Agree. I was just pointing out that there are 'sensitive' packages and access to sensitive package classes - both normal linking reference and reflective reference by Class.forName - is security access checked. (i.e., there are Class objects that are security access protected as well - not just ClassLoader instances).

-Sundar

On Tuesday 03 September 2013 11:03 PM, Jochen Theodorou wrote:
On 03.09.2013 16:12, A. Sundararajan wrote:
[...]
If Groovy or any third-party framework gets away with that -- that is
because you need to use modified security policy that gives those
necessary permissions to groovy.jar or whatever third-party jar in
question.

Just think of us needing to build a runtime structure "copying" what is in a normal class (plus some changes) available in terms of fields and methods. If you don't generate that information (and you cannot for unknown classes), then how can you get that without using reflection and things like getDeclaredMethods? (Not to mention several properties and many other things.)

In other words: it is imho impossible to run even a single Groovy program without giving it some permissions.

bye Jochen
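
The two checks discussed in this thread, as an added example that is not code from either poster or from Groovy: package access on `Class.forName` and the `accessDeclaredMembers` check on `getDeclaredMethods`. The class name `SandboxChecksDemo` and the `probe` helper are hypothetical; it assumes a JDK where the Security Manager is still available and the default policy, started with `java -Djava.security.manager SandboxChecksDemo`.

```java
import java.util.concurrent.Callable;

// Illustration only: shows which reflective operations the Security Manager
// checks for code that has been granted no extra permissions.
public class SandboxChecksDemo {

    // Hypothetical helper: runs one action and reports whether a security
    // check rejected it.
    static String probe(Callable<?> action) {
        try {
            action.call();
            return "allowed";
        } catch (SecurityException e) {
            // AccessControlException is a SecurityException; its message
            // names the permission that was missing.
            return "denied: " + e.getMessage();
        } catch (Exception e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) {
        if (System.getSecurityManager() == null) {
            System.out.println("No security manager installed; nothing is checked.");
        }

        // Class in an ordinary package: no package-access restriction applies.
        System.out.println("Class.forName(java.util.ArrayList): "
                + probe(() -> Class.forName("java.util.ArrayList")));

        // Class in a package listed in the 'package.access' security property:
        // loading it needs RuntimePermission "accessClassInPackage.sun.misc".
        System.out.println("Class.forName(sun.misc.Unsafe):     "
                + probe(() -> Class.forName("sun.misc.Unsafe")));

        // Public members only: no accessDeclaredMembers check.
        System.out.println("String.class.getMethods():          "
                + probe(() -> String.class.getMethods()));

        // Declared (including private) members of a class from another class
        // loader: needs RuntimePermission "accessDeclaredMembers". This is the
        // call a dynamic-language runtime relies on to mirror unknown classes.
        System.out.println("String.class.getDeclaredMethods():  "
                + probe(() -> String.class.getDeclaredMethods()));
    }
}
```

Granting the missing permissions to a specific jar is done in the security policy file, which is the "modified security policy" referred to above.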

