commons-dev mailing list archives

From "Craig McClanahan" <craig...@apache.org>
Subject Re: [BeanUtils] Why does needs the method declaring a class to be public
Date Thu, 23 Nov 2006 10:33:33 GMT
On 11/23/06, Tom Schindl <listom@bestsolution.at> wrote:
>
> Hi,
>
> the problem is not the methods' visibility: the methods in the sub-class
> are public but their class declaration is not, and you can call them if
> you method.setAccessible(true). I've currently modified BeanUtils in my
> project and it works perfectly.


This solution will work (by default) ... until you try it on a server where
a security manager with rational policies is enabled by default (such as had
*better* be the case, for example, in a server environment that shares a JVM
across multiple third party webapps).  If you don't think this is important,
you might as well be coding in a scripting language, because you are giving
up one of the key advantages of using a strongly typed language like Java.

Note that I am not at all dissing the choice to use such a language ... but
you should be aware of what you give up to gain the corresponding benefits.
Therefore I would be pretty unhappy with a proposal to make BeanUtils do
this sort of thing by default, without some deliberate choice by the
application developer (thereby explicitly accepting the security
vulnerabilities that come with setAccessible() working as described here).

> Tom


Craig
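To illustrate the point of this exchange, here is an added example (written for this page, not code from BeanUtils or from either poster). The JDK's own `Collections.unmodifiableList` result is exactly the case under discussion, a public method declared in a non-public class, and the helper mirrors the approach that BeanUtils' `MethodUtils.getAccessibleMethod` takes: look the method up on a public interface or superclass instead of calling `setAccessible(true)`. Assumes Java 8 or later; what step 2 prints depends on the JDK version and on the security manager policy in force.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class AccessibleMethodDemo {
    // Find a method of this name/signature reachable through a public type (the
    // class, a public interface or a public superclass); simplified re-implementation.
    static Method findAccessibleMethod(Class<?> clazz, String name, Class<?>... params) {
        if (Modifier.isPublic(clazz.getModifiers())) {
            try {
                Method m = clazz.getMethod(name, params);
                if (Modifier.isPublic(m.getDeclaringClass().getModifiers())) return m;
            } catch (NoSuchMethodException ignored) { /* keep searching */ }
        }
        for (Class<?> iface : clazz.getInterfaces()) {
            Method m = findAccessibleMethod(iface, name, params);
            if (m != null) return m;
        }
        Class<?> parent = clazz.getSuperclass();
        return parent == null ? null : findAccessibleMethod(parent, name, params);
    }

    public static void main(String[] args) throws Exception {
        // Constructed bean: the JDK hands back a package-private class
        // (Collections$UnmodifiableRandomAccessList) whose public size() is declared in a non-public class.
        List<String> bean = Collections.unmodifiableList(Arrays.asList("a", "b", "c"));
        // 1. Public method, non-public declaring class: invoke() is refused
        //    from outside java.util.
        Method direct = bean.getClass().getMethod("size");
        try {
            direct.invoke(bean);
        } catch (IllegalAccessException e) {
            System.out.println("direct invoke refused: " + e.getMessage());
        }
        // 2. setAccessible(true) bypasses that on a default JVM; a security
        //    manager lacking ReflectPermission("suppressAccessChecks") throws
        //    SecurityException, JDK 16+ encapsulation InaccessibleObjectException.
        try {
            direct.setAccessible(true);
            System.out.println("via setAccessible: " + direct.invoke(bean));
        } catch (RuntimeException e) {
            System.out.println("setAccessible refused: " + e.getClass().getSimpleName());
        }
        // 3. No override needed: the same size() via the public java.util.List.
        Method safe = findAccessibleMethod(bean.getClass(), "size");
        System.out.println("via " + safe.getDeclaringClass().getName() + ": " + safe.invoke(bean));
    }
}
```

Step 3 succeeds under any policy because `java.util.List` is public, which is why resolving through public types is the portable fix rather than suppressing access checks.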
