Jeroen,

> Yeah, the documentation sucks, but how is this any different from any of
> the other APIs ;-)

This seems to be a fairly critical part of the classloader security architecture that is simply not documented. This makes it rather difficult to know how it is supposed to be implemented.

> It isn't trivial without creating your own class loader (which is a
> privileged operation).

True, but the createClassloader permission is not supposed to imply accessPackage.* permission, yet that is what could occur. This might be a small crack inside the vault, but it is still a crack that should not be there. Much of the security architecture talks about malicious classloaders, but you are implying that all classloaders are trustworthy.

> If you read the security bulletin I pointed to,
> you'll see that Sun relies on this same mechanism to prevent access to
> the sun.* package, so presumably it is intended to be secure.

Presumably that is the intent. But then it depends on how you actually put this security check in place. How can I say this without "tainting" you? - Sun does not do this according to the letter of the method documentation.

> > The only way this check could work reliably is if the VM
> > itself performs the check. But it seems to me that this is a very
> > underspecified part of the security architecture - other than when
> > invoked via the reflection method.
> > Curiously I've been unable to find any information as to when
> > checkPackageAccess should actually be invoked!
>
> I hope you're not arguing that we shouldn't implement it, just because
> it is underspecified?

Of course not. Classpath should be implementing this regardless - it is part of the security architecture. The problem is that we don't know exactly how to implement it - i.e. where should the check take place. And it is my opinion that the check would need to be done by the VM so that a malicious classloader could not circumvent it. I'm still quite surprised that I can find so little information about this aspect of the security architecture.

I'm tempted to file a Sun bug report against ClassLoader.loadClass to request that it documents how the security check is to take place.

David

_______________________________________________
Classpath mailing list
[EMAIL PROTECTED]
http://lists.gnu.org/mailman/listinfo/classpath
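One practical way to answer the question raised in this message, when checkPackageAccess actually gets invoked, is to ask the JVM directly. The following is an added example, not code from this thread or from GNU Classpath: it installs a SecurityManager whose checkPackageAccess only records who called it, then drives three class-loading paths and reports how many checks each one triggered. It assumes a JDK from 9 to 23 on which SecurityManager still functions (JDK 18 and later must be started with -Djava.security.manager=allow); the class names PackageAccessProbe and RecordingSecurityManager and the probe classes are the example's own choices.

```java
import java.util.ArrayList;
import java.util.List;

/*
 * Added example, not from the Classpath mailing list or the GNU Classpath
 * sources. Installs a SecurityManager whose checkPackageAccess() records
 * its callers, then exercises three loading paths so the reader can see
 * which of them actually reach the check.
 *
 * Assumptions: a JDK (9 to 23) whose SecurityManager still works; on
 * JDK 18+ run with -Djava.security.manager=allow. All class names here are
 * this example's own.
 */
@SuppressWarnings("removal")
public class PackageAccessProbe {

    /** Records every checkPackageAccess call together with the frames that led to it. */
    static final class RecordingSecurityManager extends SecurityManager {
        final List<String> events = new ArrayList<>();

        @Override
        public void checkPackageAccess(String pkg) {
            // Deliberately does NOT call super: this is an observation tool,
            // so no package is restricted and nothing throws.
            StringBuilder sb = new StringBuilder("checkPackageAccess(\"" + pkg + "\") from:");
            int shown = 0;
            for (StackTraceElement f : Thread.currentThread().getStackTrace()) {
                String cls = f.getClassName();
                if (cls.equals(Thread.class.getName()) || cls.contains("SecurityManager")) {
                    continue;            // skip the frames of the recorder itself
                }
                sb.append("\n      ").append(cls).append('.').append(f.getMethodName());
                if (++shown == 3) {
                    break;               // three frames are enough to locate the check
                }
            }
            events.add(sb.toString());
        }
    }

    public static void main(String[] args) throws Exception {
        // A user-defined loader that delegates straight to the platform loader.
        // It is built BEFORE the manager is installed: creating one afterwards
        // would need RuntimePermission("createClassLoader"), the privileged step
        // the thread mentions. Any checks it performs are only those the
        // ClassLoader base class and the VM impose on it.
        ClassLoader custom = new ClassLoader(ClassLoader.getPlatformClassLoader()) { };

        RecordingSecurityManager sm = new RecordingSecurityManager();
        System.setSecurityManager(sm);

        // Probe 1: ordinary loading through the application class loader.
        Class.forName("javax.crypto.Cipher");
        int afterForName = sm.events.size();

        // Probe 2: reflection on a class owned by a different (bootstrap) loader.
        String.class.getMethods();
        int afterReflection = sm.events.size();

        // Probe 3: a not-yet-loaded platform class via the user-defined loader.
        custom.loadClass("java.sql.Connection");
        int afterCustom = sm.events.size();

        System.out.println("Probe 1 (Class.forName via app loader):   "
                + afterForName + " check(s)");
        System.out.println("Probe 2 (reflection on java.lang.String): "
                + (afterReflection - afterForName) + " check(s)");
        System.out.println("Probe 3 (user-defined loader):            "
                + (afterCustom - afterReflection) + " check(s)");
        System.out.println();
        sm.events.forEach(System.out::println);
    }
}
```

Compile and run it as `javac PackageAccessProbe.java && java -Djava.security.manager=allow PackageAccessProbe`. On Sun/Oracle-derived JDKs the application class loader's loadClass method calls checkPackageAccess itself before delegating, which is the placement outside the ClassLoader.loadClass documentation that David refers to, and the reflection path reaches the check from java.lang.Class; the recorded frames show exactly where. The third probe is the case the message worries about: whatever count it prints is the answer to whether the VM or the ClassLoader base class backs the check for a loader that was not written to perform it, and a count of zero is why the createClassLoader permission has to stay a privileged grant.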