8210496: Improve filtering for classes with security sensitive fields

Alan Bateman Alan.Bateman at oracle.com
Fri Sep 14 17:57:50 UTC 2018

On 14/09/2018 18:52, Alan Bateman wrote:
> Core reflection has a filtering mechanism to hide a number of fields 
> that are critical to security or the integrity of the runtime. It's a 
> bit of a band aid but it helps to reduce hacking on fields such as 
> java.lang.System.security and java.lang.Class.classLoder. I'd like to 
> extend the filters to hide a few additional fields from 
> integrity-sensitive (and non-serializable) classes in 
> java.lang.reflect and java.lang.invoke. There are of course a number 
> of nasty hacks around that might break due to this but these hacks 
> would be broken anyway with simple rename or other innocent 
> refactoring (we had some of this during JDK 11 when Mandy fixed 
> JDK-8202113 for example).
> The webrev with the changes is here:
>    https://bugs.openjdk.java.net/browse/JDK-8210496
Sorry, that is the JBS issue, the webrev is here:


More information about the core-libs-dev mailing list