frjaeger220 / google-guice

Automatically exported from code.google.com/p/google-guice
Apache License 2.0
0 stars 0 forks source link

DefaultConstructionProxyFactory can throw SecurityException #64

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I accidentally ended up trying to inject a Class object, whose constructor
can't be made accessible by 'setAccessible(true)' (currently line 40 of
this class).  We should catch this SecurityException and rethrow with one
of our trademark helpful error messages. :)

Original issue reported on code.google.com by kevin...@gmail.com on 14 Mar 2007 at 3:48

GoogleCodeExporter commented 9 years ago
Hmmmmm, why wouldn't setAccessible() work?

Original comment by crazybob...@gmail.com on 15 Mar 2007 at 12:53

GoogleCodeExporter commented 9 years ago
Assuming you have permissions (Kevin does).

Original comment by crazybob...@gmail.com on 15 Mar 2007 at 2:34

GoogleCodeExporter commented 9 years ago
other than a SecurityManager? nothing should... is there a specific message?
conceivably something viral like a class being loaded as a result of the call 
might?
Im really reaching tho...

Original comment by dha...@gmail.com on 15 Mar 2007 at 4:14

GoogleCodeExporter commented 9 years ago
oops, said my last comment in email only.  

Guice ended up trying to construct an instance of the class java.lang.Class.  
It was
an accident, and no way is java gonna let you just setAccessible() on that 
thing, and
let's be glad for that. :)

Anyway, apart from the java.lang.Class example, we ought to make sure that guice
always reports problems helpfully, no matter what the security manager.

Original comment by kevin...@gmail.com on 15 Mar 2007 at 4:22

GoogleCodeExporter commented 9 years ago

Original comment by limpbizkit on 5 Jun 2008 at 6:17

GoogleCodeExporter commented 9 years ago
Only Class.class and Constructor.class disallow setAccessible. These cases were 
indirectly fixed when we 
disallowed private no-arg constructors that weren't annotated with @Inject.

For the general SecurityManager case, this is probably not worth the effort. I 
tried to write a test that uses a 
SecurityManager, but it seems that almost anything we do has the potential of 
throwing a SecurityException. For 
example, looking up the annotations on a type indirectly requires the reflect 
permission.

Original comment by limpbizkit on 12 Jul 2008 at 5:18