When you load a class the vm may execute any static initializers in
that class, and that can lead to Bad Things(tm). Basically, you give
a hacker an easy way to get arbitrary code loaded and executed.
One other issue is that it is wicked slow to load lots of classes as
the vm must parse the entire class and perform byte code
verification. With asm you don't have to parse the entire class
since you are just interested in annotations on class declarations.
-dain
On Oct 27, 2006, at 12:56 PM, Alan D. Cabrera wrote:
Interesting. Can you provide detail about your security comment
and how asm figures into this?
Regards,
Alan
Sent from my Verizon Wireless BlackBerry
-----Original Message-----
From: David Blevins <[EMAIL PROTECTED]>
Date: Fri, 27 Oct 2006 12:13:39
To: [email protected]
Subject: xbean-finder: ClassFinder
So added a finder for searching for classes that have a specific
annotation, etc. It's there, it works and is better than some of the
code I've seen that does the same, but... I still hate it as, like all
the approaches I've seen, it loads the classes and uses reflection to
determine if the annotation is present.
This is the most insecure code I can think of, so I'm yanking it in
lieu of an asm-based approach. So take this as your warning not to
start consuming the ClassFinder just yet.
-David
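
Added example, not part of the original thread and not xbean-finder code: a sketch of the asm-based approach discussed above, reading class-level annotations from the raw .class bytes so the class is never defined or initialized. It assumes a current ASM release (org.objectweb.asm, 9.x, supporting your JDK's class-file version) on the classpath; the names AnnotationScan, Marker, Untrusted and classAnnotations are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.util.ArrayList;
import java.util.List;
import org.objectweb.asm.AnnotationVisitor;
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.Opcodes;

public class AnnotationScan {
    @Retention(RetentionPolicy.RUNTIME)
    @interface Marker {}   // hypothetical annotation to search for

    @Marker
    static class Untrusted {   // constructed stand-in for a class from an untrusted jar
        // Would run if the scanner loaded and initialized the class; must never print.
        static { System.out.println("static initializer ran"); }
    }

    /** Returns descriptors of annotations on the class declaration, read from raw bytes. */
    static List<String> classAnnotations(InputStream classFile) throws IOException {
        List<String> found = new ArrayList<>();
        ClassReader reader = new ClassReader(classFile);
        reader.accept(new ClassVisitor(Opcodes.ASM9) {
            @Override
            public AnnotationVisitor visitAnnotation(String descriptor, boolean visible) {
                found.add(descriptor);
                return null;   // annotation values are not needed, so do not visit them
            }
        // Skip method bodies, debug info and stack frames: only the declaration matters.
        }, ClassReader.SKIP_CODE | ClassReader.SKIP_DEBUG | ClassReader.SKIP_FRAMES);
        return found;
    }

    public static void main(String[] args) throws IOException {
        // The .class file is located by name only; Untrusted is never referenced as a
        // type here, so the VM has no reason to load or initialize it.
        try (InputStream in =
                 AnnotationScan.class.getResourceAsStream("AnnotationScan$Untrusted.class")) {
            List<String> annotations = classAnnotations(in);
            System.out.println(annotations);
            System.out.println(annotations.contains("LAnnotationScan$Marker;"));
        }
    }
}
```

The same classAnnotations method can be fed each entry of a jar via java.util.jar.JarFile, which keeps untrusted classes as inert bytes for the whole scan.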