Re: SecurityException when using Apache Derby with Equinox Servletbridge [message #1220520 is a reply to message #1220427]
Thu, 12 December 2013 10:28
Ken Lee

We are using Luna M3 that is shipped with the servletbridge version org.eclipse.equinox.servletbridge_1.3.0.v20130927-1541.
We've also tried using some older servletbridges like org.eclipse.equinox.servletbridge_1.2.300.v20130508-1243 (Kepler SR1) or org.eclipse.equinox.servletbridge_1.3.0.v20130718-2032 (Luna M2); unfortunately, we experienced the same problem.
I don't think that the "." suffix mentioned in bug 393407 is responsible for the security problem. I suppose that the method checkForSealedPackage() does not check the same as described in the documentation for the sealed header / attribute [1].
The first check is
    if (pkg.isSealed() && !pkg.isSealed(jarFileURL))
        throw new SecurityException("The package '" + packageName + "' was previously loaded and is already sealed.");
Package.isSealed() returns whether the package contains the sealBase (=URL of the code source). The sealBase is set if the "sealed" header or the package attribute is set to true. This is the case in our example.
Therefore, the first if-block checks that if the package was loaded sealed, then the sealBase must be identical. Otherwise, a security exception should be thrown, which is correct in my opinion.
Then the manifest file is parsed and checked for an available sealed attribute or sealed header.
The second if-block then checks
    if (Boolean.valueOf(sealed).booleanValue())
        throw new SecurityException("The package '" + packageName + "' was previously loaded unsealed. Cannot seal package.");
This is wrong in my opinion because it does not correspond to the thrown exception message.
The previously loaded package was sealed and since we have the same package that is also sealed, the security exception should not occur.
I suppose that the check should look like
    if (!pkg.isSealed() && Boolean.valueOf(sealed).booleanValue())
        throw new SecurityException("The package '" + packageName + "' was previously loaded unsealed. Cannot seal package.");
This condition would correspond to the exception message.
I'm not sure if an additional check is required to verify whether the previously loaded package is sealed and the new one is unsealed.
    if (pkg.isSealed() && !Boolean.valueOf(sealed).booleanValue())
        throw new SecurityException("The package '" + packageName + "' was previously loaded sealed. Cannot unseal package.");
What do you think? Should I open a bug?
[1] http://docs.oracle.com/javase/tutorial/deployment/jar/sealman.html
[Updated on: Thu, 12 December 2013 10:34]
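
Added example, not part of the original post and not Equinox code: a stand-alone model that runs the two checks quoted above and the checks suggested in the post over every combination of "earlier package sealed / unsealed" and "new JAR sealed / unsealed", so the cases where they disagree are visible (for instance, the same sealed JAR seen twice). The `LoadedPackage` record, the method names, the JAR URLs and the package name are assumptions made for the illustration; seal bases are modelled as strings rather than `java.net.URL`.

```java
public class SealCheckModel {

    // Hypothetical stand-in for java.lang.Package; sealBase == null means unsealed.
    record LoadedPackage(String name, String sealBase) {
        boolean isSealed() { return sealBase != null; }
        boolean isSealed(String url) { return url.equals(sealBase); }
    }

    // The two checks as quoted in the post; returns the rejection reason or null.
    static String quoted(LoadedPackage pkg, String jarUrl, boolean newSealed) {
        if (pkg.isSealed() && !pkg.isSealed(jarUrl))
            return "already sealed";
        if (newSealed)
            return "previously loaded unsealed";
        return null;
    }

    // The second check as suggested in the post, plus the optional third check it raises.
    static String suggested(LoadedPackage pkg, String jarUrl, boolean newSealed) {
        if (pkg.isSealed() && !pkg.isSealed(jarUrl))
            return "already sealed";
        if (!pkg.isSealed() && newSealed)
            return "previously loaded unsealed";
        if (pkg.isSealed() && !newSealed)
            return "previously loaded sealed";
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        String jarA = "file:/constructed/a.jar";
        String jarB = "file:/constructed/b.jar";
        String name = "org.example.sealed";
        LoadedPackage[] earlier = {
            new LoadedPackage(name, null),   // earlier load was unsealed
            new LoadedPackage(name, jarA),   // earlier load sealed from the same JAR
            new LoadedPackage(name, jarB)    // earlier load sealed from a different JAR
        };
        // The "new" definition always comes from jarA; only its sealed flag varies.
        for (LoadedPackage pkg : earlier)
            for (boolean newSealed : new boolean[] {false, true})
                System.out.printf("earlier sealBase=%-24s new sealed=%-5b quoted=%-27s suggested=%s%n",
                    pkg.sealBase(), newSealed,
                    quoted(pkg, jarA, newSealed), suggested(pkg, jarA, newSealed));
    }
}
```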