DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21618>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21618 MappedPropertyDescriptor requires more permissions than necessary Summary: MappedPropertyDescriptor requires more permissions than necessary Product: Commons Version: unspecified Platform: All OS/Version: All Status: NEW Severity: Normal Priority: Other Component: Bean Utilities AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] Currently, Struts 1.1 is using beansutil.MappedPropertyDescriptor in its processing. The method getPublicDeclaredMethods() in that class is requiring a very potent Java2 security permission, which appears to not be necessary. This is a concern for us because we want to run Struts 1.1 code in an ASP type of environment in which the application code cannot be trusted. Therefore we want to severely limit the granted Java2 permissions to the application code. Specifically, org.apache.commons.beanutils.MappedPropertyDescriptor tries to invoke Class.getDeclaredMethods() for a particular class, which returns a set of public/protected/private/default classes declared exclusively by that class. Since it reflects a class and returns the public as well as non-public methods, the SecurityManager.checkMemberAccess method gets invoked with Member.DECLARED access level. Apparently, the Jakarta class assumes it has enough permissions to perform the call, so it tries to wrap the call in a doPrivileged block. From looking at the code, it appears that the class just wants to cache a set of public Method objects that are exclusively declared by a particular class (not inherited from parent classes). Perhaps the MethodPropertyDesc can instead call Class.getMethods() to get a set of public methods accessible in a particular class. For each Method object in the resulting set, it can check if the method is declared by the expected class by checking Method.getDeclaringClass(). This would require fewer permissions, as SecurityManager.checkMemberAccess would only need a Member.PUBLIC access clearance. If you think it would not be wise to make this kind of code change for the main line path, perhaps you could put a try .. catch block around the getDeclaredMethods call to catch the potential SecurityException and perform the proposed logic in the exception case only. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
