Subj : [Rhino] security policy
To : netscape.public.mozilla.jseng
From : Jo
Date : Wed Mar 12 2003 03:34 pm

Hi,

I'm trying to restrict some of the permissions of my Rhino scripts (Rhino14R5). For example, I don't want my Rhino scripts to create their own class loaders, but of course Rhino code itself should be able to do that, as it needs it for internal use.

For that I use a Java SecurityManager, and I have a policy file that looks like:

    grant codeBase "file:/.../rhino.jar" {
        permission java.lang.RuntimePermission "createClassLoader";
    };

(I also have a Rhino SecurityController, but with or without it, the problem is the same as soon as I have a SecurityManager.)

However, I get exceptions like:

    java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:607)
        at java.lang.ClassLoader.<init>(ClassLoader.java:243)
        at org.mozilla.javascript.DefiningClassLoader.<init>(DefiningClassLoader.java:55)
        at org.mozilla.javascript.Context.createClassLoader(Context.java:1837)
        at org.mozilla.javascript.optimizer.InvokerImpl.createInvoker(InvokerImpl.java:62)
        at org.mozilla.javascript.FunctionObject.doInvoke(FunctionObject.java:49

even though the call to createClassLoader is made by some Rhino internals and I granted them the right to do that in my policy file.

Is that due to the fact that there are some on-the-fly generated classes in the stack?

Any hint? Any solution?

Thanks a lot in advance.

C.
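
Background for the question above: a Java permission check passes only if every protection domain on the calling stack implies the permission, walking down to the nearest frame that entered AccessController.doPrivileged. The following is an added example, not part of the original post and not Rhino code; it models that walk with constructed frames. The Frame record, the no-grant domain for a generated script class and the doPrivileged placement are assumptions for illustration (Java 16 or later, for records).

```java
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.List;

// Added example: a model of the stack walk behind AccessController.checkPermission,
// using constructed frames and protection domains. No SecurityManager is installed.
public class StackWalkDemo {

    // One call-stack frame: the protection domain of its class, and whether the
    // frame entered AccessController.doPrivileged (hypothetical model type).
    record Frame(String name, ProtectionDomain domain, boolean privileged) {}

    // Domain with a static permission set and no code source (constructed sample).
    static ProtectionDomain domain(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        return new ProtectionDomain(null, perms);
    }

    // Walk from the most recent frame down. Every domain visited must imply
    // the permission; the walk stops after a frame marked privileged.
    // Returns the name of the denying frame, or null if access is allowed.
    static String deniedBy(Permission p, List<Frame> newestFirst) {
        for (Frame f : newestFirst) {
            if (!f.domain().implies(p)) return f.name();
            if (f.privileged()) return null;
        }
        return null;
    }

    public static void main(String[] args) {
        Permission create = new RuntimePermission("createClassLoader");
        ProtectionDomain rhinoJar = domain(create); // stands in for the grant on rhino.jar
        ProtectionDomain generated = domain();      // assumed: script class with no grant

        // Frame names taken from the trace; the script frame below them is assumed.
        List<Frame> plain = List.of(
            new Frame("Context.createClassLoader", rhinoJar, false),
            new Frame("InvokerImpl.createInvoker", rhinoJar, false),
            new Frame("generated script class", generated, false));
        System.out.println("no doPrivileged:   denied by " + deniedBy(create, plain));

        // Same stack, with the top frame modelled as running inside doPrivileged.
        List<Frame> wrapped = List.of(
            new Frame("Context.createClassLoader", rhinoJar, true),
            new Frame("InvokerImpl.createInvoker", rhinoJar, false),
            new Frame("generated script class", generated, false));
        System.out.println("with doPrivileged: denied by " + deniedBy(create, wrapped));
    }
}
```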