You are viewing a plain text version of this content. The canonical link for it is here.

Posted to derby-dev@db.apache.org by "Knut Anders Hatlen (JIRA)" <ji...@apache.org> on 2014/08/27 13:51:57 UTC

[jira] [Commented] (DERBY-6717) Policies with multiple SystemPermissions are not handled well

    [ https://issues.apache.org/jira/browse/DERBY-6717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14112168#comment-14112168 ] 

Knut Anders Hatlen commented on DERBY-6717:
-------------------------------------------

SystemPermission extends BasicPermission, which by default ignores the action string. In particular, SystemPermission does not override BasicPermission.newPermissionCollection(). BasicPermission's implementation of newPermissionCollection() only considers the name of the permission.

In our example, where the policy contains

permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
permission org.apache.derby.security.SystemPermission "engine", "monitor";

both permission objects have the same name ("engine"), so the collection instance returned by BasicPermission.newPermissionCollection() will consider them the same, and it will only hold keep one of them.

I believe SystemPermission should override newPermissionCollection(). It should either return a custom PermissionCollection instance with logic specific to SystemPermissions, or null if no custom logic is needed. Probably null would do for now. (Custom logic could for example be wildcard handling.)

> Policies with multiple SystemPermissions are not handled well
> -------------------------------------------------------------
>
>                 Key: DERBY-6717
>                 URL: https://issues.apache.org/jira/browse/DERBY-6717
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 10.11.1.1
>            Reporter: Knut Anders Hatlen
>
> Rick noted in DERBY-6648 that if you wanted to grant both SystemPermission("engine", "monitor") and SystemPermission("engine", "usederbyinternals") to a code base, the following would work:
> permission org.apache.derby.security.SystemPermission "engine", "monitor,usederbyinternals";
> However, the following does not work:
> permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
> permission org.apache.derby.security.SystemPermission "engine", "monitor";



--
This message was sent by Atlassian JIRA
(v6.2#6252)