You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@commons.apache.org by sk...@apache.org on 2006/07/20 23:52:53 UTC

svn commit: r424078 - /jakarta/commons/proper/logging/trunk/src/test/org/apache/commons/logging/security/SecurityTestCaseAllowed.java

Author: skitching
Date: Thu Jul 20 14:52:52 2006
New Revision: 424078

URL: http://svn.apache.org/viewvc?rev=424078&view=rev
Log:
Only count security exceptions before a message is actually logged, as j.u.logging
does (and should) generate security exceptions.

Modified:
    jakarta/commons/proper/logging/trunk/src/test/org/apache/commons/logging/security/SecurityTestCaseAllowed.java

Modified: jakarta/commons/proper/logging/trunk/src/test/org/apache/commons/logging/security/SecurityTestCaseAllowed.java
URL: http://svn.apache.org/viewvc/jakarta/commons/proper/logging/trunk/src/test/org/apache/commons/logging/security/SecurityTestCaseAllowed.java?rev=424078&r1=424077&r2=424078&view=diff
==============================================================================
--- jakarta/commons/proper/logging/trunk/src/test/org/apache/commons/logging/security/SecurityTestCaseAllowed.java (original)
+++ jakarta/commons/proper/logging/trunk/src/test/org/apache/commons/logging/security/SecurityTestCaseAllowed.java Thu Jul 20 14:52:52 2006
@@ -93,6 +93,19 @@
                     "org.apache.commons.logging.LogFactory");
             Method m = c.getMethod("getLog", new Class[] {Class.class});
             Log log = (Log) m.invoke(null, new Object[] {this.getClass()});
+
+            // Check whether we had any security exceptions so far (which were
+            // caught by the code). We should not, as every secure operation
+            // should be wrapped in an AccessController. Any security exceptions
+            // indicate a path that is missing an appropriate AccessController.
+            //
+            // We don't wait until after the log.info call to get this count
+            // because java.util.logging tries to load a resource bundle, which
+            // requires permission accessClassInPackage. JCL explicitly does not
+            // wrap calls to log methods in AccessControllers because writes to
+            // a log file *should* only be permitted if the original caller is
+            // trusted to access that file. 
+            int untrustedCodeCount = mySecurityManager.getUntrustedCodeCount();
             log.info("testing");
             
             // check that the default map implementation was loaded, as JCL was
@@ -104,7 +117,7 @@
             assertNotNull(factoryTable);
             assertEquals(CustomHashtable.class.getName(), factoryTable.getClass().getName());
             
-            assertEquals(0, mySecurityManager.getUntrustedCodeCount());
+            assertEquals(0, untrustedCodeCount);
         } catch(Throwable t) {
             // Restore original security manager so output can be generated; the
             // PrintWriter constructor tries to read the line.separator



---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org