Posted to dev@commons.apache.org by bu...@apache.org on 2004/08/21 22:25:40 UTC

DO NOT REPLY [Bug 25186] - Security problem, BasicDataSource class

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=25186>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=25186

Security problem, BasicDataSource class

yoavs@computer.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX



------- Additional Comments From yoavs@computer.org  2004-08-21 20:25 -------
So you're trying to protect the case where the Tomcat admin doesn't trust the 
Tomcat developers but allows them to write and deploy software on his server?

The Tomcat developer would have to explicitly cast the JNDI DataSource to the 
DBCP impl type, BasicDataSource in this case.  Then the developer would be 
able to use any public methods in the impl class.  If getPassword were 
protected or private, the developer could always subclass BasicDataSource with 
his own class that just makes the method private.

So I don't think this is a scenario that's of concern.  Especially since other 
pool implementations like proxool and c3po do the same thing, and I haven't 
heard any concerns or complaints about it.
