jackrabbit-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexander Klimetschek <aklim...@day.com>
Subject Re: [jr3] Security through obscurity
Date Wed, 26 May 2010 13:45:33 GMT
IIUC, this is about "package-protected" methods and constructors vs.
"public" ones.

Package-protected is in my opinion a bad/useless feature of Java,
since it just makes it hard to (internally) reuse classes from other
packages, while you can still circumvent the security given by it by
simply putting a client class in the same package. The OSGi approach
that basically hides certain packages completely from the outside but
still lets you use them internally is IMHO the best solution so far.
It lets you use public/private on those internal classes again to
control fine-grained internal OO design, without having to do that for
the outside as well.

Security checks on behalf of the repository should be done by internal
classes that are hidden from the user at runtime, eg. via OSGi's
private package mechanism.


Alexander Klimetschek

View raw message