[icedtea-web] URLPermission in Java 8
Andrew Azores
aazores at redhat.com
Wed Jun 18 17:06:57 UTC 2014
On 06/18/2014 12:59 PM, Omair Majid wrote:
> * Andrew Azores <aazores at redhat.com> [2014-06-18 12:55]:
>> Do we really want to exclude this permission from the reported set of
>> permissions in the applet's SecurityDesc?
>
> I am not sure what you mean by 'reported set'.
The result of SecurityDesc#getSandboxPermissions. If we add the
URLPermission once, in the ClassLoader, then calling
SecurityDesc#getSandboxPermissions will return a result that does not
actually match the conceptual sandbox permissions set.
>
> If you mean keeping this permission separate from others, then
> Code-wise, it's not ideal. But this might be better for performance if
> we stop icedtea-web from re-computing the same permissions multiple
> times and only apply the static permissions once, at class creation
> time.
We can also stop from having to perform a class lookup and stop from
having to do any real computing by simply storing a reference to the
URLPermission class and constructor, if they exist, when the
SecurityDesc is created. Then the reflection cost is only paid once,
too, but the permission lives in IMO the correct location and can also
be included in the result of #getSandboxPermissions.
>
>> Because setting it directly in the ClassLoader instead means that
>> further attempts to determine the sandbox set applied to the applet
>> will be incomplete if done through SecurityDesc, which doesn't sound
>> good to me.
>
> I don't follow. What is the 'sandbox set'?
The default set of permissions granted to all applets, even sandboxed ones.
>
> Thanks,
> Omair
>
Thanks,
--
Andrew Azores
More information about the distro-pkg-dev
mailing list