You are viewing a plain text version of this content. The canonical link for it is here.

Posted to derby-dev@db.apache.org by "Knut Anders Hatlen (JIRA)" <ji...@apache.org> on 2014/08/28 14:32:08 UTC

[jira] [Updated] (DERBY-6717) Policies with multiple SystemPermissions are not handled well

     [ https://issues.apache.org/jira/browse/DERBY-6717?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Knut Anders Hatlen updated DERBY-6717:
--------------------------------------

    Attachment: d6717-1a.diff

It turns out returning null from newPermissionCollection() isn't a complete solution. It does seem to fix the problem seen in DERBY-6648, but in some other cases it works in a suboptimal way.

For example:

{code}
Permissions perms = new Permissions();
perms.add(new SystemPermission("engine", "monitor"));
perms.add(new SystemPermission("engine", "shutdown"));
{code}

Given this collection, one would expect {{perms.implies(new SystemPermission("engine", "monitor,shutdown"))}} to return {{true}}. However, it returns {{false}} because none of the individual permissions implies SystemPermission("engine", "monitor,shutdown"). A custom PermissionCollection class seems to be needed to handle this case correctly.

The attached patch [^d6717-1a.diff] adds a custom PermissionCollection implementation, and returns an instance of it from SystemPermission.newPermissionCollection(). It also adds unit tests to verify that it works correctly, including negative test cases that verify that collections read from a corrupted serialization stream cannot end up with illegal permissions.

I'm running the full regression test suite on the patch.

> Policies with multiple SystemPermissions are not handled well
> -------------------------------------------------------------
>
>                 Key: DERBY-6717
>                 URL: https://issues.apache.org/jira/browse/DERBY-6717
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 10.11.1.1
>            Reporter: Knut Anders Hatlen
>            Assignee: Knut Anders Hatlen
>         Attachments: d6717-1a.diff
>
>
> Rick noted in DERBY-6648 that if you wanted to grant both SystemPermission("engine", "monitor") and SystemPermission("engine", "usederbyinternals") to a code base, the following would work:
> permission org.apache.derby.security.SystemPermission "engine", "monitor,usederbyinternals";
> However, the following does not work:
> permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
> permission org.apache.derby.security.SystemPermission "engine", "monitor";



--
This message was sent by Atlassian JIRA
(v6.2#6252)