David Holmes wrote:
> This seems to be a fairly critical part of the classloader security
> architecture that is simply not documented. This makes it
> rather difficult to know how it is supposed to be implemented.

It looks more like a hack to me, but it seems to do exactly what I want, so I'm not complaining.

> > It isn't trivial without creating your own class loader (which is a
> > privileged operation).
>
> True, but the createClassloader permission is not supposed to imply
> accessPackage.* permission, but that is what could occur.
> This might be a small crack inside the vault but it is still a crack
> that should not be there. Much of the security architecture talks about
> malicious classloaders, but you are implying that all classloaders are
> trustworthy.

True, but in reality I've never seen any evidence (or even suggestions) that creating a class loader is safe on any VM (in fact, the Sun 1.4 VM allows a custom class loader to redefine java.lang.Object and crash the VM).

Regards,
Jeroen

