[jboss-user] [JBoss Microcontainer Development] - Testing jboss-reflect with a SecurityManager enabled

[Adrian Brock]

Adrian Brock [http://community.jboss.org/people/adrian%40jboss.org] replied to the discussion

"Testing jboss-reflect with a SecurityManager enabled"

To view the discussion, visit: http://community.jboss.org/message/534039#534039

--------------------------------------------------------------
> Kabir Khan wrote:
> 
> The next problem is the Javassist version of the Field-/MethodAccessRestrictionTestCase. These fail since the javassist generated accessors (from JBREFLECT-6) are able to access private members, due to inheriting from sun.reflect.MagicAccessorImpl, so we don't get the expected exceptions when calling private members with a security manager enabled. My plan there is to modify JavassistFieldInfo and JavassistMethodInfo to throw an exception if an attempt is made to access them if they are not public and there is a security manager present.
No, if there is a SecurityManager you should do a similar check to what is done by the Reflection based api,
i.e. whether the caller has the "suppressAccessChecks" permission.
See ReflectionMethodInfoImpl.

P.S. I don't think you've solved the whole problem, see
 https://jira.jboss.org/jira/browse/JBREFLECT-2 https://jira.jboss.org/jira/browse/JBREFLECT-2
e.g. the MagicAccessorImpl trick doesn't work on jrockit for classes outside the bootstrap classloader.

--------------------------------------------------------------

Reply to this message by going to Community
[http://community.jboss.org/message/534039#534039]

Start a new discussion in JBoss Microcontainer Development at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2115]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-user/attachments/20100325/005db09c/attachment.html