This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
Observed in release330 nov 30, i.e. more or less RC1. Select ColorPreview in the sampledir and customize bean. When the dialog appears, three properties "red", "green", "blue" are shown in the Property Sheet. Try to set "blue" to "33". A security exception is shown. I'm not sure if this applies to *all* customizations of user beans, but I don't see anything unusual about this bean. My analysis: (1) The immediate cause is the fix for issue 11679. (2) More generally, BeanNode.PropL.propertyChange can be called from unprivileged user code. Since it in turn fires changes to IDE code, it should probably use AccessController.invokePrivileged. (3) PS.R.getValue should probably *not* use invokePrivileged unless someone can show that this would not be a security hole.
Created attachment 3641 [details] Log file
What about try { // invoking the method without setting accessible } catch (IllegalAccessException ex) { AccessController.invokePrivileged( {... method.setAccessible(true); method.invoke(..); .. } } Again it is just a hack of JDK bug.
Will try Jesse's suggestion and if it works well will integrate on Monday.
PropertySupport 1.13.18.1 (release33 branch). Please note that I have used suggestions from both of you. First I added setAccessible only if regular invocation fails. Second I am not calling the invoke method from under doPrivileged and thus I am not creating any security hole. Could you guys make a code review for me to get this fix into release330? Thanks a lot for a prompt reply.
Making 3.3.0 candidate. Please note that there can be other security exceptions when using customize bean - for example when the bean is a java.awt.Window. But those should probably be filed separately.
Verified in build#200112040330 (release33).
Fixed in release330. Target milestone 3.3.
Resolved for 3.4.x or earlier, no new info since then -> closing.