Re: question about serialization
From: Chris Gray
Subject: Re: question about serialization
Date: Mon, 4 Aug 2003 09:57:32 +0200

On Monday 04 August 2003 01:53, Bryce McKinlay wrote:
> On Saturday, Aug 2, 2003, at 01:46 Pacific/Auckland, David P Grove wrote:
> > Hi Tom,
> >
> > We've had security manager checks in the reflection code in
> > Jikes RVM for a while. Our current workaround for serialization is
> > that classes loaded by the system classloader are always allowed
> > access. This is probably too big of a hole, but it does work in
> > practice. The key routine for us is in
> > java.lang.reflect.JikesRVMSupport (appended below). If you come up
> > with a finer-grained fix for libgcj, let me know -- I'm not that happy
> > with what we are currently doing in Jikes RVM.
>
> AccessibleObject.setAccessible() is the correct way for serialization
> to get access to private reflection data. See:
>
> http://java.sun.com/j2se/1.4.2/docs/guide/reflection/reflection.html

Sure. But to call AccessibleObject.setAccessible() you need
ReflectPermission, which the user code that initiated serialisation does not
necessarily have. So the java.io serialisation stuff needs to have this
permission, and it seems to me that it needs to call
AccessibleObject.setAccessible() from inside a PrivilegedAction.

Granting AllPermission to everything loaded by the system class loader is
IMHO acceptable, *iff* by system class loader you mean the class loader which
loads java.* classes from a trusted location. Not to be confused with the
application class loader which loads from the -classpath, which is the one
returned by ClassLoader.getSystemClassLoader() (aaargh).

--
Chris Gray /k/ Embedded Java Solutions
Embedded & Mobile Java, OSGi http://www.kiffer.be/k/
address@hidden +32 477 599 703
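
The pattern discussed in this message, as an added example that is not part of the original post and is not code from libgcj, Classpath or Jikes RVM: the reflective lookup and `setAccessible()` run inside `doPrivileged`, so the permission check stops at the library's own protection domain instead of reaching the calling user code. The class, method and field names are hypothetical, and `Account` is sample data constructed for the example.

```java
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical helper, written for this example only.
// AccessController is the API of the 2003 thread; it has been deprecated
// for removal since Java 17 (JEP 411) but still compiles and runs.
public final class PrivilegedFieldReader {

    // Constructed sample class with private state.
    static final class Account {
        private final String owner = "alice";
    }

    // Kept private on purpose: a public method that reads any private field
    // named by an unprivileged caller would turn this class into a confused
    // deputy. Serialization code decides itself which fields it touches.
    private static Object readPrivateField(final Object obj, final String name)
            throws Exception {
        try {
            Field f = AccessController.doPrivileged(
                new PrivilegedExceptionAction<Field>() {
                    public Field run() throws NoSuchFieldException {
                        // Both calls are permission-checked under a security
                        // manager; inside doPrivileged the stack walk stops
                        // at this class's protection domain.
                        Field field = obj.getClass().getDeclaredField(name);
                        field.setAccessible(true); // ReflectPermission("suppressAccessChecks")
                        return field;
                    }
                });
            // The accessible Field never leaves this method.
            return f.get(obj);
        } catch (PrivilegedActionException e) {
            throw e.getException(); // unwrap the checked exception from run()
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readPrivateField(new Account(), "owner"));
        // The naming trap from the last paragraph of the message:
        // java.* classes come from the bootstrap loader (reported as null),
        // while getSystemClassLoader() is the -classpath application loader.
        System.out.println(String.class.getClassLoader());
        System.out.println(ClassLoader.getSystemClassLoader());
    }
}
```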