river-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gregg Wonderly <gregg...@gmail.com>
Subject Re: [DISCUSS] Proposed fix for RIVER-149 - ServerContext should not rely on system classloader
Date Mon, 28 Nov 2011 16:16:17 GMT
On 11/27/2011 6:31 PM, Greg Trasuk wrote:
> Hi all:
>
> I've attached a patch to RIVER-149
> (https://issues.apache.org/jira/browse/RIVER-149), to switch to usage of
> the current thread's context classloader.
>
> I realize that commit-then-review is the usual practice, but since
> classloading is fundamental to Jini, I thought I'd seek review first.
>
> The JIRA comments give a good background on the bug and the patch.
One of the things that I wondered when looking at this, was if we wanted to make 
use of a permission which involved the class name that will be loaded.  In a 
sense, that's a pretty big barrier for ease of use, but it does provide a 
control point to deal with security issues.  The use of the "jars" that the 
class loader is using, is an externally configured bit.  So, from a permission 
perspective, there has already be a form of a "grant" made.   The question is, 
whether or not the use of a specific SPI class is another control point, worth 
using.

Gregg Wonderly

Mime
View raw message