Agree. I was just pointing out that there are 'sensitive' packages and
access to sensitive package classes - both normal linking reference and
reflective reference by Class.forName - is security access checked.
(i.e., there are Class objects that are security access protected as
well - not just ClassLoader instances).
-Sundar
On Tuesday 03 September 2013 11:03 PM, Jochen Theodorou wrote:
On 03.09.2013 16:12, A. Sundararajan wrote:
[...]
If Groovy or any third-party framework gets away with that -- that is
because you need to use modified security policy that gives those
necessary permissions to groovy.jar or whatever third-party jar in
question.
just think of us needing to build a runtime structure "copying" what
is in a normal class (plus some changes) available in terms of fields
and methods. If you don't generate that information (and you cannot
for unknown classes), then how can you get that without using
reflection and things like getDeclaredMethods. (not to mention several
properties and many other things).
In other words: it is imho impossible to run even a single Groovy
program without giving it some permissions.
bye Jochen