This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
Summary: | Dangerous reflection access to sun.misc.JavaNetAccess by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected! | ||
---|---|---|---|
Product: | javaee | Reporter: | Jiri Skrivanek <jskrivanek> |
Component: | JSP Parser | Assignee: | Petr Jiricka <pjiricka> |
Status: | VERIFIED FIXED | ||
Severity: | normal | CC: | jhavlin |
Priority: | P3 | ||
Version: | 7.3 | ||
Hardware: | PC | ||
OS: | Windows 7 | ||
Issue Type: | DEFECT | Exception Reporter: |
Description
Jiri Skrivanek
2012-09-20 12:09:20 UTC
I'm not sure whether the reflection access is correct. Please evaluate. If it is correct, consider adding a new item to whitelist in method TopSecurityManager.createCallerWhiteList, module o.n.bootstrap. See http://hg.netbeans.org/core-main/rev/3068362b02f0 for inspiration. Thank you. Yes, reflection access is correct. The code in question (reset method in WebAppParseSupport.ParserClassLoader) uses reflection to close the classloader, to avoid jar locking problems on JDK prior to version 7. There is no other way to do this on JDK 6 and earlier. From JDK 7, this is no longer needed, as there is official API to close URLClassLoader. See this link for the background: http://docs.oracle.com/javase/7/docs/technotes/guides/net/ClassLoader.html I added org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader to the whitelist - is that ok Jardo? http://hg.netbeans.org/web-main/rev/a5ce0913dbf9 I am assuming this is fixed, but since there are no steps to reproduce, could you please verify Jirko? Thanks. > I added
> org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader
> to the whitelist - is that ok Jardo?
> http://hg.netbeans.org/web-main/rev/a5ce0913dbf9
It is OK.
Integrated into 'main-golden', will be available in build *201212170919* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress) Changeset: http://hg.netbeans.org/main-golden/rev/a5ce0913dbf9 User: Petr Jiricka <pjiricka@netbeans.org> Log: #218690 - adding classloader used by JSP parser to the whitelist for sun.misc |