-
-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider adding PrivilegedAction (java security manager) check for com.fasterxml.classmate.ResolvedType._getMethods #19
Comments
I am not against code to help make ClassMate more usable on sandbox environments. I haven't had similar problems myself, so I have no current plans to work on this, but I would be interested in helping if you you or someone else wanted to submit a patch. |
Cool @cowtowncoder, it would make more sense to fix this on classmate. Maybe one of us will be able to help out. |
@hferentschik Yes, that would be great. Apologies for slow response as well; I just came back from 2 week vacation, and am trying to go over accumulated correspondence. :) |
no worries :-) |
If we were to use PrivilegedAction's around code that accesses resources that need permissions, that would allow (potentially naughty) external code to invoke the privileged code (assuming its accessible directly/indirectly). Instead, for code that is accessible (outside of ClassMate), no PrivilegedAction action should be used. For code that is only internally accessible, we could safely use PrivilegedAction (for the specific permissions needed). I'm thinking that this issue can be closed and the callers into ClassMate, can arrange for the needed permissions to be allowed. This is not perfect, as the permissions needed, could change in the future, as the ClassMate code changes. The alternative, would be to ensure that all ClassMate code that needs privileges for certain permissions, is not accessible outside of ClassMate. What do others think? |
@scottmarlow I concur with concerns on automatic wrapping of |
a Java security manager (when using a Java security manager) exception that I am seeing is shown at https://gist.github.com/scottmarlow/30a83514b4d0e0fde901
Could we wrap PrivilegedAction (http://docs.oracle.com/javase/7/docs/api/java/security/PrivilegedAction.html) around code that accesses resources that need permissions? I think that would help. Example is shown at http://docs.oracle.com/javase/tutorial/ext/security/policy.html
Is this something that you are already planning or would like help with?
The text was updated successfully, but these errors were encountered: