"Aaron M. Renn" <[EMAIL PROTECTED]> writes:
> That's a good idea. I thought that under JNI, access restrictions on
> classes were enforced. But I think that the debugging interface could
> probably get around that if they are.

Access restrictions are not enforced using JNI. Serialization (among
other things) would be impossible if they were enforced.

> If someone can call native code, there isn't much reason to think
> they shouldn't be able to bypass any security restrictions.

JNI access certainly allows one to get around security checks by just
directly calling whatever private method a secure method would call
after doing the security check, or perhaps more easily by just setting
whatever private flag determines the outcome of the security check to
true.

--
Geoff Berry