[jboss-dev-forums] [Design the new POJO MicroContainer] - Re: Field injection
adrian@jboss.org
do-not-reply at jboss.com
Fri Mar 21 01:20:20 EDT 2008
I've fixed the security hole problems in the private field access,
although I haven't tested every use case.

I rewrote (deleted one) your tests since they were broken/making incorrect assumptions
about how it should work. The one I deleted I tried to fix but it was like playing a game
of "kaplunk" ;-)

See the FieldsAccessControlTestCase in the controller tests for how to write it
properly. It basically deploys two files (one during bootstrap which isn't
subject to security and one manually that is).

Implementation and a WARNING:

The access to private fields is now correctly controlled inside the
ReflectFieldInfoImpl with final methods that nobody can override.

The only way the MC can get it wrong is by accessing fields when it is not
using the controller context's AccessControlContext, i.e. it is running under
its own privileges instead of whoever tried to register the bean.

So the other use cases still need testing to make sure this does not happen
(either now or in the future).
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4138234#4138234
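
The pattern described in the post, as an added sketch that is not part of the original message and not the MicroContainer's code: a final setter checks the registrant's AccessControlContext before the container uses its own privileges to open a private field. GuardedField, Target and contextWith are hypothetical names, and the code assumes a JDK from the era of the post (such as Java 8) where the java.security access-control API is still functional.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.*;

// Hypothetical sketch; GuardedField is not the MicroContainer's ReflectFieldInfoImpl.
public class FieldAccessSketch {
    static final Permission ACCESS = new ReflectPermission("suppressAccessChecks");

    static class Target { private String secret = "initial"; }

    static class GuardedField {
        private final Field field;
        GuardedField(Field field) { this.field = field; }

        // final: a subclass cannot override the method and drop the check.
        // 'registrant' is the context captured when the bean was registered.
        public final void set(Object target, Object value, AccessControlContext registrant)
                throws IllegalAccessException {
            registrant.checkPermission(ACCESS); // AccessControlException if not granted
            // Only now does the container use its own privileges to open the field.
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                field.setAccessible(true);
                return null;
            });
            field.set(target, value);
        }
    }

    // Constructed context holding exactly the given static permissions.
    static AccessControlContext contextWith(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        return new AccessControlContext(
                new ProtectionDomain[] { new ProtectionDomain(null, perms) });
    }

    public static void main(String[] args) throws Exception {
        Target t = new Target();
        GuardedField f = new GuardedField(Target.class.getDeclaredField("secret"));
        f.set(t, "set by trusted registrant", contextWith(ACCESS));
        try {
            f.set(t, "set by untrusted registrant", contextWith());
        } catch (AccessControlException denied) {
            System.out.println("denied: " + denied.getPermission());
        }
        System.out.println(t.secret);
    }
}
```

The failure mode the post warns about corresponds to passing the container's own context as `registrant`: the check then passes for every bean, regardless of who registered it.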