Use privileged action in CacheInterceptor ----------------------------------------- Key: JBCACHE-157 URL: http://jira.jboss.com/jira/browse/JBCACHE-157 Project: JBoss Cache Issue Type: Patch Security Level: Public(Everyone can see) Components: PojoCache Affects Versions: 1.2.2 Environment: Standalone JDK 1.5 application with custom security policy Reporter: twundke Assigned To: Jason T. Greene Fix For: PojoCache 2.1.0 Attachments: CacheInterceptor.patch When using the AOP version of JBoss Cache in a security-managed environment, various classes require certain permissions (such as org.jboss.cache.aop.CachedType requiring java.lang.RuntimePermission "accessDeclaredMembers"). This also means that any class accessing a cached object must be granted these permissions. There are a number of problems with this. The first is that it breaks the transparency of using AOP-ed objects with the cache, as users of these objects must be granted additional permissions. The second problem is the nature of the permissions that must be granted. They are powerful permissions that allow runtime reflection, and in my particular case cannot be granted to the code using cached objects. The solution is to wrap the CacheInterceptor.invoke() method in a call to AccessController.doPrivileged() when a security manager is present. This allows the necessary permissions to be granted to the cache, without affecting the permissions of the calling code. The attached patch does just that. However, I don't know if this will have an effect on using the cache within a managed environment. I suspect not, but have no way of testing this.