1 Reply Latest reply on Nov 13, 2008 1:32 PM by Anil Saldanha

    Total disregard for privileged operations

    Anil Saldanha Master

      Basically all across our code base (mainly the org projects that come in as libraries) have total disregard for sensitive operations that need to be going in privileged blocks (after deciding whether these operations are part of what these libraries need and not something the caller of these libraries should have).

      Basically, we are doing set context class loader, setting system properties at will as examples.

      Examples:
      https://jira.jboss.org/jira/browse/JBMESSAGING-1446

      and such as:
      http://anonsvn.jboss.org/repos/jbossas/trunk/tomcat/src/main/org/jboss/web/tomcat/service/deployers/TomcatService.java

      System.setProperty("catalina.ext.dirs", (System.getProperty("jboss.server.home.dir") + File.separator + "lib"));
      


      I have this jira issue for AS5:
      https://jira.jboss.org/jira/browse/JBAS-5988

      I have updated the AS5 testsuite sec policy as much as possible (work in progress).
      http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/securitymgr/server.policy
      We need better control of permissions for things such as Common Criteria Evaluation.