Posted to derby-dev@db.apache.org by "Myrna van Lunteren (JIRA)" <ji...@apache.org> on 2014/01/15 20:33:35 UTC

[jira] [Comment Edited] (DERBY-6438) Explicitly grant SocketPermission "listen" in default server policy

    [ https://issues.apache.org/jira/browse/DERBY-6438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13872475#comment-13872475 ] 

Myrna van Lunteren edited comment on DERBY-6438 at 1/15/14 7:33 PM:
--------------------------------------------------------------------

I would like to see a release note for this one. There is an (Oracle, and picked up by IBM) JVM security change that requests or suggests removal or limitation of the 'range of ports' on which JVMs by default grant the "listen" permission. I cannot find details about this JVM change, but as a result of it, users that have (unknowingly) relied on this in the past will now have to modify their policy files, or Network Server will no longer work.

I think a release note will be useful to draw attention to it.


was (Author: myrna):
I would like to see a release note for this one.

> Explicitly grant SocketPermission "listen" in default server policy
> -------------------------------------------------------------------
>
>                 Key: DERBY-6438
>                 URL: https://issues.apache.org/jira/browse/DERBY-6438
>             Project: Derby
>          Issue Type: Improvement
>          Components: Network Server
>    Affects Versions: 10.11.0.0
>            Reporter: Knut Anders Hatlen
>            Assignee: Knut Anders Hatlen
>             Fix For: 10.5.3.2, 10.6.2.4, 10.7.1.4, 10.8.3.3, 10.9.2.2, 10.10.1.4, 10.11.0.0
>
>         Attachments: d6438-1a.diff
>
>
> The network server needs SocketPermission "listen" on the port that it listens to, but this permission is not granted by the basic server policy that's installed by default. This doesn't cause any problems in most cases, since the JVM's default policy grants all code bases SocketPermission "listen" on a range of ports, and Derby's network server port is within that range.
> Still, the network server should not rely on this fact. It is possible to run the network server on any port, not only those ports that happen to be in the range that's given carte blanche by the platform's default policy. The network server will however not be able to run on those ports with the basic policy currently, only with a custom policy or with the security manager disabled.
> The default policy should make this permission explicit.
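
The dependency described in the issue can be checked with `SocketPermission.implies` semantics. The following is an added example, not part of the thread or of Derby's code: the class name, the platform range `localhost:1024-`, and the ports used are assumptions chosen for illustration.

```java
import java.net.SocketPermission;
import java.security.Permissions;

public class ListenPermissionCheck {
    // True if the modelled policy lets code listen on localhost:<port>.
    static boolean mayListen(Permissions policy, int port) {
        return policy.implies(new SocketPermission("localhost:" + port, "listen"));
    }

    // Builds a policy from the platform default grant (null when the JVM
    // grants no range) plus the "listen" grants in the server policy.
    static Permissions policy(String platformListen, String... serverListen) {
        Permissions p = new Permissions();
        if (platformListen != null) {
            p.add(new SocketPermission(platformListen, "listen"));
        }
        for (String target : serverListen) {
            p.add(new SocketPermission(target, "listen"));
        }
        return p;
    }

    public static void main(String[] args) {
        String range = "localhost:1024-"; // assumed platform default range
        int derbyPort = 1527;             // Derby's usual default port
        int lowPort = 527;                // constructed port outside the range

        // Server policy without an explicit grant: works only inside the range.
        Permissions implicit = policy(range);
        System.out.println("default range, 1527:  " + mayListen(implicit, derbyPort));
        System.out.println("default range, 527:   " + mayListen(implicit, lowPort));

        // JVM no longer grants the range: the same server policy now fails.
        Permissions narrowed = policy(null);
        System.out.println("no range, 1527:       " + mayListen(narrowed, derbyPort));

        // Explicit grant in the server policy: independent of the JVM default,
        // and limited to the one port the server actually uses.
        Permissions explicit = policy(null, "localhost:" + lowPort);
        System.out.println("explicit grant, 527:  " + mayListen(explicit, lowPort));
        System.out.println("explicit grant, 1527: " + mayListen(explicit, derbyPort));
    }
}
```

The last check shows that an explicit grant scoped to a single port does not extend to other ports, so a policy file written this way has to track the port the server is configured to use.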


