Here's a very simple example of what I see:

jrunscript -f -
js> var d = new java.util.Date();
js> var m = d.getClass().getMethods();
js> println(m[0].getClass().getName());
java.lang.reflect.Method
js> var name = m[0].getName();
script error: sun.org.mozilla.javascript.internal.WrappedException: Wrapped java.lang.UnsupportedOperationException: invocation not supported (<STDIN>#1) in <STDIN> at line number 1
js> var time = d.getTime();
js> println(time);
1278421741768
js> 

The variable "d" is a Java "Date" instance, and "m" is the array of Java "Method" objects for the "Date" class. When I try to call getName() on one of the "Method" instances, however, it doesn't work. Note that calling getTime() on the "Date" instance works fine, as do pretty much all other calls to Java objects. (Well, I haven't run an exhaustive exploration of course, but it generally works and that's why "Method" seems weird.)

If I write (on the Java side) a class that basically wraps "Method" and delegates, that works fine. So it's not like there's some intrinsic barrier between the Javascript domain and the stuff that "Method" supplies. (Indeed, I imagine that the script layer itself has to do reflection to provide the basic facility in the first place.)

I recall having encountered and hacked around this problem the last time I was fooling around with Rhino via the JDK 6 script framework. I don't recall whether I figured out why it happens or not. Does anybody know?

+1  A: 

IIRC, it's because a number of methods use the immediate caller for certain security checks. If you use Method.invoke to call these methods, then the caller of invoke is taken as the immediate caller. These methods are listed in section 6 of the current Java Secure Coding Guidelines.

Tom Hawtin - tackline
Well that's a very interesting reference, but it's not clear (to me at least) that that has direct relevance to what I'm seeing. I'm not using any security manager at the moment, and the exception I'm getting doesn't indicate a security problem - it's just "unsupported operation."
Pointy
It's done for security reasons. There is no reason to get the security manager involved. Indeed it's a very good idea for the same code to behave the same whether there is a security manager present or not.
Tom Hawtin - tackline
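
The caller-sensitivity described in the answer, as an added example that is not part of the original thread and is not Rhino or JDK code: a method that checks its immediate caller refuses a direct call from less-trusted code but accepts the same call when a trusted layer performs it through Method.invoke. It assumes Java 9+ (for StackWalker, which skips reflection frames when reporting the caller); the class names Guarded, TrustedBridge and Script are hypothetical.

```java
import java.lang.reflect.Method;

// Added illustration; every class name here is hypothetical.
public class CallerSensitiveDemo {
    private static final StackWalker WALKER =
        StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE);

    // A caller-sensitive method: the decision depends on who called it directly.
    static class Guarded {
        public static String read() {
            // getCallerClass() filters out reflection frames, so a call made
            // through Method.invoke is attributed to whoever called invoke.
            Class<?> caller = WALKER.getCallerClass();
            if (caller != TrustedBridge.class) {
                throw new SecurityException("denied for " + caller.getSimpleName());
            }
            return "allowed for " + caller.getSimpleName();
        }
    }

    // Stands in for a trusted layer (for example a script bridge) that makes
    // reflective calls on behalf of other code.
    static class TrustedBridge {
        static Object invokeFor(Method m, Object target, Object... args) throws Exception {
            return m.invoke(target, args);
        }
    }

    // Stands in for less-trusted code, such as a script.
    static class Script {
        static String direct() {
            try {
                return Guarded.read();          // immediate caller: Script
            } catch (SecurityException e) {
                return e.getMessage();
            }
        }

        static String viaBridge() throws Exception {
            Method m = Guarded.class.getMethod("read");
            return (String) TrustedBridge.invokeFor(m, null); // immediate caller: TrustedBridge
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("direct:     " + Script.direct());
        System.out.println("via bridge: " + Script.viaBridge());
    }
}
```

A bridge that hands out reflective invocation unchanged lends its own identity to whoever supplies the Method object, which is the risk section 6 of the guidelines cited in the answer addresses.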