On 11/27/2011 6:31 PM, Greg Trasuk wrote:
Hi all:
I've attached a patch to RIVER-149
(https://issues.apache.org/jira/browse/RIVER-149), to switch to usage of
the current thread's context classloader.
I realize that commit-then-review is the usual practice, but since
classloading is fundamental to Jini, I thought I'd seek review first.
The JIRA comments give a good background on the bug and the patch.
One of the things that I wondered when looking at this, was if we wanted to make
use of a permission which involved the class name that will be loaded. In a
sense, that's a pretty big barrier for ease of use, but it does provide a
control point to deal with security issues. The use of the "jars" that the
class loader is using, is an externally configured bit. So, from a permission
perspective, there has already be a form of a "grant" made. The question is,
whether or not the use of a specific SPI class is another control point, worth
using.
Gregg Wonderly
