CallerSensitive access rights problems

Mandy Chung mandy.chung at oracle.com
Mon Nov 18 19:22:12 UTC 2013


On 11/18/13 8:36 AM, Peter Levart wrote:
> On 11/18/2013 04:31 PM, Alan Bateman wrote:
>> On 18/11/2013 14:59, Jochen Theodorou wrote:
>>> Hi,
>>>
>>> java.lang.Class has multiple methods annotated with CallerSensitive 
>>> (see 
>>> http://hg.openjdk.java.net/jdk8/jdk8-gate/jdk/file/tip/src/share/classes/java/lang/Class.java). 
>>>
>>>
>>> Now if we in Groovy here want to build our runtime structure for 
>>> this class, and the security manager is not allowing access to 
>>> sun.reflect, then we get into trouble. 
>>> https://jira.codehaus.org/browse/GROOVY-6405 is caused by this.
>>>
>>> What do you suggest to people with this problem, if adding 
>>> accessClassInPackage.sun.reflect is no option?
>> Is it sun.reflect.CallerSensitive.class.getDeclaredMethods that is 
>> failing?
>>
>> -Alan.
>
> From GROOVY-6405 discussion I think it is, yes.
>
> The work-around suggested in GROOVY-6405 does not work, because it has 
> a bug. It should be written as:
>
>     private static void setAnnotationMetaData(Annotation[] annotations /*, AnnotatedNode an */) {
>         for (Annotation annotation : annotations) {
>             if (annotation.annotationType().getPackage() == null ||
>                 !"sun.reflect".equals(annotation.annotationType().getPackage().getName())) {
>                 System.out.println("Processing: " + annotation.annotationType().getName());
>             } else {
>                 System.out.println("Skipping: " + annotation.annotationType().getName());
>             }
>         }
>     }
>
>
> ... i.e. don't call annotation.*getClass()* because what you get is a 
> dynamic Proxy class implementing the annotation interface and such 
> Proxy class does not live in the same package as the annotation 
> interface...
>

Good catch Peter.

> There is another such annotation to watch for, in another protected 
> package: *sun.misc.Contended* ...

sun.reflect.CallerSensitive and sun.misc.Contended are two new 
annotations added in jdk8 and they are both restricted packages. sun.* 
is only one of the restricted packages and the entire list is in 
package.access in the java.security property file.

Mandy
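
An added example, not code from this thread, Groovy or OpenJDK: it generalizes the sun.reflect check above to every entry in the package.access security property, and prints both annotationType() and getClass() so the proxy-class difference is visible. The class name RestrictedAnnotationFilter and the Sample and Target types are hypothetical and constructed for the demo.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class RestrictedAnnotationFilter {
    // Constructed annotation and target for the demo; not part of the JDK or Groovy.
    @Retention(RetentionPolicy.RUNTIME)
    @interface Sample {}

    @Sample
    static class Target {}

    // Parse the comma-separated package.access list; empty when the property is absent.
    static List<String> restrictedPrefixes() {
        List<String> out = new ArrayList<>();
        String prop = Security.getProperty("package.access");
        if (prop != null) {
            for (String p : prop.split(",")) {
                if (!p.trim().isEmpty()) out.add(p.trim());
            }
        }
        return out;
    }

    // Matching rule documented for SecurityManager.checkPackageAccess:
    // the package name starts with, or equals, a listed entry.
    static boolean isRestricted(String typeName, List<String> prefixes) {
        int dot = typeName.lastIndexOf('.');
        String pkg = dot < 0 ? "" : typeName.substring(0, dot);
        for (String p : prefixes) {
            if (pkg.startsWith(p) || p.equals(pkg + ".")) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        List<String> prefixes = restrictedPrefixes();
        for (Annotation a : Target.class.getAnnotations()) {
            String type = a.annotationType().getName(); // the annotation interface
            String proxy = a.getClass().getName();      // the dynamic proxy class
            System.out.println(type + " (proxy " + proxy + ") -> "
                    + (isRestricted(type, prefixes) ? "Skipping" : "Processing"));
        }
        System.out.println("sun.reflect.CallerSensitive restricted: "
                + isRestricted("sun.reflect.CallerSensitive", prefixes));
    }
}
```

Working from the type name instead of getPackage() also avoids the null-package case that the corrected work-around has to test for.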


