if ((null != principals) &&
> (principals.length > 0))
> {
> // We need to authorize java
> permissions.
> // Without this check, we get a
> ClassCircularityError in
> Tomcat.
> if
> (permission.getClass().getName().startsWith("java"))
> {
> perms.add(new AllPermission());
> }
> else
> {
> perms =
> pms.getPermissions(Arrays.asList(principals));
> }
> }
> else
> {
> // No principal is returned from the
> subject.
> // For security check, be sure to use
> doAsPrivileged
> (theSubject, anAction, null)...
> // We grant access when no principal is
> associated to
> the subject.
> perms.add(new AllPermission());
> >>> DOESN"T THIS MEAN SECURITY IS NOT PROPERLY
> CONFIGURED AND WE
> SHOULD DENY ALL ACCESS?
Agree with you, this should be fixed. I am a little
blurry on why I did this here. I remember running
into infinite loop and startup issues with Tomcat
security enabled, I may have ended up doing this to
address this issue. As we replace the JDK policy ,
not all policy checks will necessarily have a Subject,
with Tomcat for instance, especially at startup, if
you deny all, you will get start up issues.
I look forward to your ideas on the matter.
> }
> if (null != perms)
> {
> permImplied =
> perms.implies(permission);
> }
> return permImplied;
> }
>
>
> Am I missing something?
>
> thanks
> david jencks
>
>
>
---------------------------------------------------------------------
> To unsubscribe, e-mail:
> [EMAIL PROTECTED]
> For additional commands, e-mail:
> [EMAIL PROTECTED]
>
>
________________________
David Le Strat
Blogging @ http://dlsthoughts.blogspot.com
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
