AccessibleObject.setAccessible() backward compatibility

David M. Lloyd david.lloyd at
Fri Sep 11 20:42:56 UTC 2015

On 09/11/2015 03:14 PM, Tim Boudreau wrote:
>     >> If the implementation of MethodHandle uses setAccessible() (I don't know
>     >> its internals), then this Java 0day would qualify:
>     >
>     > It does not as far as I know.
>     > It's the opposite, if you want to bypass the security sandbox with a MethodHandle,
>     > you have to use reflection + setAccessible and then use Lookup.unreflect*().
> Point taken.
> Regardless, if one of the problems we want to solve here is security
> related, then having a security sandbox you really can't bypass, even
> reflectively, is not a bad idea at all.

In principle, sure.  But to paraphrase Schneier, adding complexity is a 
sucky way to add security. :-)

If this is a goal though then the only logical way for it to be done 
that I can see is by always using AccessController for reflection 
permission checks even if there is no security manager.  It seems out of 
scope of this JSR to me though...
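
The quoted point about `Lookup.unreflect*()` can be checked directly. The following is an added example, not code from this thread or from the JDK; `Vault` and `UnreflectDemo` are hypothetical names. It shows that `unreflect()` performs the normal access check against the lookup class unless the `Method`'s accessible flag was already set, so the `setAccessible()` call is the step a reflection permission check has to gate.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.reflect.Method;

// Hypothetical class with a private member, standing in for guarded code.
class Vault {
    private static String secret() { return "constructed-sample-value"; }
}

public class UnreflectDemo {
    // Returns true if Lookup.unreflect() hands out a handle for Vault.secret().
    static boolean canUnreflect(boolean callSetAccessible) throws Exception {
        Method m = Vault.class.getDeclaredMethod("secret");
        if (callSetAccessible) {
            // The reflective access-check override. When a security manager is
            // installed, this call requires ReflectPermission("suppressAccessChecks").
            m.setAccessible(true);
        }
        try {
            // With the accessible flag unset, unreflect() checks access on behalf
            // of the lookup class (UnreflectDemo), which cannot see a private
            // member of the separate top-level class Vault.
            MethodHandle mh = MethodHandles.lookup().unreflect(m);
            return mh != null;
        } catch (IllegalAccessException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("without setAccessible: " + canUnreflect(false));
        System.out.println("with setAccessible:    " + canUnreflect(true));
    }
}
```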


More information about the jpms-spec-observers mailing list