[e-lang] Powerless MUST NOT access package scope member on another object

Tyler Close tyler.close at gmail.com
Tue Jan 15 00:41:13 EST 2008

Currently, the difference between a Powerless and an Immutable is the
absence of any Token which is supposed to mean that the Powerless
object is unable to perform any rights amplification. But the most
common form of rights amplification in Java is access to the package
scope interface of another object. Consequently, a Powerless object
can actually represent non-trivial authority. For example,

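// Box.java
public final class
Box {
    final Object secret;    // package scope: readable by any class in this package

    Box(final Object secret) {
        this.secret = secret;
    }
}

// Unsealer.java (same package as Box)
public final class
Unsealer implements Powerless {
    Unsealer() {}

    public Object
    unseal(Box box) { return box.secret; }    // reads Box's package-scope field
}

// Sealer.java (same package as Box)
public final class
Sealer implements Powerless {
    Sealer() {}

    public Box
    seal(final Object secret) { return new Box(secret); }    // calls Box's package-scope constructor
}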

The Sealer and Unsealer types in the above code represent real
authority. They should not be Powerless, yet the current Joe-E
verifier allows them to be marked so.


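A reflection-based heuristic for the condition reported in the message above, added here as an illustration; it is not code from the post or from the Joe-E verifier. It assumes a stand-in `Powerless` interface and nests the post's three classes in one hypothetical `PowerlessAudit` file (nested classes share a package), and it over-approximates by inspecting method signatures rather than the field accesses in method bodies.

```java
import java.lang.reflect.*;
import java.util.*;

public class PowerlessAudit {
    interface Powerless {}                    // stand-in for the Joe-E marker interface
    static final class Box {                  // the post's types, nested for one-file use
        final Object secret;
        Box(final Object secret) { this.secret = secret; }
    }
    static final class Unsealer implements Powerless {
        public Object unseal(Box box) { return box.secret; }
    }
    static final class Sealer implements Powerless {
        public Box seal(final Object secret) { return new Box(secret); }
    }

    // Default and protected members are both reachable from the same package.
    static boolean packageScoped(int mods) {
        return !Modifier.isPublic(mods) && !Modifier.isPrivate(mods);
    }

    // For a Powerless class, list package-scope members of other same-package
    // types that appear in its method signatures.
    static List<String> audit(Class<?> c) {
        List<String> findings = new ArrayList<>();
        if (!Powerless.class.isAssignableFrom(c)) return findings;
        Set<Class<?>> peers = new LinkedHashSet<>();
        for (Method m : c.getDeclaredMethods()) {
            peers.addAll(Arrays.asList(m.getParameterTypes()));
            peers.add(m.getReturnType());
        }
        for (Class<?> p : peers) {
            if (p == c || !p.getPackageName().equals(c.getPackageName())) continue;
            for (Field f : p.getDeclaredFields())
                if (!f.isSynthetic() && packageScoped(f.getModifiers()))
                    findings.add(c.getSimpleName() + " can reach field "
                            + p.getSimpleName() + "." + f.getName());
            for (Constructor<?> k : p.getDeclaredConstructors())
                if (packageScoped(k.getModifiers()))
                    findings.add(c.getSimpleName() + " can reach constructor "
                            + p.getSimpleName() + "/" + k.getParameterCount());
        }
        return findings;
    }

    public static void main(String[] args) {
        for (Class<?> c : List.of(Unsealer.class, Sealer.class))
            audit(c).forEach(System.out::println);
    }
}
```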