Antoine Levy-Lambert has posted a message at
netscape.public.mozilla.jseng newsgroup about an incompatible change in
Rhino CVS tip that caused Batik to fail during compilation.
First, thanks for the error report, the changes in Rhino were supposed to
be backward-compatible and I will fix Rhino ASAP.
That would be great!
But I also looked at BatikSecurityController which implements
org.mozilla.javascript.SecurityController and that raised the second
issue.
BatikSecurityController does not have a proper implementation of
SecurityController.execWithDomain (or SecurityController.callWithDomain
which was introduced in Rhino CVS) method which allows trivially for
scripts from external URLs to be executed with permissions of local Batik
classes.
Vincent Hardy is the 'security architect' for Batik, however my understanding is that script security is implemented using the Java 2 Security model in particular it puts _all_ the rhino classes in the sand box[*]. I'm sure that a second set of eyes looking at this to make sure we are doing it correctly would be greatly appreciated.
[*] This does have some unfortunate side effects like the debugger can only be used when 'secure scripting' is off - not usually a problem since most people debug there own code - but still annoying.
For proper implementation of the interface please refer to http://lxr.mozilla.org/mozilla/source/js/rhino/toolsrc/org/mozilla/javascript/tools/shell/JavaPolicySecurity.java that contains a proper implementation of the interface.
I will try to create a version of it for Batik but it may take a week or so. Is it ok?
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
