On Monday 04 August 2003 11:02, Bryce McKinlay wrote: > On Monday, Aug 4, 2003, at 19:57 Pacific/Auckland, Chris Gray wrote: > > Sure. But to call AccessibleObject.setAccessible() you need > > ReflectPermission, which the user code that initiated serialisation > > does not > > necessarily have. So the java.io serialisation stuff needs to have > > this > > permission, and it seems to me that it needs to call > > AccessibleObject.setAccessible() from inside a PrivilegedAction. > > Isn't the security context of any given class is based on which > ClassLoader that loaded the class, rather than what called it?
No. The security context of a given method invocation is the set of classes "on the stack" at the time of the invocation, and the resulting set of privileges is the intersection of the privileges of all those classes. So if com.acme.FooApp has permission to read all files, and com.ibm.KoolThing has read/write access to the user's directory only, when FooApp calls a method of KoolThing the latter just gets read access to the user's files. > Since > ObjectOutputStream etc should always be loaded by the system > classloader, it doesn't need a PrivilegedAction. ie: regardless of the > code that calls it, the ObjectOutputStream class itself always has full > privileges (assuming the default security policies). Note that the > serialization classes have their own security checks to prevent them > being used maliciously by untrusted code. PrivilegedAction means "the buck stops here": it tells the AccessController not to look any further back on the stack, if the class making the PrivilegedAction has the right permissions then it doesn't who called it. This is the mechanism used by classes which have their own security checks to prevent them being used maliciously by untrusted code. > > Granting AllPermission to everything loaded by the system class loader > > is > > IMHO acceptable, *iff* by system class loader you mean the class > > loader which > > loads java.* classes from a trusted location. Not to be confused with > > the > > application class loader which loads from the -classpath, which is the > > one > > returned by ClassLoader.getSystemClassLoader() (aaargh). > > By default, the application/system class loader gets all permissions - > why would you want to restrict access the access of applications? To enable unstrusted applications to be run without compromising the system. True, that's not the standard desktop computing model, but I don't think the class libraries should prejudge the issue. -- Chris Gray /k/ Embedded Java Solutions Embedded & Mobile Java, OSGi http://www.kiffer.be/k/ [EMAIL PROTECTED] +32 477 599 703 _______________________________________________ Classpath mailing list [EMAIL PROTECTED] http://mail.gnu.org/mailman/listinfo/classpath
