"anil.saldhana(a)jboss.com" wrote : anonymous wrote :
| | I don't see your point? If the administrator configures it wrong then
| | there's nothing we can do about it.
| | That's like saying you should ban cutlery because you can stab yourself in the eye
| | with a fork. ;-)
|
| I am commenting on "I also don't see the need for the permission to set the codesource generator.
| | | If somebody can get access to the policy then they can make all sorts of other
| | | changes anyway."

So was I. If somebody has the createClassLoader permission then they can
do whatever they like. e.g. create their own classloader where the classes
get any permission they want to assign. Or give them a codesource
they know has AllPermission, etc.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4188156#...
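A defender-side check for the point made in the reply above, added here as an example that is not part of the original thread or of JBoss code: it scans a Java policy file for grants that amount to AllPermission. The sample policy is constructed, the function names are hypothetical, and the inclusion of SecurityPermission "setPolicy" and the "*" wildcards goes beyond the two cases named in the post.

```python
import re

# Targets that let code give itself any other permission. createClassLoader is
# the one named in the post; setPolicy and the "*" wildcards are added here.
ALL_POWERFUL = {
    "java.lang.RuntimePermission": {"createClassLoader", "*"},
    "java.security.SecurityPermission": {"setPolicy", "*"},
}

# grant <scope> { <body> };  Quoted strings in the scope may contain "${...}".
GRANT_RE = re.compile(r'grant\b((?:"[^"]*"|[^{"])*)\{(.*?)\}\s*;', re.DOTALL)
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?[^;]*;')

def strip_comments(text):
    """Drop /* */ blocks and whole-line // comments (keeps file:// URLs intact)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.DOTALL)
    return "\n".join(l for l in text.splitlines() if not l.strip().startswith("//"))

def is_all_powerful(cls, name):
    if cls == "java.security.AllPermission":
        return True
    return name in ALL_POWERFUL.get(cls, ())

def audit_policy(text):
    """Return (scope, permission class, target name) for every risky grant entry."""
    findings = []
    for scope, body in GRANT_RE.findall(strip_comments(text)):
        scope = " ".join(scope.split()) or "<all code>"
        for cls, name in PERM_RE.findall(body):
            if is_all_powerful(cls, name or None):
                findings.append((scope, cls, name or None))
    return findings

# Constructed sample policy, not taken from the thread.
SAMPLE_POLICY = '''
// plugins only need to read temp files
grant codeBase "file:${app.home}/plugins/-" {
    permission java.io.FilePermission "/tmp/-", "read";
    permission java.lang.RuntimePermission "createClassLoader";
};
grant codeBase "file:/opt/app/lib/core.jar" {
    permission java.security.AllPermission;
};
grant {
    permission java.util.PropertyPermission "user.dir", "read";
};
'''

if __name__ == "__main__":
    for scope, cls, name in audit_policy(SAMPLE_POLICY):
        print(f"{scope}: {cls} {name or ''} is equivalent to AllPermission")
```

The plugins grant is reported alongside the explicit AllPermission grant, which is the equivalence the reply describes.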