[Jython-users] security problem

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

I'm using Java's security framework with the jdk1.2.2 and have noticed
that all of my python classes appear to have all of the permissions I've
granted to Jython, even though I haven't granted any permissions to the
python classes explicitly. I'm rather new to Java security, but it looks
to me like the problem lies in the org.python.core.BytecodeLoader2 class
in that, in the loadClassFromBytes method, it sets the protection domain
of the loaded class to its _own_ protection domain rather than consulting
the active security policy for an appropriate domain based on the code
source.

The python classes in my application are untrusted, so it's very
undesirable for them to have the same permissions as the Jython jar (which
includes write access so that the compiled python classes can be written
to disk).

Any help would be appreciated.

Thanks,
Neil

Computer Science is no more about computers than
astronomy is about telescopes. -- E. W. Dijkstra 