[EMAIL PROTECTED]

> -----Original Message-----
> From: Rickard Öberg [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, March 01, 2000 2:04 PM
> To:   EJBoss
> Subject:      Re: File system access
> 
> Hey
> 
> Larry Sanderson wrote:
> > Any class used by a bean is subject to any existing SecurityManager. The
> > security manager in place is supposed to throw a SecurityException for any
> > anti-EJBSpec access.  If you try to load a JDBC driver from your bean code,
> > it should fail like anything done directly in the bean, even if it is "nice".
> > The only classes that have more privileges are the ones provided by the
> > server (like the ones you do a JNDI lookup on, like a Resource Factory
> > Reference - javax.sql.DataSource)
> 
> This is incorrect. Whether or not a class will succeed in doing
> restricted operations is dependent on two things:
> * If it has the right permissions - which ultimately depends on which
> classloader it was loaded with
> * If it uses doPrivileged blocks around the tricky parts that require
> permissions
> 
> So, if an EJB creates an object from a class that is loaded by the
> system classloader, or really any classloader that is != the
> EJB-classloader, and this class does doPrivileged around its hazardous
> operations, it'll work.
> 
> Read the Security API docs for more details. This is tricky stuff, and I
> had to read it a couple of times to get the idea. 
> 
> /Rickard
> 
> -- 
> Rickard Öberg
> 
> @home: +46 13 177937
> Email: [EMAIL PROTECTED]
> http://www.dreambean.com
> Question reality
> 
> 
> --
> --------------------------------------------------------------
> To subscribe:        [EMAIL PROTECTED]
> To unsubscribe:      [EMAIL PROTECTED]
> Problems?:           [EMAIL PROTECTED]


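The two conditions described in the quoted reply, as an added example that is not part of the original thread or of any server's code: the same permission check is made from a caller with no permissions, once plainly (denied) and once inside a doPrivileged block (allowed). Assumptions: a JDK from 8 to 23, where AccessController and Policy still work; the class name ServerHelper is hypothetical; the bean's protection domain is simulated with an empty AccessControlContext instead of a second classloader; the policy is constructed for the demo and trusts every normally loaded class.

```java
import java.security.*;
import java.util.PropertyPermission;

public class DoPrivilegedDemo {
    static final Permission READ_HOME = new PropertyPermission("user.home", "read");

    // Stand-in for a class loaded outside the EJB classloader (hypothetical name).
    static class ServerHelper {
        // Checks the whole call stack, including the restricted caller.
        static void plainCheck() {
            AccessController.checkPermission(READ_HOME);
        }
        // The stack walk stops here, so only ServerHelper's own domain is checked.
        static void privilegedCheck() {
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                AccessController.checkPermission(READ_HOME);
                return null;
            });
        }
    }

    // Runs the action as if called from bean code whose domain has no permissions.
    static boolean allowedFromBean(Runnable action) {
        ProtectionDomain beanDomain = new ProtectionDomain(null, new Permissions());
        AccessControlContext beanContext =
            new AccessControlContext(new ProtectionDomain[] { beanDomain });
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> {
            try {
                action.run();
                return true;
            } catch (AccessControlException denied) {
                return false;
            }
        }, beanContext);
    }

    public static void main(String[] args) {
        // Constructed policy: every class loaded normally is fully trusted.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.out.println("plain call from bean allowed:        "
            + allowedFromBean(ServerHelper::plainCheck));
        System.out.println("doPrivileged call from bean allowed: "
            + allowedFromBean(ServerHelper::privilegedCheck));
    }
}
```

Because the doPrivileged block lends the helper's permissions to whoever calls it, trusted code should keep such blocks small and validate any caller-supplied input used inside them.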
