On Thu, 2010-02-25 at 13:11 -0600, David M. Lloyd wrote:
> My understanding is that if the Packages are not equal, then
> package-protected access checks across JAR boundaries would fail, which is
> what we'd want. I.e. you're strengthening security, not weakening it.
>
> The JVM spec says "Each such class or interface belongs to a single runtime
> package. The runtime package of a class or interface is determined by the
> package name and defining class loader of the class or interface." which I
> take to mean Package object, since Package objects are unique per
> classloader. So you'd have one classloader per JAR with completely
> segregated Package spaces, possibly within the same domain, thus allowing
> individual JARs to be sealed.
No. Even if they are in the same physical package, you can't use
package private access across classes defined in
different classloaders.
That used to be an FAQ in early JBoss-3.0.x when every subdeployment
got its own classloader. ;-)
See for example:
http://altair.cs.oswego.edu/pipermail/jsr294-modularity-eg/2009-March/000...
discussing and dismissing a proposal to change that rule.
Whether sealing has any other security benefits I don't know?
But I'd be loath to weaken the checking on somebody's **guess** that
it does not. ;-)
> Perhaps I've missed something in the conversation though, it wouldn't be
> the first time.
>
> - DML
--
xxxxxxxxxxxxxxxxxxxxx
Adrian Brock
Chief Scientist
JBoss by Redhat
xxxxxxxxxxxxxxxxxxxxx
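
The runtime-package rule discussed in this message (package name plus defining class loader), shown as an added example that is not part of the original mail and not JBoss code. RuntimePackageDemo, Target, Caller and IsolatingLoader are hypothetical names, and Java 9 or later is assumed for readAllBytes():

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.InvocationTargetException;

public class RuntimePackageDemo {

    // Package-private class with a package-private method.
    static class Target {
        static String secret() { return "package-private data"; }
    }

    // Same source package as Target; touches the package-private member.
    public static class Caller {
        public static String call() { return Target.secret(); }
    }

    // Defines its own copy of Caller from the same bytes instead of delegating;
    // every other class (including Target) still comes from the parent loader.
    static class IsolatingLoader extends ClassLoader {
        IsolatingLoader(ClassLoader parent) { super(parent); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(Caller.class.getName())) return super.loadClass(name, resolve);
            try (InputStream in = getParent().getResourceAsStream(name.replace('.', '/') + ".class")) {
                byte[] b = in.readAllBytes();
                return defineClass(name, b, 0, b.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Same defining loader: same runtime package, access is allowed.
        System.out.println("same loader: " + Caller.call());
        // Identical bytecode, different defining loader: different runtime package.
        ClassLoader parent = RuntimePackageDemo.class.getClassLoader();
        Class<?> copy = new IsolatingLoader(parent).loadClass(Caller.class.getName());
        try {
            copy.getMethod("call").invoke(null);
            System.out.println("unexpected: access allowed");
        } catch (InvocationTargetException e) {
            System.out.println("other loader: " + e.getCause());
        }
    }
}
```

The second call fails with an IllegalAccessError as its cause even though the package name and the bytecode are identical, because the copy of Caller has a different defining loader than Target.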