1 Reply Latest reply on Oct 19, 2012 5:49 AM by Lukas Krejci

    Securing JNDI lookup with security manager?

    Lukas Krejci Apprentice

      I am trying to solve a problem where I want to prevent certain codepaths in my app from doing local JNDI lookups. Those codepaths run user-supplied code (scripts) and I don't want them to be able to look up local SLSBs, etc., but only use an "official" API of ours.

       

      This is what a security manager and some kind of permission would be ideal for - the dangerous code would be run in an access control context WITHOUT some kind of permission to do the JNDI lookup while the rest of the application would have that permission.

      When I saw the org.jboss.as.naming.JndiPermission I thought I'd found exactly that. But doing a JNDI lookup without that permission still seems to work.

       

      Is that a bug or a "feature"? How else should I approach my problem?

       

      Thanks,

       

      Lukas
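
The mechanism the question describes, as an added example that is not part of the original post and not JBoss code: user code runs under an AccessControlContext with no permissions, and a lookup wrapper checks a permission explicitly, since a restricted context only blocks calls that actually perform a check. The permission name `example.jndiLookup`, the class and method names, and the JNDI name are hypothetical; it assumes a JVM that still supports the Security Manager (Java 17 or earlier).

```java
import java.security.*;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public final class RestrictedLookupDemo {
    // Hypothetical permission name (assumption), standing in for a lookup permission.
    static final Permission LOOKUP = new RuntimePermission("example.jndiLookup");

    // A context whose only ProtectionDomain carries an empty, static permission set.
    static final AccessControlContext NO_PERMS = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

    // Lookup wrapper that checks the permission itself before touching JNDI.
    static Object guardedLookup(String name) throws NamingException {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(LOOKUP); // throws AccessControlException if denied
        }
        return new InitialContext().lookup(name);
    }

    // Runs user-supplied code with the caller's rights intersected with NO_PERMS.
    static String runUntrusted(PrivilegedAction<String> script) {
        return AccessController.doPrivileged(script, NO_PERMS);
    }

    // Returns what happened, so both code paths can be compared.
    static String attempt(String name) {
        try {
            return "allowed: " + guardedLookup(name);
        } catch (AccessControlException e) {
            return "denied: " + e.getPermission().getName();
        } catch (NamingException e) {
            return "check passed, no JNDI provider in this demo";
        }
    }

    public static void main(String[] args) {
        // Demo policy: the application itself is fully trusted.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());
        String name = "java:global/example/SomeBean"; // constructed sample name
        System.out.println("application: " + attempt(name));
        System.out.println("script:      " + runUntrusted(() -> attempt(name)));
    }
}
```

The application path passes the check and fails only because no JNDI provider is configured outside a container; the script path is rejected at `checkPermission` before any naming code runs.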