geronimo-xbean-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Blevins <>
Subject Re: xbean-finder: ClassFinder
Date Fri, 27 Oct 2006 20:24:25 GMT
You have to load the classes to use reflection, static initializers  
run when the class is loaded.  So you're quite literally loading and  
executing completely unknown code while you scrape the classpath for  
annotations.  ASM parses the class file, but doesn't load it.


On Oct 27, 2006, at 12:56 PM, Alan D. Cabrera wrote:

> Interesting.  Can you provide detail about your security comment  
> and how asm figures into this?
> Regards,
> Alan
> Sent from my Verizon Wireless BlackBerry
> -----Original Message-----
> From: David Blevins <>
> Date: Fri, 27 Oct 2006 12:13:39
> Subject: xbean-finder: ClassFinder
> So added a finder for searching for classes that have a specific
> annotation, etc.  It's there it works and is better than some of the
> code i've seen that does the same, but... I still hate it as like all
> the approaches I've seen it loads the classes and uses reflection to
> determine if the annotation is present.
> This is the most insecure code I can think of, so I'm yanking it in
> leu of an asm-based approach.  So take this as your warning not to
> start consuming the ClassFinder just yet.
> -David

View raw message