| Subject | Re: [Firebird-Architect] External engines - security |
|---|---|
| Author | Roman Rokytskyy |
| Post date | 2007-10-21T21:54:23Z |
Adriano,
If you give socket permission on classes from FB/java/classpath/sys, but
not to classes from FB/java/classpath/user, you will get
SecurityException unless the class from FB/java/classpath/sys uses
doPriviledged(...) call. Read the Javadocs for AccessController class -
that's the one responsible for permission checks.
it will be solved by thread context or by signedBy, not by codeBase. But
I will start thinking about this only after we solve all the issues in
other areas :)
Roman
> Roman, can't we have a directory structure like this:You can do this, but you don't get the desired result.
> FB/java/classpath
> FB/java/classpath/sys
> FB/java/classpath/user
>
> And consider classpath/sys and classpath/user as different code sources
> with different permissions?
>
> Then we put Jaybird in classpath/sys and users classes should be put in
> classpath/user.
If you give socket permission on classes from FB/java/classpath/sys, but
not to classes from FB/java/classpath/user, you will get
SecurityException unless the class from FB/java/classpath/sys uses
doPriviledged(...) call. Read the Javadocs for AccessController class -
that's the one responsible for permission checks.
> And in the future, with classes in blobs, that will be another code source.The codeBase from the blob is going to be a complex issue. Very likely
it will be solved by thread context or by signedBy, not by codeBase. But
I will start thinking about this only after we solve all the issues in
other areas :)
Roman