Subj : Rhino Security AccessControlContext To : netscape.public.mozilla.jseng From : Larry Blanchette Date : Tue Apr 06 2004 05:16 pm I'm using Rhino 1.5R5/Sun's JVM 1.4.1 and am having trouble resolving how protection domains are applied in Rhino. I found some comment on security on Batik but details were missing and wondered if my situation is related If I load a security policy & manager dynamically in my app the protection domain is applied faithfully. I properly get access denied when my script attempts to access jars it does not have read permissions for. If I load the same policy/manager via JVM command line the script is able to access non-permissioned jars/classes, I must rely on ClassShutter to enforce restrictions (which actually is cool, but why does it work like this?). I've been stabbing at this for a bit and I was wondering if anyone had an explanation? In both cases the proper restricted AccessControlContext is passed in the doPrivileged call in callWithDomain. Larry Blanchette .