Replacement of sun.reflect.Reflection#getCallerClass

Peter Levart peter.levart at gmail.com
Tue Sep 3 18:11:45 UTC 2013


On 09/03/2013 07:41 PM, David M. Lloyd wrote:
>> Now for that part, the public API equivalent
>> (StackTraceFrame.getCallerClass() or whatever it is called) need not be
>> restricted to methods annotated with any annotation, but that means that
>> this public API should not be used to implement security decisions since
>> MethodHandles API allows caller to be spoofed unless looking-up a method
>> annotated with @CallerSensitive...
>
> Using an annotation for security decisions is pretty far off from the 
> standard security model in any case.  Why not use a regular permission 
> check?  If performance is a concern, the check need only be made one 
> time when an instance is acquired that has these methods on it.

What permission check? @CallerSensitive methods are typically public 
methods in public classes. Anyone can call them, but no-one should be 
able to spoof the caller.


On 09/03/2013 07:41 PM, David M. Lloyd wrote:
>> What about a simple restriction on methods returning such instances that
>> Class objects are only returned when they are resolvable from the
>> ClassLoader of client code. If they are not resolvable, null is
>> returned. For example, the equivalent of:
>>
>
> I don't think this will hold up.  Why would (for example) a logging 
> API have access to every class loader that might need to log 
> something?  In any system of appreciable size, there is typically at 
> least *some* class loader isolation, often a lot of it.  Utilities 
> like logging or security code that need to do this kind of check do 
> not typically have direct access to classes which are "higher on the 
> stack", so to speak. 

Ok, I understand. What about the other way around - would this be 
acceptable from security perspective (asking Mandy?):

- If you can see me (by name), then you're exposed (I can get you):

public class StackTraceFrame {

     private final Class<?> declaringClass;

     @CallerSensitive
     public Class<?> getDeclaringClass() {
         try {
             Class<?> cc = Reflection.getCallerClass();
            return Class.forName(cc.getName(),
                                  false,
declaringClass.getClassLoader())
                    == cc ? declaringClass : null;

         } catch (ClassNotFoundException ignore) {}
         return null;
     }


This would not present a problem for JDK system classes since they can 
not see client code.


Regards, Peter




More information about the core-libs-dev mailing list