Re: SecurityException throwpoint audit

[Mark Wielaard <mark@klomp.org>]

[-- Attachment #1: Type: text/plain, Size: 1695 bytes --]

Hi Gary,

On Mon, 2005-11-21 at 16:58 +0000, Gary Benson wrote:
> I've been trying to work out how to test that permissions are checked
> at every point they ought to be.  There's a table of every such point
> here:
> 
>   http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html#PermsAndMethods

I would not trust that list as the definite guide. I just looked for a
random method (which I was just working on for GNU Classpath)
Toolkit.getSystemSelection() and it was not listed.

> Some of these already have tests, but most probably do not.  Before I
> start creating tests I'm thinking that we need some way to correlate
> mauve tests with the throwpoints on this (and future) lists.
> 
> How would people feel if I numbered the throwpoints on the above list
> and noted them in their corresponding tests in some easily parsable
> form (probably in comments like Tags are already).  That way whether a
> throwpoint is tested (and the location of the test) can be found with
> a simple grep.
> 
> For simplicity I'd probably number the 1.4.2 list from 1-whatever.
> Checks added in 1.5 can be added at the end of the list.

I don't really like the numbering. I would propose to actually name the
tests with somewhat meaningful names. Something like
<PermissionClassName>_<ClassName>_<MethodName> for each Permission and
class.method() needing to check for that permission. (example:
AWTPermission_Toolkit_getSystemSelection)

Or maybe have a directory per PermissionClassName.

That is how jacks is setup. It follows the JLS, but it doesn't use the
section numbers, but logical names of the sections that the tests are
for.

Cheers,

Mark

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]