On Monday 04 August 2003 01:53, Bryce McKinlay wrote:
> On Saturday, Aug 2, 2003, at 01:46 Pacific/Auckland, David P Grove wrote:
> > Hi Tom,
> >
> > We've had security manager checks in the reflection code in
> > Jikes RVM for a while. Our current workaround for serialization is
> > that classes loaded by the system classloader are always allowed
> > access. This is probably too big of a hole, but it does work in
> > practice. The key routine for us is in
> > java.lang.reflect.JikesRVMSupport (appended below). If you come up
> > with a finer-grained fix for libgcj, let me know -- I'm not that happy
> > with what we are currently doing in Jikes RVM.
>
> AccessibleObject.setAccessible() is the correct way for serialization
> to get access to private reflection data. See:
>
> http://java.sun.com/j2se/1.4.2/docs/guide/reflection/reflection.html

Sure. But to call AccessibleObject.setAccessible() you need ReflectPermission, which the user code that initiated serialisation does not necessarily have. So the java.io serialisation stuff needs to have this permission, and it seems to me that it needs to call AccessibleObject.setAccessible() from inside a PrivilegedAction.

Granting AllPermission to everything loaded by the system class loader is IMHO acceptable, *iff* by system class loader you mean the class loader which loads java.* classes from a trusted location. Not to be confused with the application class loader which loads from the -classpath, which is the one returned by ClassLoader.getSystemClassLoader() (aaargh).

-- 
Chris Gray /k/ Embedded Java Solutions
Embedded & Mobile Java, OSGi
http://www.kiffer.be/k/
[EMAIL PROTECTED]
+32 477 599 703
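
The pattern discussed in this thread, calling setAccessible() from inside a PrivilegedAction so that the caller does not itself need ReflectPermission, is sketched below as an added example; it is not code from Classpath, libgcj or Jikes RVM. The class `PrivilegedFieldAccess`, the helper `readPrivateField` and the sample `Account` class are hypothetical names, and the code uses generics (Java 5 or later) rather than the 1.4-era syntax of the thread.

```java
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.PrivilegedAction;

public class PrivilegedFieldAccess {

    // Constructed sample class with a private field, standing in for a
    // serializable user object.
    static class Account {
        private final String owner = "alice";
    }

    // Hypothetical helper playing the role of trusted library code
    // (e.g. java.io serialization) called from less-privileged user code.
    static Object readPrivateField(Object target, final String name)
            throws IllegalAccessException {
        final Class<?> type = target.getClass();

        // Keep the privileged block minimal: only the reflective lookup and
        // setAccessible() run with this class's own permissions, so callers
        // further up the stack do not need ReflectPermission.
        Field field = AccessController.doPrivileged(new PrivilegedAction<Field>() {
            public Field run() {
                try {
                    Field f = type.getDeclaredField(name);
                    f.setAccessible(true); // checks ReflectPermission("suppressAccessChecks")
                    return f;
                } catch (NoSuchFieldException e) {
                    throw new IllegalArgumentException("no such field: " + name, e);
                }
            }
        });

        // The accessible Field never leaves this method; only the value is
        // returned, so the caller cannot reuse the elevated handle.
        return field.get(target);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readPrivateField(new Account(), "owner"));
    }
}
```

java.security.AccessController has been deprecated for removal since Java 17, so the code compiles with a deprecation warning on current JDKs; the pattern applies to runtimes that enforce a SecurityManager, as the ones in this thread do.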