And I told you: policy files are not used that way.
When a security manager is installed it absolutely does not matter from where the relevant code is called. That would be completely idiotic to allow JRE calls and forbid "client side code calls".
So if listFiles() is inside the JRE and is public then any applet with the most strict security policy will be able to call it, and listFiles() will then be able to call ProcessBuilder.start() without any problems. No it won't. That makes no sense.
I have an old iPhone 4S. Yes, it came with a small printed manual, I'm just not sure anymore what was in the manual and what was in iBooks, might as well be that I downloaded the stuff into iBooks and it was mot preinstalled. On the other hand only very few things on iOS require a manual. On the other hand again: I don't know what I have missed and don't know:)
That is only true for an extreme minority of programmers. And you have no keywords in the flowchart anyway, the symbols are the keywords. Most people understand a graphic 10 to 100 times faster than code/text. That is the prime reason why they are en vogue in some circles.
In UML you would use an activity diagram, btw. I use them mainly to capture business requirements (Use Cases) or for Rule Processing Engines. For ordinary code I did not use flow charts since 20 years I think. But some case tools can auto generate them from source code, that is often helpful.
I don't understand what your point is:) Java security managers work in the way I described. No idea about what you are talking.
However I would rewrite the JDK with annotations and let the compiler weave in the calls to the security manager, or even better use proper AOP and define all security related stuff outside of the runtime, you could even use a policy file for that.
I guess you talk about completely different security issues then I did.
Messages sent on one device, or received, would often not show up on other devices.
So I switched it off (yes, of course I have the same iTunes/iCloud account on all devices registered), worst of all: some messages send on my iPad never reached the recipient.
What do you mean with simply saying iTunes? iTunes the Application? I like it, I just don't like that they removed coverflow and that it is used for backing up iPads and iPhones. iTunes the Store? What is wrong with the store?
if "listFiles()" is supposed to only work if there is no SM installed then the code inside of listFiles needs to look something like this:
if (System.getSecurityManager() == null) {
return privateListFiles();
} else if (System.getSecurityManager().getListFilesPermissions() == "can list files") {
return privateListFiles();
} else {
throw new SecurityException("list files not permitted");
}
Policy files are used for different stuff, e.g. Applets (and then read by a SecurityManager).
So: no, the system does not work the way you think it would. However it would make more sense to have policy files for everything and have a CodeWaver that weaves in the security (manager) code.
The JavaDoc you linked has absolutely nothing to do with SecurityManagers aka calling of certain code. It is an abstraction for ACLs, Digestes and Certificates.
Depending on organization your let someone confirm the bug and avoid dups, then you put it on the Kanban board. Alternatively you have on inside of the team confirming it.
But: why are you mixing Kanban with Scrum in the same team? That does not really make sense. Unless you switch from sprint to sprint to one or the other paradigm.
I will sett up laptop renting shops all over the world. Hopefully you have a back up of your own that can be accesed remotely or an usb stick with what is relevant for you during travel. Probably a bootable usb stick or usb drive would be best.
Just a few years ago a MAFIA ring exactly doing that was arrested. They had stollen millions of dollars worth of cameras, laptops, money, jewlary from air plane cargo. Of course they were employees of the relevant air lines.
Suppose that listFiles() is within a trusted package and was left with public access so it's granted appropriate permissions from SecurityManager. That is not how a security manager works.
he fact that it was left with public access _is_ a bug, of course. If it was not public it could be called at all.
Perhaps you mean: there should be a public method that is invoking the security manager before calling the private implementation. And the example above you assumed "listFiles()" was that private implementation and left accidentally public as well?
If call() is a method in a package/class that can only can be accessed under certain circumstances, e.g. SecurityManager grants access, it can only be called then. Unless there is a bug.
And it's the real reason applets were so buggy - it's easy to trick a lot of "trusted code" by carefully crafting the data it works on. That is nonsense.
Java Sandboxing works based on so called Security Managers, which restrict access to certain packages, classes or modules, and have nothing to do with "data".
Nice link though, but it looks similar vulnerable as the Java way. Only glanced over it, but will study it later, thanx.
I know surely dozens, perhaps a hundred Mac and iDevice users.
Never met a fanboi, though.
Is that an american specimen?
I doubt more than a hand full of /. ers grasp what you are talking about ;D
If you use a policy file to grant or restrict access to certain methods of the target object: every method on the call stack needs to have a _grant_
It is clearly written in the Docu you link. Or in the X-linked other pages.
It is completely impossible, unless there is a bug, to trick a JRE method into calling something the client code has no grant for.
And I told you: policy files are not used that way.
When a security manager is installed it absolutely does not matter from where the relevant code is called. That would be completely idiotic to allow JRE calls and forbid "client side code calls".
So if listFiles() is inside the JRE and is public then any applet with the most strict security policy will be able to call it, and listFiles() will then be able to call ProcessBuilder.start() without any problems.
