portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Question about RdbmsPolicy with no principals
Date Thu, 19 Jan 2006 19:19:09 GMT
In RdbmsPolicy, if there are no principals, AllPermission is  
granted.  IIUC this can only happen if security is misconfigured,  
since before login everything should be done with the "guest"  
subject.  Isn't this a security  hole, to allow full access if  
security is not set up properly?


Here is the relevant code with debug statements removed:

     public boolean implies(ProtectionDomain protectionDomain,  
Permission permission)
     {
         Principal[] principals = protectionDomain.getPrincipals();
         PermissionCollection perms = new Permissions();
         boolean permImplied = false;
         if ((null != principals) && (principals.length > 0))
         {
             // We need to authorize java permissions.
             // Without this check, we get a ClassCircularityError in  
Tomcat.
             if (permission.getClass().getName().startsWith("java"))
             {
                 perms.add(new AllPermission());
             }
             else
             {
                 perms = pms.getPermissions(Arrays.asList(principals));
             }
         }
         else
         {
             // No principal is returned from the subject.
             // For security check, be sure to use doAsPrivileged 
(theSubject, anAction, null)...
             // We grant access when no principal is associated to  
the subject.
             perms.add(new AllPermission());
 >>> DOESN"T THIS MEAN SECURITY IS NOT PROPERLY CONFIGURED AND WE  
SHOULD DENY ALL ACCESS?
         }
         if (null != perms)
         {
             permImplied = perms.implies(permission);
         }
         return permImplied;
     }


Am I missing something?

thanks
david jencks


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Mime
View raw message