[PATCH] 4851444: Exposing sun.reflect.Reflection#getCallerClass as a public API in Java 8
Remi Forax
forax at univ-mlv.fr
Mon Sep 2 15:07:09 UTC 2013
On 09/02/2013 03:56 PM, Tom Hawtin wrote:
> On 02/09/2013 09:33, Alan Bateman wrote:
>
>> From a quick scan then it appears that you've decided to ignore the
>> security concerns so I don't think anyone can (or should) sponsor this
>> patch until there is further discussion on the API and the security
>> implications.
>
> I've barely looked through the patch, let alone audited it. However:
>
> As the method appears to be mostly for tracing, performing a security
> check per invocation is likely to hurt performance. Unless it was
> caller sensitive (which seems to be equated with Bad Practice these
> days) it would also require a doPrivileged block. Much better to
> perform a single security check when acquiring a capability object, in
> a similar(ish) way to sun.misc.Unsafe or SharedSecrets.
>
> In order to work with less privileged code, it may also be worthwhile
> to provide a version of the capability object parameterised with a
> class loader. If code has access to a ClassLoader object, then it is
> consistent for it to be given access to Classes loaded by it or child
> loaders, and in practice from parent loaders (but not children of
> parents).
>
> Security relating to Class objects is "interesting". The genuine
> security issue with Class objects is that they have are an attenuation
> of the capability of their ClassLoader. There are many ways to acquire
> Class objects. Some have confusing defence-in-depth security; some,
> such as Object.getClass used for quick null checks, do not.
>
> Tom
I wonder if a java.lang.invoke.MethodHandles.Lookup is not a better
object than a ClassLoader for a capability object.
Rémi
More information about the core-libs-dev
mailing list