Jim Halfpenny on the Webappsec list has discovered that BEA's JRockit JDK _does_ use verification by default; his complete post is quoted below (the test was to access private methods on a class):

Hi,

BEA JRockit verifies by default and as far as I am aware does not offer a -noverify option.

$ java -cp . verifytest2.Main
java.lang.IllegalAccessError: getName
        at verifytest2/Main.<init>()V(Main.java:???)
        at verifytest2/Main.main([Ljava/lang/String;)V(Main.java:12)

Tested with JRockit 1.4.2_08.

Regards,
Jim Halfpenny

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php