AccessibleObject.setAccessible() backward compatibility
David M. Lloyd
david.lloyd at redhat.com
Fri Sep 11 20:42:56 UTC 2015
On 09/11/2015 03:14 PM, Tim Boudreau wrote:
> >> If the implementation of MethodHandle uses setAccessible() (I don't know
> >> its internals), then this Java 0day would qualify:
> > It does not as far as I know.
> > It's the opposite, if you want to bypass the security sandbox with a MethodHandle,
> > you have to use reflection + setAccessible and then use Lookup.unreflect*().
> Point taken.
> Regardless, if one of the problems we want to solve here is security
> related, then having a security sandbox you really can't bypass, even
> reflectively, is not a bad idea at all.
In principle, sure. But to paraphrase Schneier, adding complexity is a
sucky way to add security. :-)
If this is a goal though then the only logical way for it to be done
that I can see is by always using AccessController for reflection
permission checks even if there is no security manager. It seems out of
scope of this JSR to me though...
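
The access-check behaviour the thread describes, as an added example that is not part of the original messages. The `Vault` class and its `secret()` method are hypothetical names used only for illustration.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;

public class UnreflectDemo {
    public static void main(String[] args) throws Throwable {
        // Lookup whose access rights are those of UnreflectDemo, not Vault.
        MethodHandles.Lookup lookup = MethodHandles.lookup();
        MethodType type = MethodType.methodType(String.class);

        // 1. Direct MethodHandle lookup: access is checked against the
        //    lookup class, so another class's private method is refused.
        try {
            lookup.findVirtual(Vault.class, "secret", type);
            System.out.println("findVirtual: allowed (unexpected)");
        } catch (IllegalAccessException e) {
            System.out.println("findVirtual: denied");
        }

        Method m = Vault.class.getDeclaredMethod("secret");

        // 2. unreflect() on a Method whose accessible flag is not set
        //    performs the same access check and is refused as well.
        try {
            lookup.unreflect(m);
            System.out.println("unreflect (flag unset): allowed (unexpected)");
        } catch (IllegalAccessException e) {
            System.out.println("unreflect (flag unset): denied");
        }

        // 3. setAccessible(true) is the single point where the check is
        //    suppressed. With a SecurityManager installed (on JDKs that
        //    support one), this call is what requires
        //    ReflectPermission("suppressAccessChecks").
        m.setAccessible(true);
        MethodHandle mh = lookup.unreflect(m);
        String value = (String) mh.invoke(new Vault());
        System.out.println("unreflect (flag set): allowed, returned " + value);
    }
}

// Hypothetical class standing in for code that relies on `private`.
class Vault {
    private String secret() { return "constructed-sample-value"; }
}
```

Only the `setAccessible(true)` call changes the outcome, which is why a permission check at that call is the natural enforcement point for both reflection and `Lookup.unreflect*()`.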