That's not how Java security works. The requested permission must be
possessed by all code on the stack (otherwise, a less privileged code
could escalate its privileges by calling more trusted code). Another
way to say this is that the effective set of permissions at the point
of execution is the intersection of its privileges and the privileges
of all its callers. Or, more precisely speaking, it is not "all its
callers" but rather "all its callers until most recent doPrivileged()
call on the stack", and this is probably what in your case we'll need
to institute - a carefully administered sprinkle of doPrivileged()
calls. I need to go to bed now, but I'll investigate your case further
tomorrow.
Attila.
On 2009.02.18., at 21:13, [email protected] wrote:
The question is, why do I need to give codeBase "http://acme.com/
scripting"
these permissions? The script itself does not read any files.
importPackage(java.lang);
var demo = {};
demo.add99 = function( changeNumberForm ) { }
It looks like some of the java code in the org.mozilla.javascript
package is
running with the permissions of codeBase "http://acme.com/scripting";
rather
than the permissions of the caller.
_______________________________________________
dev-tech-js-engine-rhino mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-js-engine-rhino
