Consider adding PrivilegedAction (java security manager) check for com.fasterxml.classmate.ResolvedType._getMethods #19
Comments
I am not against code to help make ClassMate more usable on sandbox environments. I haven't had similar problems myself, so I have no current plans to work on this, but I would be interested in helping if you or someone else wanted to submit a patch.
Cool @cowtowncoder, it would make more sense to fix this on classmate. Maybe one of us will be able to help out.
@hferentschik Yes, that would be great. Apologies for slow response as well; I just came back from 2 week vacation, and am trying to go over accumulated correspondence. :)
no worries :-)
If we were to use PrivilegedActions around code that accesses resources that need permissions, that would allow (potentially naughty) external code to invoke the privileged code (assuming it's accessible directly/indirectly). Instead, for code that is accessible (outside of ClassMate), no PrivilegedAction should be used. For code that is only internally accessible, we could safely use PrivilegedAction (for the specific permissions needed). I'm thinking that this issue can be closed and the callers into ClassMate can arrange for the needed permissions to be allowed. This is not perfect, as the permissions needed could change in the future, as the ClassMate code changes. The alternative would be to ensure that all ClassMate code that needs privileges for certain permissions is not accessible outside of ClassMate. What do others think?
@scottmarlow I concur with concerns on automatic wrapping of
A Java security manager (when using a Java security manager) exception that I am seeing is shown at https://gist.github.com/scottmarlow/30a83514b4d0e0fde901
Could we wrap PrivilegedAction (http://docs.oracle.com/javase/7/docs/api/java/security/PrivilegedAction.html) around code that accesses resources that need permissions? I think that would help. Example is shown at http://docs.oracle.com/javase/tutorial/ext/security/policy.html
Is this something that you are already planning or would like help with?
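The trade-off raised in this thread (a `PrivilegedAction` wrapper that outside code can reach lends the library's permissions to every caller), shown as an added example that is not ClassMate code and not from any participant. The class and method names are hypothetical, and it assumes the denied permission is `RuntimePermission("accessDeclaredMembers")`, which the page does not state.

```java
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical helper, not ClassMate code. AccessController and
// SecurityManager are deprecated for removal since Java 17.
public final class DeclaredMethodNames {
    private DeclaredMethodNames() {}

    // Shape to avoid: a public method that runs any caller-supplied action
    // with the library's permissions, so every caller borrows them.
    public static <T> T runWithLibraryPermissions(PrivilegedAction<T> action) {
        return AccessController.doPrivileged(action);
    }

    // Narrow shape: private, one fixed operation, input is only the Class.
    // Assumption: the denied permission is
    // RuntimePermission("accessDeclaredMembers").
    private static Method[] declaredMethods(final Class<?> type) {
        if (System.getSecurityManager() == null) {
            return type.getDeclaredMethods();
        }
        return AccessController.doPrivileged(new PrivilegedAction<Method[]>() {
            @Override
            public Method[] run() {
                return type.getDeclaredMethods();
            }
        });
    }

    // Public entry point hands back names only, never Method objects.
    // Callers still learn which members exist: that is the residual exposure.
    public static String[] names(Class<?> type) {
        Method[] methods = declaredMethods(type);
        String[] out = new String[methods.length];
        for (int i = 0; i < methods.length; i++) {
            out[i] = methods[i].getName();
        }
        return out;
    }

    public static void main(String[] args) {
        for (String name : names(StringBuilder.class)) {
            System.out.println(name);
        }
    }
}
```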