[PATCH] 4851444: Exposing sun.reflect.Reflection#getCallerClass as a public API in Java 8

Alan Bateman Alan.Bateman at oracle.com
Tue Sep 3 09:07:31 UTC 2013


On 02/09/2013 18:45, Nick Williams wrote:
> :
>
> I didn't decide to ignore the security concerns, I just don't see any security concerns. As has been /clearly/ established in the last three months, frameworks have been using getCallerClass for years, if not a decade. It has never caused a security problem. Ever. If I'm wrong, please point out to me a specific vulnerability that this has led to.
I am not allowed to discuss any details about vulnerabilities here. 
However, as a general point then caller sensitive methods have been 
highly problematic in the JDK.

As regards frameworks using sun.reflect.Reflection.getCallerClass 
directly then it's as I said previously, they are probably not run with 
a security manager very often (at least not unless the policy is 
configured to allow direct access to sun.*).

>
> I don't have the ability to go back and start from the beginning on something that I had the understanding was generally agreed upon before I started.
You've done good work and no one is suggesting you throw it again. 
However I don't recall any agreement on a solution, rather the 
discussion mostly fizzled out. In particular I do not recall any 
discussions about changing the goals of JEP 176 and make @CS a public 
API. Whatever about @CS methods being a bad there is also the issue of 
annotations changing runtime behavior.

I see Mandy has restarted the discussion on use-cases (thank you Mandy) 
and working through these and addressing a subset initially might be 
good way to move this forward. More so as this is your first 
patch/contribution to OpenJDK - a first patch does not have to solve 
world peace, starting out with smaller changes is good.

> :
>
> I'm not voicing any objection to any kind of security/permissions checks in these methods. Before I can pass judgement one way or another, I'd want to know 1) specifically what type of permissions check you are looking for, and 2) what you're looking to achieve with said permissions check.
I would say this is TBD and start by asking the question as to whether 
there are concerns about leaking reference to Class objects that 
untrusted code wouldn't normally be able to get a reference to. Tom 
brings up the cost of the permission check and also whether any API 
should be tied to class loader. There are clearly discussion points here 
that could potentially influence the API.

-Alan.





More information about the core-libs-dev mailing list