Custom classloader & sandbox
Hi all,
I have an applet which consists of two jar files. One unsigned with the main class and one which is signed and includes some optional classes which require extra privileges out of the sandbox.
When I boot the applet it loads in sandbox mode without throwing a security warning. When at runtime I create an instance from a class from the signed jar it will nicely throw a security warning asking whether the user wants to accept the certificate from the signed jar. This signed jar will then create a custom (url)classloader, which downloads an additional jar at runtime and executes it.
So far so good, but I noticed that the runtime downloaded classes may only use sandboxed methods. When I runtime download some classes which execute methods that reach out of the sandbox they fail with a java.security.AccessControlException.
These runtime classes are loaded through my custom classloader (which resides in the signed jar). I signed the jar which is downloaded at runtime with the same certificate. Also the privileged calls in the runtime classes are wrapped in AccessController.doPrivileged blocks. I thought these runtime loaded classes would inherit the permissions from their parent, which was granted permission by the user to escape the sandbox...
Does anyone know how I can force the extended privileges to apply to my runtime loaded classes as well? Maybe sticking a custom securitymanager with my custom classloader?
Thanks!
Thijs
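Added example, not part of the original post: a URLClassLoader by default grants the classes it defines only permission to access the URLs it was created with, and AccessController.doPrivileged asserts a class's own protection-domain permissions without adding any, so one option is for the custom loader to override getPermissions and grant more only to code signed with the loader's own certificate. The class name SignedJarClassLoader and the choice of AllPermission are assumptions made for illustration.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.security.AllPermission;
import java.security.CodeSigner;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.cert.Certificate;
import java.util.HashSet;
import java.util.Set;

// Hypothetical name; stands in for the custom loader shipped in the signed jar.
public class SignedJarClassLoader extends URLClassLoader {

    // Signer certificates of the jar this loader class was itself loaded from.
    private final Set<Certificate> trusted;

    public SignedJarClassLoader(URL[] urls, ClassLoader parent) {
        super(urls, parent);
        trusted = signerCerts(
            SignedJarClassLoader.class.getProtectionDomain().getCodeSource());
    }

    // Called once per CodeSource when a class is defined; the result becomes
    // the static permission set of that class's ProtectionDomain.
    @Override
    protected PermissionCollection getPermissions(CodeSource cs) {
        PermissionCollection perms = super.getPermissions(cs); // URL access only
        for (Certificate c : signerCerts(cs)) {
            if (trusted.contains(c)) {          // same signer as this loader
                perms.add(new AllPermission()); // assumption: narrow this in practice
                break;
            }
        }
        return perms; // unsigned or differently signed code stays sandboxed
    }

    // Collects the end-entity certificate of every signer of a code source.
    private static Set<Certificate> signerCerts(CodeSource cs) {
        Set<Certificate> out = new HashSet<Certificate>();
        if (cs == null || cs.getCodeSigners() == null) {
            return out; // unsigned code: no signers
        }
        for (CodeSigner s : cs.getCodeSigners()) {
            out.add(s.getSignerCertPath().getCertificates().get(0));
        }
        return out;
    }
}
```

Granting a specific permission (for example a FilePermission on one directory) instead of AllPermission keeps the downloaded code closer to least privilege.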

