[jboss-dev-forums] [Design of POJO Server] - Re: ManagedOperation aspects for the ProfileService.Manageme
alesj
do-not-reply at jboss.com
Fri Sep 21 10:35:38 EDT 2007
"adrian at jboss.org" wrote :
| We need to find a way to remove the getClassLoader()
| and make it an implementation detail, or introduce a permission check
| into the implementations. Exposing classloaders in public methods is a security hole.
|
| See Class.getClassLoader() or Thread.currentThread().getContextClassLoader()
| for the kind of checks required.
|
Is this enough:
| public ClassLoader getClassLoader() throws Throwable
| {
| SecurityManager sm = System.getSecurityManager();
| if (sm != null)
| sm.checkPermission(SecurityConstants.GET_CLASSLOADER_PERMISSION);
| return Configurator.getClassLoader(getBeanMetaData());
| }
|
Or I need to 'find' something equivalent for the ccl in
| public ClassLoader getClassLoader() {
| ClassLoader cl = getClassLoader0();
| if (cl == null)
| return null;
| SecurityManager sm = System.getSecurityManager();
| if (sm != null) {
| ClassLoader ccl = ClassLoader.getCallerClassLoader();
| if (ccl != null && ccl != cl && !cl.isAncestor(ccl)) {
| sm.checkPermission(SecurityConstants.GET_CLASSLOADER_PERMISSION);
| }
| }
| return cl;
| }
|
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4087263#4087263
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4087263
More information about the jboss-dev-forums
mailing list