[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bug in java.security.SecureClassLoader?
From: |
Mark Wielaard |
Subject: |
Re: Bug in java.security.SecureClassLoader? |
Date: |
13 Aug 2002 23:31:44 +0200 |
Hi,
On Tue, 2002-08-06 at 22:09, Philip Fong wrote:
> The behavior of java.security.SecureClassLoader seems to differ from
> that specified in Java 1.3.1 API spec. According to the API spec,
> method defineClass(String, byte[], int, int, CodeSource) may
> optionally ignore the CodeSource argument if it is null. In the
> 0.04 release, a null CodeSource will cause a NullPointerException
> inside getPermissions. I checked with the cvs just now, and
> it looks like the problem has not been solved. Attached is
> a small patch that fix this. Is this the right way of doing
> it?
>
> Also, the fix also remove the catching of ClassFormatError. That
> error is raised if the classfile is corrupted, and IMHO such a serious
> error should propagate upward to the caller. Am I understanding
> correctly?
Yes. The old behavior was clearly broken.
I applied this patch to CVS.
2002-08-13 Philip Fong <address@hidden>
* java/security/SecureClassLoader.java (SecureClassLoader): Only
create ProtectionDomain when CodeSource is not null. Don't catch and
ignore ClassFormatError.
Thanks,
Mark