[jboss-dev-forums] [Design of EJB 3.0] - Re: Testing under a Security Manager

For the AS, very few (or none) external dependent projects test under the security manager. JBAS acts as an integration platform and can bring out the issues that exist in the core code as well as dependent projects. I would suggest external projects to have a test run with the security manager enabled. You cannot blindly add privileged blocks. You have to be careful of: | | PublicCoreClass: | | public void changeClassLoader(final ClassLoader cl) | { | AccessController.doPrivileged(new PrivilegedAction<Object>(){ | public Object run() | { | Thread.currentThread().setContextClassloader(cl); | } | } | Here PublicCoreClass is eating up the privileged check. So any callers of PublicCoreClass->changeClassLoader will be able to change tcl. So you have to be careful which operations go into privileged blocks. Make the call as to whether the caller needs to be shielded from having permissions for that sensitive operation or not. If an operation is the business of a particular class and the callers should not be aware of it, then those ops go into priv blocks. This includes get/set TCL, reflection etc. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4189219#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...