classpath
Re: question about serialization


From: Chris Gray
Subject: Re: question about serialization
Date: Mon, 4 Aug 2003 09:57:32 +0200

On Monday 04 August 2003 01:53, Bryce McKinlay wrote:
> On Saturday, Aug 2, 2003, at 01:46 Pacific/Auckland, David P Grove wrote:
> > Hi Tom,
> >
> >         We've had security manager checks in the reflection code in
> > Jikes RVM for a while.  Our current workaround for serialization is
> > that classes loaded by the system classloader are always allowed
> > access.  This is probably too big of a hole, but it does work in
> > practice.  The key routine for us is in
> > java.lang.reflect.JikesRVMSupport (appended below).   If you come up
> > with a finer-grained fix for libgcj, let me know -- I'm not that happy
> > with what we are currently doing in Jikes RVM.
>
> AccessibleObject.setAccessible() is the correct way for serialization
> to get access to private reflection data. See:
>
> http://java.sun.com/j2se/1.4.2/docs/guide/reflection/reflection.html

Sure.  But to call AccessibleObject.setAccessible() you need 
ReflectPermission, which the user code that initiated serialisation does not 
necessarily have.  So the java.io serialisation stuff needs to have this 
permission, and it seems to me that it needs to call 
AccessibleObject.setAccessible()  from inside a PrivilegedAction.

Granting AllPermission to everything loaded by the system class loader is 
IMHO acceptable, *iff* by system class loader you mean the class loader which 
loads java.* classes from a trusted location.  Not to be confused with the 
application class loader which loads from the -classpath, which is the one 
returned by ClassLoader.getSystemClassLoader() (aaargh).

-- 
Chris Gray                                /k/ Embedded Java Solutions
Embedded & Mobile Java, OSGi              http://www.kiffer.be/k/
address@hidden                      +32 477 599 703
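The two points in the message above, shown as an added example that is not part of the original thread, of GNU Classpath, libgcj or Jikes RVM: a trusted serializer calling AccessibleObject.setAccessible() inside a PrivilegedAction so that the caller's own lack of ReflectPermission does not matter, and a check that tells the bootstrap loader (which loads java.* from the trusted location and is reported as null by getClassLoader()) apart from the application loader returned by ClassLoader.getSystemClassLoader(). The Account class, the field name "owner" and the two helper methods are assumptions made for this illustration. The code targets Java 5 or later; note that the SecurityManager and AccessController machinery it relies on is deprecated for removal as of Java 17.

```java
import java.io.Serializable;
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

public class PrivilegedReflection {

    /** Sample serializable class with a private field, constructed for this example. */
    static final class Account implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String owner = "alice";
    }

    /**
     * Reads a private field the way trusted java.io serialization code would:
     * the setAccessible() call runs inside doPrivileged, so the permission
     * check stops at this class (assumed to hold ReflectPermission
     * "suppressAccessChecks") instead of walking the whole stack down to the
     * user code that initiated serialization.
     */
    static Object readPrivateField(final Object target, final String name)
            throws PrivilegedActionException {
        return AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
            public Object run() throws Exception {
                Field f = target.getClass().getDeclaredField(name);
                f.setAccessible(true); // requires ReflectPermission("suppressAccessChecks")
                return f.get(target);
            }
        });
    }

    /**
     * The same access without the privileged block. With a SecurityManager
     * installed, every frame on the stack must hold ReflectPermission, so an
     * unprivileged caller gets a SecurityException here even though this
     * class itself is trusted.
     */
    static Object readPrivateFieldUnprivileged(Object target, String name) throws Exception {
        Field f = target.getClass().getDeclaredField(name);
        f.setAccessible(true);
        return f.get(target);
    }

    /**
     * True only for classes loaded by the bootstrap loader, i.e. java.* classes
     * from the trusted location. The JDK reports that loader as null.
     */
    static boolean loadedByBootstrap(Class<?> c) {
        return c.getClassLoader() == null;
    }

    /**
     * True for classes loaded from -classpath. Despite its name,
     * getSystemClassLoader() returns the application loader, not the
     * bootstrap loader, which is the confusion the message warns about.
     */
    static boolean loadedByApplicationLoader(Class<?> c) {
        return c.getClassLoader() == ClassLoader.getSystemClassLoader();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readPrivateField(new Account(), "owner"));
        System.out.println(loadedByBootstrap(String.class));
        System.out.println(loadedByApplicationLoader(String.class));
        System.out.println(loadedByApplicationLoader(PrivilegedReflection.class));
    }
}
```

Run it once without a SecurityManager and both read methods succeed; run it with `-Djava.security.manager` and a policy that grants ReflectPermission only to the code base holding this class, and only the doPrivileged variant still works when called from unprivileged code. The loader checks show why granting AllPermission to "the system class loader" is only safe if that phrase means the loader for which getClassLoader() returns null, not the one getSystemClassLoader() returns.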