No it won't. That makes no sense.
And no touch screens either?
I have an old iPhone 4S. :)
Yes, it came with a small printed manual, I'm just not sure anymore what was in the manual and what was in iBooks, might as well be that I downloaded the stuff into iBooks and it was mot preinstalled.
On the other hand only very few things on iOS require a manual. On the other hand again: I don't know what I have missed and don't know
That is only true for an extreme minority of programmers.
And you have no keywords in the flowchart anyway, the symbols are the keywords.
Most people understand a graphic 10 to 100 times faster than code/text. That is the prime reason why they are en vogue in some circles.
In UML you would use an activity diagram, btw. I use them mainly to capture business requirements (Use Cases) or for Rule Processing Engines. For ordinary code I did not use flow charts since 20 years I think. But some case tools can auto generate them from source code, that is often helpful.
I don't understand what your point is :)
Java security managers work in the way I described.
No idea about what you are talking.
However I would rewrite the JDK with annotations and let the compiler weave in the calls to the security manager, or even better use proper AOP and define all security related stuff outside of the runtime, you could even use a policy file for that.
I guess you talk about completely different security issues then I did.
The instruction manuals are on the phone. in the iBooks App if I recall correctly.
iMessanger never really worked for me reliable.
Messages sent on one device, or received, would often not show up on other devices.
So I switched it off (yes, of course I have the same iTunes/iCloud account on all devices registered), worst of all: some messages send on my iPad never reached the recipient.
What do you mean with simply saying iTunes?
iTunes the Application? I like it, I just don't like that they removed coverflow and that it is used for backing up iPads and iPhones.
iTunes the Store? What is wrong with the store?
if "listFiles()" is supposed to only work if there is no SM installed then the code inside of listFiles needs to look something like this:
if (System.getSecurityManager() == null) {
return privateListFiles();
} else if (System.getSecurityManager().getListFilesPermissions() == "can list files") {
return privateListFiles();
} else {
throw new SecurityException("list files not permitted");
}
Policy files are used for different stuff, e.g. Applets (and then read by a SecurityManager).
So: no, the system does not work the way you think it would.
However it would make more sense to have policy files for everything and have a CodeWaver that weaves in the security (manager) code.
The JavaDoc you linked has absolutely nothing to do with SecurityManagers aka calling of certain code. It is an abstraction for ACLs, Digestes and Certificates.
Perhaps you should read the links you post?
Depending on organization your let someone confirm the bug and avoid dups, then you put it on the Kanban board. Alternatively you have on inside of the team confirming it.
But: why are you mixing Kanban with Scrum in the same team? That does not really make sense. Unless you switch from sprint to sprint to one or the other paradigm.
Most cargo ships have passenger cabins.
And they are faster than passenger ships anyway.
I will sett up laptop renting shops all over the world.
Hopefully you have a back up of your own that can be accesed remotely or an usb stick with what is relevant for you during travel.
Probably a bootable usb stick or usb drive would be best.
Just a few years ago a MAFIA ring exactly doing that was arrested.
They had stollen millions of dollars worth of cameras, laptops, money, jewlary from air plane cargo.
Of course they were employees of the relevant air lines.
And the logic is easy to describe with graphics :D
Anyway, drawing flow charts and converting them to code is out of fashion because now we have super power full IDEs.
If you had only a lame text editor, it would be a challenge to write code instead of drawing a flow chart.
Perhaps ou can google which silicon valley companies mainly use Java :D
www.indeed.com lists about 2400 Java jobs in silicon valley open.
Suppose that listFiles() is within a trusted package and was left with public access so it's granted appropriate permissions from SecurityManager.
That is not how a security manager works.
he fact that it was left with public access _is_ a bug, of course.
If it was not public it could be called at all.
Perhaps you mean: there should be a public method that is invoking the security manager before calling the private implementation. And the example above you assumed "listFiles()" was that private implementation and left accidentally public as well?
No one is "storing" its bitcoins on an exchange service.
They are on my hard disk, on my back up and on several USB sticks/drives.
Sorry, I don't get what you want to say.
If call() is a method in a package/class that can only can be accessed under certain circumstances, e.g. SecurityManager grants access, it can only be called then. Unless there is a bug.
Puh! As long it is not an harvesters outbreak ...
https://www.amazon.com/Season-...
Actually a very good trilogy !!
And now in different colours even :D sent me some photos!
And it's the real reason applets were so buggy - it's easy to trick a lot of "trusted code" by carefully crafting the data it works on.
That is nonsense.
Java Sandboxing works based on so called Security Managers, which restrict access to certain packages, classes or modules, and have nothing to do with "data".
Nice link though, but it looks similar vulnerable as the Java way. Only glanced over it, but will study it later, thanx.
And on impact^H^H^H^H^H^H landing you even safe the time to cut it into pieces or putting it into a mixer. And the food will be well tenderized, too!