CallerSensitive access rights problems

Mon Nov 18 16:36:50 UTC 2013

On 11/18/2013 04:31 PM, Alan Bateman wrote:
> On 18/11/2013 14:59, Jochen Theodorou wrote:
>> Hi,
>>
>> java.lang.Class has multiple methods annotated with CallerSensitive 
>> (see 
>> http://hg.openjdk.java.net/jdk8/jdk8-gate/jdk/file/tip/src/share/classes/java/lang/Class.java). 
>>
>>
>> Now if we in Groovy here want to build our runtime structure for this 
>> class, and the security manager is not allowing access to 
>> sun.reflect, then we get into trouble. 
>> https://jira.codehaus.org/browse/GROOVY-6405 is caused by this.
>>
>> What do you suggest people with this problem, if adding 
>> accessClassInPackage.sun.reflect is no option?
> Is it sun.reflect.CallerSensitive.class.getDeclaredMethods that is 
> failing?
>
> -Alan.

 From GROOVY-6405 discussion I think it is, yes.

The work-around suggested in GROOVY-6405 does not work, because it has a 
bug. It should be written as:

     private static void setAnnotationMetaData(Annotation[] annotations 
/*, AnnotatedNode an */) {
         for (Annotation annotation : annotations) {
             if (annotation*.annotationType()*.getPackage() == null ||

!"sun.reflect".equals(annotation*.annotationType()*.getPackage().getName())) 
{
                 System.out.println("Processing: " + 
annotation.annotationType().getName());
             } else {
                 System.out.println("Skipping: " + 
annotation.annotationType().getName());
             }
         }
     }

... i.e. don't call annotation.*getClass()* because what you get is a 
dynamic Proxy class implementing the annotation interface and such Proxy 
class does not live in the same package as the annotation interface...

There is another such annotation to watch for, in another protected 
package: *sun.misc.Contended* ...

Regards, Peter