Red Hat Bugzilla – Bug 967674
Make sure that all the SLSB methods are callable from scripted alert notifications
Last modified: 2013-11-19 09:30:05 EST
Description of problem:
EAP 6.1 that JON uses as the base container implements some additional java security permission checks not present in AS 7.1.1.Final (for example the ModelController.createClient() method).
We need to make sure that any such hardened methods reachable from our remote API and classes accessible to the CLI alert scripts are properly handled.
This means that we either let the security exception propagate if we determine that such usage by scripts is indeed dangerous or we need to surround such calls in privileged action blocks so that they're usable from the scripts.
Version-Release number of selected component (if applicable):
maybe, one instance of this already captured by BZ 967622
This is meant to be an umbrella BZ that should depend on concrete cases.
Lukas can you please investigate this and also the dependent Bug 967675 what there is to do.
IMHO, we shouldn't be too worried about this, because we haven't had any new instance of such security-related problems since bug 967622 (or its JON equivalent, BZ 967675).
I believe the QA coverage of the APIs is rather good so I assume we'd already have seen this kind of problems (as we did with BZ 967622 that was discovered by QE).
I propose to close this. What do you think, Heiko?
I am in favor of closing if we haven't found new instances of this in the investigations.
Closing. We haven't discovered a new issue similar to this for the last 10 months.