Posted to dev@openjpa.apache.org by "Albert Lee (JIRA)" <ji...@apache.org> on 2007/06/03 17:43:15 UTC

[jira] Updated: (OPENJPA-244) Java 2 Security enablement

     [ https://issues.apache.org/jira/browse/OPENJPA-244?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Albert Lee updated OPENJPA-244:
-------------------------------

    Attachment: J2DoPrivHelper.java

After looking into this Java 2 security issue, here is a proposal to correct the problem in openjpa.

The goals of the enhancements are:

1) non-intrusive changes.
2) easy readability and future usages
3) sensitive to downstream security exposure
4) maintenance of the additional code.

Approach to the solution:
1) Create a static helper class J2DoPrivHelper.java in openjpa-lib\src\main\java\org\apache\openjpa\lib\util. See attachment for the content. The purpose of this class is to isolate Java 2 security related code in one place for control and maintenance.
2) Each JDK function that requires doPrivileged encasement is associated with a static method in the helper class. The name of the method is closely related to the JDK function. If it is an instance method, the first argument is the instance object. So far I have identified 24 JDK helper methods.
3) Where there is a usage of a security sensitive method call, it can be translated to one of the helper methods.
    E.g.
    a) From
            return _url.openStream();
       To
            return J2DoPrivHelper.openStream(_url);
    b) From
            ClassLoader loader = cls.getClassLoader();
       To
            ClassLoader loader = J2DoPrivHelper.getClassLoader(cls);
    c) From
            loader = ClassLoader.getSystemClassLoader();
       To
            loader = J2DoPrivHelper.getSystemClassLoader();
4) These method call translations will be made at the closest place where the doPriv is needed. This will eliminate the possible security "leak" in the downstream code. E.g. callback to unsecured code inside the doPriv encasement.
5) There are approximately 71 files affected, excluding test cases that use the same security sensitive methods.
6) Document the permissions required by Java 2 security used in openjpa.
    E.g.
      permission java.lang.RuntimePermission  "getClassLoader";
      permission java.io.FilePermission       "<<ALL FILES>>",        "read"; 

I have a prototype of these changes and it is working in the WebSphere environment.

I am open to suggestions and ideas. I will continue to work on this path unless I hear an objection.

Thanks.
Albert Lee

> Java 2 Security enablement
> --------------------------
>
>                 Key: OPENJPA-244
>                 URL: https://issues.apache.org/jira/browse/OPENJPA-244
>             Project: OpenJPA
>          Issue Type: Bug
>    Affects Versions: 0.9.8
>            Reporter: Kevin Sutter
>         Attachments: J2DoPrivHelper.java
>
>
> Via some testing with the WebSphere Application Server, it's been discovered that we're missing some doPriv blocks throughout the OpenJPA code base.  This JIRA report will be used to resolve these issues.  More specific examples will be posted later.
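
A sketch of the helper pattern the proposal above describes, added here as an illustration; it is not the attached J2DoPrivHelper.java or any OpenJPA code. The class name DoPrivSketch is hypothetical, the three method names follow the call sites quoted in the message, and it assumes a JDK on which java.security.AccessController is available (it is deprecated for removal since Java 17).

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical sketch: one static wrapper per security-sensitive JDK call.
// Each privileged block contains exactly one JDK call and no callback into
// caller-supplied code, which is the "leak" item 4 of the proposal avoids.
public final class DoPrivSketch {
    private DoPrivSketch() {}

    // Instance method: the instance is the first argument.
    // Requires RuntimePermission "getClassLoader" for this class's code source.
    public static ClassLoader getClassLoader(final Class<?> cls) {
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return cls.getClassLoader();
            }
        });
    }

    // Static JDK method: no instance argument.
    public static ClassLoader getSystemClassLoader() {
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return ClassLoader.getSystemClassLoader();
            }
        });
    }

    // Checked exceptions need PrivilegedExceptionAction; the original
    // IOException is unwrapped so call sites keep their throws clause.
    public static InputStream openStream(final URL url) throws IOException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<InputStream>() {
                public InputStream run() throws IOException {
                    return url.openStream();
                }
            });
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();
        }
    }

    public static void main(String[] args) {
        System.out.println(getClassLoader(DoPrivSketch.class));
        System.out.println(getSystemClassLoader());
    }
}
```

Because doPrivileged stops the permission check at the helper's own protection domain, any code able to call these public methods performs that one operation with the library's permissions. The policy grant for the library's code source should therefore stay as narrow as the documented permission list.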
