users@glassfish.java.net

Security wrt runtime permissions and createClassLoader

From: Paul G. Szabady <paul_szabady_at_unc.edu>
Date: Mon, 18 May 2009 23:20:23 +0000

Greetings,

One of our developers is trying to run a jasper report through his app to generate a pdf and gets the following error.

java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)

Is there a safe way to allow him to the access he would need to load the class(es) that jasper wants?

After a bit of research, I must say I'm a bit concerned.

 From Sun's website
(http://java.sun.com/developer/onlineTraining/Programming/JDCBook/appA.html#RuntimePermission):

createClassLoader: This target grants permission to create a class
loader. Granting this permission might allow a malicious application to
instantiate its own class loader and load harmful classes into the
system. Once loaded, the class loader could place these classes into any
protection domain and give them full permissions for that domain.

Thoughts / suggestions?

--
Paul G. Szabady
Web Systems Manager
IT Infrastructure and Operations
University of North Carolina at Chapel Hill
919.966.5862