Replacement of sun.reflect.Reflection#getCallerClass
Peter Levart
peter.levart at gmail.com
Tue Sep 3 18:11:45 UTC 2013
On 09/03/2013 07:41 PM, David M. Lloyd wrote:
>> Now for that part, the public API equivalent
>> (StackTraceFrame.getCallerClass() or whatever it is called) need not be
>> restricted to methods annotated with any annotation, but that means that
>> this public API should not be used to implement security decisions since
>> MethodHandles API allows caller to be spoofed unless looking-up a method
>> annotated with @CallerSensitive...
>
> Using an annotation for security decisions is pretty far off from the
> standard security model in any case. Why not use a regular permission
> check? If performance is a concern, the check need only be made one
> time when an instance is acquired that has these methods on it.
What permission check? @CallerSensitive methods are typically public
methods in public classes. Anyone can call them, but no-one should be
able to spoof the caller.
On 09/03/2013 07:41 PM, David M. Lloyd wrote:
>> What about a simple restriction on methods returning such instances that
>> Class objects are only returned when they are resolvable from the
>> ClassLoader of client code. If they are not resolvable, null is
>> returned. For example, the equivalent of:
>>
>
> I don't think this will hold up. Why would (for example) a logging
> API have access to every class loader that might need to log
> something? In any system of appreciable size, there is typically at
> least *some* class loader isolation, often a lot of it. Utilities
> like logging or security code that need to do this kind of check do
> not typically have direct access to classes which are "higher on the
> stack", so to speak.
Ok, I understand. What about the other way around - would this be
acceptable from security perspective (asking Mandy?):
- If you can see me (by name), then you're exposed (I can get you):
public class StackTraceFrame {
private final Class<?> declaringClass;
@CallerSensitive
public Class<?> getDeclaringClass() {
try {
Class<?> cc = Reflection.getCallerClass();
return Class.forName(cc.getName(),
false,
declaringClass.getClassLoader())
== cc ? declaringClass : null;
} catch (ClassNotFoundException ignore) {}
return null;
}
This would not present a problem for JDK system classes since they can
not see client code.
Regards, Peter
More information about the core-libs-dev
mailing list