[jboss-dev-forums] [Design of Security on JBoss] - Re: Policy Implementation for VFS

david.lloyd@jboss.com do-not-reply at jboss.com
Wed Oct 8 10:38:42 EDT 2008


"adrian at jboss.org" wrote : The default implementation using system properties
  | http://java.sun.com/javase/6/docs/technotes/guides/security/PolicyFiles.html
  | won't understand the vfs urls because the VFS code isn't even in the classpath
  | when the server boots and reads the file.

My understanding may well be flawed, but when I was researching this for secure classloading in Remoting, my conclusion was that the URLs need not be resolvable at load time; rather they are somehow compared against the ClassLoader's CodeSource (by way of the ProtectionDomain used to load each class) at the time the permission is checked, or possibly at the time the class is loaded.  I think that as long as the VFS classloader is properly configuring the ProtectionDomain when loading classes, including the proper VFS URL for each class (using one of the ClassLoader.defineClass() methods which accepts ProtectionDomain), it should Just Work, even with the default policy.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4181035#4181035
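
An added example, not part of the original post or of JBoss code: a class loader that hands a ProtectionDomain to defineClass(), followed by a check of how a codeBase-style CodeSource matches the resulting location through CodeSource.implies(). The `vfsdemo` scheme, the stub URLStreamHandler and all class names are hypothetical, and no policy file is loaded here.

```java
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

// Added illustration: the "vfsdemo" scheme, STUB and class names are hypothetical.
class VfsDomainDemo {
    static class Payload { }   // class whose bytes are re-defined below
    // Stub handler: lets URL parse the custom scheme; nothing is ever opened.
    static final URLStreamHandler STUB = new URLStreamHandler() {
        @Override protected URLConnection openConnection(URL u) {
            throw new UnsupportedOperationException("never dereferenced");
        }
    };

    static URL vfs(String spec) throws Exception {
        return new URL(null, spec, STUB);
    }

    static class DemoLoader extends ClassLoader {
        Class<?> define(String name, byte[] b, URL location) {
            CodeSource cs = new CodeSource(location, (Certificate[]) null);
            // Four-argument constructor: permissions are dynamic, so a JDK with a
            // Security Manager consults the current Policy at permission-check time.
            ProtectionDomain pd = new ProtectionDomain(cs, null, this, null);
            return defineClass(name, b, 0, b.length, pd);
        }
    }

    public static void main(String[] args) throws Exception {
        String name = Payload.class.getName();
        byte[] bytes;
        // Default package, so the resource name is relative to this class.
        try (InputStream in = VfsDomainDemo.class.getResourceAsStream(name + ".class")) {
            bytes = in.readAllBytes();
        }
        Class<?> c = new DemoLoader().define(name, bytes, vfs("vfsdemo:/deploy/app.jar"));
        CodeSource actual = c.getProtectionDomain().getCodeSource();
        System.out.println("location: " + actual.getLocation());
        // Stand-ins for a policy grant's codeBase; "/-" matches recursively.
        CodeSource grant = new CodeSource(vfs("vfsdemo:/deploy/-"), (Certificate[]) null);
        CodeSource other = new CodeSource(vfs("vfsdemo:/other/-"), (Certificate[]) null);
        System.out.println("grant matches: " + grant.implies(actual));
        System.out.println("other matches: " + other.implies(actual));
    }
}
```

Compile with javac before running so that the Payload class file is available as a resource.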
