8210496: Improve filtering for classes with security sensitive fields

Alan Bateman Alan.Bateman at oracle.com
Fri Sep 14 17:52:06 UTC 2018

Core reflection has a filtering mechanism to hide a number of fields 
that are critical to security or the integrity of the runtime. It's a 
bit of a band aid but it helps to reduce hacking on fields such as 
java.lang.System.security and java.lang.Class.classLoder. I'd like to 
extend the filters to hide a few additional fields from 
integrity-sensitive (and non-serializable) classes in java.lang.reflect 
and java.lang.invoke. There are of course a number of nasty hacks around 
that might break due to this but these hacks would be broken anyway with 
simple rename or other innocent refactoring (we had some of this during 
JDK 11 when Mandy fixed JDK-8202113 for example).

The webrev with the changes is here:

Mandy has already reviewed the CSR [1].


[1] https://bugs.openjdk.java.net/browse/JDK-8210522

More information about the core-libs-dev mailing list