|
| From: | Bryce McKinlay |
| Subject: | Re: question about serialization |
| Date: | Mon, 4 Aug 2003 21:02:03 +1200 |
On Monday, Aug 4, 2003, at 19:57 Pacific/Auckland, Chris Gray wrote:
Sure. But to call AccessibleObject.setAccessible() you needReflectPermission, which the user code that initiated serialisation does not necessarily have. So the java.io serialisation stuff needs to have thispermission, and it seems to me that it needs to call AccessibleObject.setAccessible() from inside a PrivilegedAction.
Isn't the security context of any given class is based on which ClassLoader that loaded the class, rather than what called it? Since ObjectOutputStream etc should always be loaded by the system classloader, it doesn't need a PrivilegedAction. ie: regardless of the code that calls it, the ObjectOutputStream class itself always has full privileges (assuming the default security policies). Note that the serialization classes have their own security checks to prevent them being used maliciously by untrusted code.
Granting AllPermission to everything loaded by the system class loader is IMHO acceptable, *iff* by system class loader you mean the class loader which loads java.* classes from a trusted location. Not to be confused with the application class loader which loads from the -classpath, which is the onereturned by ClassLoader.getSystemClassLoader() (aaargh).
By default, the application/system class loader gets all permissions - why would you want to restrict access the access of applications?
Regards, Bryce.
| [Prev in Thread] | Current Thread | [Next in Thread] |