[janino-dev] [jira] Commented: (JANINO-113) Inner class access to inherited protected violates security

> Inner class access to inherited protected violates security
> -----------------------------------------------------------
>
>                 Key: JANINO-113
>                 URL: http://jira.codehaus.org/browse/JANINO-113
>             Project: Janino
>          Issue Type: Bug
>            Reporter: Matt Fowles
>            Assignee: Arno Unkrig
>            Priority: Critical
>         Attachments: indirect.patch
>
>
> This is similar to but different then: http://jira.codehaus.org/browse/JANINO-112
> Consider the following classes:
> {code}
> public class Parent {
>     protected int var = 1;
> }
> public class Child extends Parent {
>     public class Inner {
>         public int get() {
>             return var;
>         }
>         public void set() {
>             var = 4;
>         }
>     }
> }
> public class Main {
>     public static void main(String[] args) {
>         Child.Inner i = new Child().new Inner();
>         System.out.println("before set: " + i.get());
>         i.set();
>         System.out.println("after set: " + i.get());
>     }
> }
> {code}
> If you run this using janinoc as your compiler and java from the command line this will print:
> before set: 1
> after set: 4
> as you would expect.
> however, if you do the equivalent thing using SimpleCompiler() the call to get will fail with an "IllegalAccessError".
> Janino is generating direct accesses to the protected variable from within the inner class, which violates the JVM's security policy.  The default class loader that runs apps is unsecured but any classes loaded through URLClassLoaders (like ones created by SimpleCompiler) run through secured class loaders.  As a result this will fail.
> If you look at the output of javac, you will discover that javac creates specialized accessor methods to handle this case:
> fowles@spiceweasel:~/sample/java$ javap test/Child
> Compiled from "Child.java"
> public class test.Child extends other.Parent{
>     public test.Child();
>     static int access$000(test.Child);
>     static int access$102(test.Child, int);
> }
> Clearly, janino needs to create these accessors too, but I do not yet have a good sense of how to do this in the code base.  Pointers or solutions would be most welcome as this is a blocker for my company's use of Janino until it is resolved.