Hi, Jukka Zitting schrieb: > Hi, > > On Wed, Apr 22, 2009 at 2:22 PM, Tobias Bocanegra <[email protected]> wrote: >> System.exit() bears IMO no real risk, since it can be prevented by >> java security. > > I'd like to see the relevant java security settings. With all the OSGi > stuff, JCR bundle loading, and script compiling in place I think > coming up with a correct security policy is a major undertaking. > > Do we want to go down that path, or use alternative means like the > proposed script resolution restrictions?
The result is different: with Java security, we do not prevent anyone from injection scripts in the "wrong" location. With the path alternative we do not prevent anyone from calling System.exit(0). So, it depends on what you want ;-) I think, the first thing might be better to be approached first. Though I would prefer the "execution permission" approach over the path based approach, I think the path based approach is probably easier to implement. Regards Felix
