1. Re: Testing under a Security Manager
anil.saldhana Nov 13, 2008 3:09 PM (in response to alrubinger)
For the AS, very few (or none) external dependent projects test under the security manager. JBAS acts as an integration platform and can bring out the issues that exist in the core code as well as dependent projects.
I would suggest external projects to have a test run with the security manager enabled.
You cannot blindly add privileged blocks. You have to be careful of:

PublicCoreClass:

    public void changeClassLoader(final ClassLoader cl)
    {
       // Runs with PublicCoreClass's permissions, not the caller's
       AccessController.doPrivileged(new PrivilegedAction<Object>()
       {
          public Object run()
          {
             Thread.currentThread().setContextClassLoader(cl);
             return null;
          }
       });
    }

Here PublicCoreClass is eating up the privileged check. So any callers of PublicCoreClass->changeClassLoader will be able to change tcl.
So you have to be careful which operations go into privileged blocks.
Make the call as to whether the caller needs to be shielded from having permissions for that sensitive operation or not. If an operation is the business of a particular class and the callers should not be aware of it, then those ops go into priv blocks. This includes get/set TCL, reflection etc.
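
Added example, not part of the original post or of the JBoss code base: the pattern described in reply 1 beside two safer forms. The class and method names are hypothetical, and it assumes a JDK where the Security Manager is still enabled, as in this thread.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added example; TclHelper and its method names are hypothetical.
public final class TclHelper {

    // Leaky: a public method runs a caller-chosen argument inside a privileged
    // block, so code without RuntimePermission("setContextClassLoader") can
    // still replace the thread context class loader (TCL).
    public static void changeClassLoaderLeaky(final ClassLoader cl) {
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            public Void run() {
                Thread.currentThread().setContextClassLoader(cl);
                return null;
            }
        });
    }

    // Caller-driven change: no privileged block, so the Security Manager
    // checks every frame on the stack and the caller needs the permission.
    public static void changeClassLoader(ClassLoader cl) {
        Thread.currentThread().setContextClassLoader(cl);
    }

    // Internal business: the privileged helper is private and only receives
    // a loader this class picked or the previous TCL it is restoring.
    private static ClassLoader swapTcl(final ClassLoader cl) {
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                Thread t = Thread.currentThread();
                ClassLoader old = t.getContextClassLoader();
                t.setContextClassLoader(cl);
                return old;
            }
        });
    }

    // Runs the task with this class's own loader as TCL, then restores the
    // old one. The task runs outside the privileged block, so its own
    // permission checks still see the caller's protection domain.
    public static void runWithOwnLoader(Runnable task) {
        ClassLoader old = swapTcl(TclHelper.class.getClassLoader());
        try {
            task.run();
        } finally {
            swapTcl(old);
        }
    }
}
```
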
2. Re: Testing under a Security Manager
alrubinger Nov 13, 2008 3:11 PM (in response to alrubinger)
"anil.saldhana" wrote:
JBAS acts as an integration platform and can bring out the issues that exist in the core code as well as dependent projects.
EJB3 is different in that we don't have good representation within the AS TestSuite. Our integration is tested primarily within the jboss-ejb3-testsuite project, which runs against a full AS.
S,
ALR
3. Re: Testing under a Security Manager
anil.saldhana Dec 3, 2008 11:45 AM (in response to alrubinger)
http://anonsvn.jboss.org/repos/jbossas/projects/ejb3/trunk/interceptors/src/main/java/org/jboss/ejb3/interceptors/lang/ClassHelper.java
I see very few privileged blocks here. You are mucking around with the internals of a Class.