incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Jaquith (JIRA)" <>
Subject [jira] Commented: (JSPWIKI-155) Allow customisation of core classes via ClassUtil.getMappedObject
Date Thu, 24 Jan 2008 22:56:35 GMT


Andrew Jaquith commented on JSPWIKI-155:

Now that I understand the capabilities of getMappedObject() better, I am going to go on record
and say that this feature was and is a very bad, bad idea. I know that it was meant as a developer
feature. But I think it's fundamentally dangerous, because it could totally subvert what classloading
is supposed to be all about. I have never seen or heard of any other mature Java project that
does anything like this -- and there's probably a good reason for that. 

Based on the e-mail trail that we've had so far, it is clear that this bug is masking another:
namely, a problem Simon's having getting JSPWiki working with ACEGI. That's the root of this,
right? If so, let's fix that bug, not this one, and make a dangerous feature even worse.

I recommend in the strongest, most unambiguous terms that we close this bug as "won't fix."
Moreover, I'd like to suggest that we completely remove the class-mapping features of ClassUtil.
I acknowledge its power for certain developers, but it is a security disaster waiting to happen.
Developer convenience features shouldn't be in production code.

> Allow customisation of core classes via ClassUtil.getMappedObject
> -----------------------------------------------------------------
>                 Key: JSPWIKI-155
>                 URL:
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Core & storage
>    Affects Versions: 2.6.0
>            Reporter: Simon Kitching
>            Priority: Minor
> The WikiEngine class uses the ClassUtils.getMappedObject method to locate its critical
helper objects, rather than just call "new".
> The intentention of this existing code is for people to be able to override the core
implementations with custom ones - with the warning that these core objects do not have stable
public apis, and may change in any release. Unfortunately because (a) the returned object
is cast to a concrete type, and (b) many of these concrete types are declared "final" this
facility is actually almost useless.
> It would be nice for the "final" to be removed from these classes, and from their member
methods so that getMappedObject becomes useful. Alternately, interfaces could be created for
the concrete classes that WikiEngine currently uses, and all code modified to use the interface
instead; the existing implementations could then remain final. That approach is much more
intrusive though.
> Note that in discussions on the email lists it has been suggested that the "final" qualifier
on these classes helps make jspwiki more secure. Personally I'm not at all convinced that
is true though.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message