Details
-
Type:
Bug
-
Status:
Resolved
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: None
-
Fix Version/s: 2.5.12
-
Component/s: None
-
Labels:None
-
Environment:Janino 2.5.9, Java Webstart, jnlp file includes all-permissions
-
Patch Submitted:Yes
-
Number of attachments :
Description
Under webstart, Janino compiled code does not inherit the protection domain of the current code and causes the SecurityManager to throw AccessControlException when doing something non-trivial, e.g. network access.
The same bug was found and fixed in Jel recently. The original report is here:
http://www.nabble.com/-Help-jel--java.security.AccessControlException-t4579923.html
The fix is a one-liner. When calling defineClass, the protection domain must be specified. In the Janino codebase 2.5.9, ByteArrayClassLoader, line 87 should be changed to add an extra parameter:
return super.defineClass(
name,
data, 0, data.length,
this.getClass().getProtectionDomain() // add this line
);
The original Jel report includes a nice test case.
Done; please test.