[ https://issues.apache.org/jira/browse/JSPWIKI-129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Holeczek updated JSPWIKI-129:
-------------------------------------

    Affects Version/s: 2.6.2
                       2.6.3
                       2.6.4
                       2.8
                       2.8.1
                       2.8.2
                       2.8.3
                       2.8.4

updated affected versions

> JSPWiki cannot run under a security manager
> -------------------------------------------
>
>                 Key: JSPWIKI-129
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-129
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication&Authorization
>    Affects Versions: 2.4.104, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.8, 2.8.1, 2.8.2, 2.8.3, 2.8.4
>         Environment: All
>            Reporter: Andrew Jaquith
>            Assignee: Andrew Jaquith
>
> JSPWiki cannot be used when running a security manager. Containers that run 
> by default with a security manager include Oracle Application Server and 
> Tomcat when run with the '-server' option.
> In all cases, the root cause is the same: the security policy for the 
> container needs to include the Permissions needed to execute JSPWiki. 
> However, full enumeration of the Permissions needed is complicated 
> significantly by the fact that JSPWiki does not compartmentalize privileged 
> calls the way it should. For example, any code in JSPWiki that accesses files 
> should be enclosed by AccessController.doPrivileged() blocks.
> The result of our current approach (or rather, lack of privileged code 
> compartmentalization) means that an effective policy cannot be written.
> This bug is to remind ARJ that he needs to work on this. He is currently 
> writing some diagnostic tools that will make this process easier. However, 
> it's going to take a while...

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
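
The compartmentalization the issue description asks for, as an added example that is not JSPWiki code: a hypothetical PageStore class wraps only its file read in AccessController.doPrivileged(), so the policy needs a single FilePermission grant for the wiki's own code source rather than for every caller. The class name, paths and jar name are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/*
 * Hypothetical example, not JSPWiki code. Matching policy entry
 * (codeBase and directory are placeholders):
 *
 *   grant codeBase "file:/opt/wiki/WEB-INF/lib/wiki.jar" {
 *       permission java.io.FilePermission "/var/wiki/pages/-", "read";
 *   };
 *
 * The Security Manager and AccessController are deprecated for removal
 * since Java 17 (JEP 411); this compiles there with deprecation warnings.
 */
public final class PageStore {
    private final Path pageDir;

    public PageStore(Path pageDir) {
        this.pageDir = pageDir.toAbsolutePath().normalize();
    }

    /** Reads one page; callers (JSPs, plugins) need no FilePermission of their own. */
    public String readPage(String name) throws IOException {
        // Validate before elevating: doPrivileged ends the permission check at
        // this class, so caller input must not be able to steer the read.
        if (!name.matches("[A-Za-z0-9_.-]+") || name.startsWith(".")) {
            throw new IllegalArgumentException("illegal page name");
        }
        final Path file = pageDir.resolve(name + ".txt").normalize();
        if (!file.startsWith(pageDir)) {
            throw new IllegalArgumentException("page outside page directory");
        }
        try {
            // Keep the privileged block minimal: only the file read runs elevated.
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<String>) () ->
                    new String(Files.readAllBytes(file), StandardCharsets.UTF_8));
        } catch (PrivilegedActionException e) {
            // Files.readAllBytes is the only source of checked exceptions above.
            throw (IOException) e.getException();
        }
    }
}
```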

        
