Janne, if you want, I can dust off Kissinger (har har) and see what's required to get it working.
I have to admit that this joke goes way over my head. I seem to recall that Monty Python had a song about a Henry Kissinger...
In the meantime, the best thing to do is start looking for code that calls methods that require privilege checks (notably file access, serialization, system properties, SQL, reflection) and put doPrivileged() blocks around them. The list of methods that require permissions is here:
Taking a quick look at Stripes (reflection) and Hibernate (SQL), neither of them has doPrivileged() blocks anywhere in the code. Does it mean that nobody can use them in standard J2EE containers? I'd wager not.
Also, don't we have to give the same permissions to *all* of the sub-libraries? Wouldn't it effectively nullify any benefit from security of the internal app, if it can access anything through external libraries?
/Janne
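
An added example, not code from this thread or from any of the projects it mentions, showing how the Java permission check treats a library call with and without a doPrivileged() block: the unwrapped call is checked against every protection domain on the stack, while the wrapped call is checked only up to the frame that called doPrivileged(). The class and method names, the empty `UNTRUSTED` context standing in for an unprivileged caller, and the allow-all `Policy` are constructed for illustration. It assumes a JDK in which the Security Manager API is still functional (it is deprecated from JDK 17 on).

```java
import java.security.*;
import java.util.PropertyPermission;

public class DoPrivilegedDemo {
    static final Permission READ_HOME = new PropertyPermission("user.home", "read");

    // Constructed stand-in for an unprivileged caller: a domain with an empty, static permission set.
    static final AccessControlContext UNTRUSTED = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

    // "Library" method with no doPrivileged(): the check covers every domain on the stack.
    static String readDirect() {
        // Explicit check, the same one a SecurityManager would trigger inside getProperty().
        AccessController.checkPermission(READ_HOME);
        return System.getProperty("user.home");
    }

    // Same call wrapped: the stack walk stops at this frame, so callers are not checked.
    static String readWrapped() {
        return AccessController.doPrivileged((PrivilegedAction<String>) DoPrivilegedDemo::readDirect);
    }

    // Runs one of the two library methods on behalf of the UNTRUSTED context.
    static String callAsUntrusted(boolean wrapped) {
        return AccessController.doPrivileged((PrivilegedAction<String>) () -> {
            try {
                return "allowed: " + (wrapped ? readWrapped() : readDirect());
            } catch (AccessControlException e) {
                return "denied: " + e.getPermission();
            }
        }, UNTRUSTED);
    }

    public static void main(String[] args) {
        // Assumption: the policy grants everything to loaded classes (this class plays the library).
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.out.println("without doPrivileged -> " + callAsUntrusted(false));
        System.out.println("with doPrivileged    -> " + callAsUntrusted(true));
    }
}
```

Because the wrapped method performs the privileged operation for any caller, code inside a doPrivileged() block should be kept as small as possible and should not let callers choose the resource being accessed.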
