You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@poi.apache.org by bu...@apache.org on 2004/08/25 00:38:25 UTC

DO NOT REPLY [Bug 30836] New: - security restrictions at WorkBook creation (with patch submission)

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=30836>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=30836

security restrictions at WorkBook creation (with patch submission)

           Summary: security restrictions at WorkBook creation (with patch
                    submission)
           Product: POI
           Version: 2.5
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: HSSF
        AssignedTo: poi-dev@jakarta.apache.org
        ReportedBy: evernat@tele2.fr
                CC: acoliver@apache.org


The problem was documented here
www.mail-archive.com/poi-user@jakarta.apache.org/msg01251.html and "Andy"
requested for a patch.

My own context (by the way quite common) for the pb is :
- An applet (or a JavaWebStart client application) should by signed with a
certificate and jarsigner to read system property (the JVM "sandbox"). iText,
Swing Look And Feels and all external libraries are not signed and need not
hopefully to be signed (except poi).

- My app is a JavaWebStart app (but the pb will certainly be the same with an
applet). My app's jar is signed. The poi's jar (2.5) is not signed (and it is
referenced in a JWS extension jnlp). The pb can be reproduced in JRE 1.4.2_01
and in JRE 1.5.0 beta.

- The exception is (JVM security restriction) :
java.security.AccessControlException: access denied
(java.util.PropertyPermission user.name read)
	at java.security.AccessControlContext.checkPermission(Unknown Source)
	at java.security.AccessController.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
	at java.lang.System.getProperty(Unknown Source)
	at org.apache.poi.hssf.model.Workbook.createWriteAccess(Workbook.java:807)
	at org.apache.poi.hssf.model.Workbook.createWorkbook(Workbook.java:232)
	at org.apache.poi.hssf.usermodel.HSSFWorkbook.<init>(HSSFWorkbook.java:126)


In the initial message above, Andrew requested for a patch, here it is :

WorkBook
protected Record createWriteAccess() {
        WriteAccessRecord retval = new WriteAccessRecord();

        try {
                retval.setUsername(System.getProperty("user.name"));
        } catch (java.security.AccessControlException e) {
                // AccessControlException can occur in a restricted context
                // (client applet/jws application or restricted security server)
                retval.setUsername("POI");
        }
        return retval;
    }

Don't hesitate to mail me if needed.

---------------------------------------------------------------------
To unsubscribe, e-mail: poi-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: poi-dev-help@jakarta.apache.org