If I understand AccessController.doPrivileged correctly, it is saying that untrusted code should be able to invoke methods requiring permissions (such as System.getProperty()
) through an intermediate method that does have permissions.
That brings up the question: when should AccessController.doPrivileged()
be used? When should untrusted code be allowed to invoke privileged code through intermediate methods? When should it fail?
Following your reasoning, please explain why ClassLoader creation should always be allowed: http://findbugs.sourceforge.net/bugDescriptions.html#DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED
See Question&Answers more detail:os