jspwiki-dev mailing list archives

From "Janne Jalkanen (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JSPWIKI-155) Allow customisation of core classes via ClassUtil.getMappedObject
Date Thu, 24 Jan 2008 23:12:35 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562287#action_12562287 ]

Janne Jalkanen commented on JSPWIKI-155:

Ever heard of AOP?  That's what it is - a very light-weight AOP framework.

And since anyone can just put in a class in a JAR file and prefix it with "a_" or something
and get whichever class they want instantiated, it does not break anything that wouldn't already
be fundamentally broken.  Really.

AOP is and can be highly useful.  Granted, many of the classes cannot be overridden, but some
of them can and should be (such as the renderers).  And it would be awfully complicated to
make a new property for each and every thing that you want to change.

Note that since you can already override functionality in jspwiki.properties, and any plugins
get first-tier access to JSPWiki internals, I am very hard-pressed to see exactly what kind
of a security disaster this could be.

> Allow customisation of core classes via ClassUtil.getMappedObject
> -----------------------------------------------------------------
>                 Key: JSPWIKI-155
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-155
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Core & storage
>    Affects Versions: 2.6.0
>            Reporter: Simon Kitching
>            Priority: Minor
> The WikiEngine class uses the ClassUtils.getMappedObject method to locate its critical helper objects, rather than just call "new".
> The intention of this existing code is for people to be able to override the core implementations with custom ones - with the warning that these core objects do not have stable public apis, and may change in any release. Unfortunately because (a) the returned object is cast to a concrete type, and (b) many of these concrete types are declared "final" this facility is actually almost useless.
> It would be nice for the "final" to be removed from these classes, and from their member methods so that getMappedObject becomes useful. Alternately, interfaces could be created for the concrete classes that WikiEngine currently uses, and all code modified to use the interface instead; the existing implementations could then remain final. That approach is much more intrusive though.
> Note that in discussions on the email lists it has been suggested that the "final" qualifier on these classes helps make jspwiki more secure. Personally I'm not at all convinced that is true though.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
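
The interface-based alternative from the issue description, as an added example that is not part of the original message and is not JSPWiki code: a class-name mapping resolves a replacement, and the factory refuses any replacement that does not implement the expected interface, so the shipped implementations can stay final. `Renderer`, both renderer classes, the `MAPPINGS` table and this `getMappedObject` signature are hypothetical stand-ins.

```java
import java.util.Map;

public class MappedObjectDemo {
    // Hypothetical extension point; JSPWiki's real classes are not reproduced here.
    interface Renderer { String render(String wikiText); }

    // The shipped implementation can remain final because callers hold the interface.
    static final class DefaultRenderer implements Renderer {
        public String render(String t) { return "<p>" + t + "</p>"; }
    }

    // A site-specific override supplied through the mapping.
    static final class UpperCaseRenderer implements Renderer {
        public String render(String t) { return "<p>" + t.toUpperCase() + "</p>"; }
    }

    // Constructed mapping: requested class name -> replacement class name.
    static final Map<String, String> MAPPINGS = Map.of(
        DefaultRenderer.class.getName(), UpperCaseRenderer.class.getName(),
        "demo.Unrelated", "java.lang.StringBuilder");

    // Resolve the requested name through the mapping, then instantiate it,
    // rejecting any replacement that is not a subtype of the expected type.
    static <T> T getMappedObject(String requested, Class<T> expected)
            throws ReflectiveOperationException {
        String actual = MAPPINGS.getOrDefault(requested, requested);
        Class<?> cls = Class.forName(actual);
        if (!expected.isAssignableFrom(cls)) {
            throw new ClassCastException(
                actual + " does not implement " + expected.getName());
        }
        return expected.cast(cls.getDeclaredConstructor().newInstance());
    }

    public static void main(String[] args) throws Exception {
        // The mapped override is returned in place of the default.
        Renderer r = getMappedObject(DefaultRenderer.class.getName(), Renderer.class);
        System.out.println(r.render("hello"));
        // A mapping to an unrelated class fails before anything is instantiated.
        try {
            getMappedObject("demo.Unrelated", Renderer.class);
        } catch (ClassCastException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The type check constrains what a mapping can substitute; it does not decide who is allowed to edit the mapping or place classes on the classpath.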
