Sure. But to call AccessibleObject.setAccessible() you need
ReflectPermission, which the user code that initiated serialisation does not
necessarily have. So the java.io serialisation stuff needs to have this
permission, and it seems to me that it needs to call
AccessibleObject.setAccessible() from inside a PrivilegedAction.
Isn't the security context of any given class is based on which ClassLoader that loaded the class, rather than what called it? Since ObjectOutputStream etc should always be loaded by the system classloader, it doesn't need a PrivilegedAction. ie: regardless of the code that calls it, the ObjectOutputStream class itself always has full privileges (assuming the default security policies). Note that the serialization classes have their own security checks to prevent them being used maliciously by untrusted code.
Granting AllPermission to everything loaded by the system class loader is
IMHO acceptable, *iff* by system class loader you mean the class loader which
loads java.* classes from a trusted location. Not to be confused with the
application class loader which loads from the -classpath, which is the one
returned by ClassLoader.getSystemClassLoader() (aaargh).
By default, the application/system class loader gets all permissions - why would you want to restrict access the access of applications?
Regards,
Bryce.
_______________________________________________ Classpath mailing list [EMAIL PROTECTED] http://mail.gnu.org/mailman/listinfo/classpath
