Andrew McIntyre (JIRA) wrote:
> [ http://issues.apache.org/jira/browse/DERBY-668?page=comments#action_12359113 ]
>
> Andrew McIntyre commented on DERBY-668:
> ---------------------------------------
>
> Hi Dan, I was looking at the 1.3.1 javadoc at the time, it's not very
> specific about the security ramifications of the methods in question. Oh well.
>
> Anyway, if we didn't have permissions to access the class,
> we'd already be in trouble by the time this code was called,
> since we would have already attempted to load the class to pass it into the getFileWhichLoadedClass method.

No, permission to load the class is not the same as permission to read the contents of the class file, e.g. analyze its byte code. I can't (yet) find any supporting documentation that says a ClassLoader must (should?) not return information for a .class file. There are a number of Sun/Java bugs on the issue, indicating that returning a class file is not a good thing to do.

Dan.
