On 11/23/06, Tom Schindl <[EMAIL PROTECTED]> wrote:

Hi,

The problem is not the methods' visibility: the methods in the sub-class
are public but their class declaration is not, and you can call them if
you method.setAccessible(true). I've currently modified BeanUtils in my
project and it works perfectly.


This solution will work (by default) ... until you try it on a server where
a security manager with rational policies is enabled by default (such as had
*better* be the case, for example, in a server environment that shares a JVM
across multiple third party webapps).  If you don't think this is important,
you might as well be coding in a scripting language, because you are giving
up one of the key advantages of using a strongly typed language like Java.

Note that I am not at all dissing the choice to use such a language ... but
you should be aware of what you give up to gain the corresponding benefits.
Therefore I would be pretty unhappy with a proposal to make BeanUtils do
this sort of thing by default, without some deliberate choice by the
application developer (thereby explicitly accepting the security
vulnerabilities that come with setAccessible() working as described here).

Tom


Craig
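The situation the thread is arguing about, as an added stand-alone Java example (not code from this thread, and not BeanUtils' own implementation): a public method on a non-public class, the check a bean-introspection library can make to find the same method declared on a public supertype or interface (so no access checks have to be suppressed), and a probe of whether the running JVM would even permit setAccessible(true) under a security manager. The names Greeter, HiddenGreeter, findAccessibleMethod and canSuppressAccessChecks are assumptions made for this example.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.ReflectPermission;

public class AccessibleMethodDemo {

    /** Public interface: the view a caller in any package may use. (Constructed for this example.) */
    public interface Greeter {
        String greet(String name);
    }

    /**
     * Non-public (package-private) implementation, as in the thread. greet() is public,
     * but a Method obtained from *this* class can only be invoked reflectively by callers
     * in the same package; from any other package Method.invoke throws
     * IllegalAccessException unless setAccessible(true) is applied first.
     */
    static class HiddenGreeter implements Greeter {
        @Override public String greet(String name) { return "hello " + name; }
    }

    /**
     * Walk the supertype chain looking for a declaration of the method that lives in a
     * public class or interface. Such a Method can be invoked from any package without
     * setAccessible(true) and therefore without needing ReflectPermission("suppressAccessChecks").
     * Returns null when no public declaration exists. (Hypothetical helper written for this example.)
     */
    public static Method findAccessibleMethod(Class<?> type, String name, Class<?>... params) {
        for (Class<?> c = type; c != null; c = c.getSuperclass()) {
            if (Modifier.isPublic(c.getModifiers())) {
                try { return c.getMethod(name, params); } catch (NoSuchMethodException ignored) { }
            }
            for (Class<?> iface : c.getInterfaces()) {
                // getMethod also finds methods inherited from super-interfaces
                if (Modifier.isPublic(iface.getModifiers())) {
                    try { return iface.getMethod(name, params); } catch (NoSuchMethodException ignored) { }
                }
            }
        }
        return null;
    }

    /**
     * Would this JVM let us suppress access checks at all? With no SecurityManager the
     * answer is always true; with one installed it depends on the policy granting
     * suppressAccessChecks. (SecurityManager is deprecated since JDK 17 and disabled by
     * default in later releases, so on modern JDKs this normally reports "no manager".)
     */
    @SuppressWarnings("removal")
    public static boolean canSuppressAccessChecks() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return true;
        try {
            sm.checkPermission(new ReflectPermission("suppressAccessChecks"));
            return true;
        } catch (SecurityException denied) {
            return false;
        }
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        Object bean = new HiddenGreeter();

        // Method declared on the non-public class: invoking it works here only because
        // this code sits in the same package as HiddenGreeter.
        Method direct = bean.getClass().getMethod("greet", String.class);
        Class<?> owner = direct.getDeclaringClass();
        System.out.println("declared in " + owner.getName()
                + ", declaring class public? " + Modifier.isPublic(owner.getModifiers()));

        // Method declared on the public interface Greeter: safe to invoke from anywhere.
        Method viaPublic = findAccessibleMethod(bean.getClass(), "greet", String.class);
        System.out.println("declared in " + viaPublic.getDeclaringClass().getName());
        System.out.println(viaPublic.invoke(bean, "world"));

        System.out.println("suppressAccessChecks available: " + canSuppressAccessChecks());
    }
}
```

The point of the helper is the distinction Craig draws: the library only needs the public view of the bean, which the public interface already provides, so it never has to ask the JVM to bypass access checks. Anything that still insists on setAccessible(true) is, under a security manager with a sensible policy, rejected with a SecurityException rather than silently working, which is exactly why defaulting to it is a bad trade.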
