RFR 8073056: Repeating annotations throws java.security.AccessControlException with a SecurityManager
Peter Levart
peter.levart at gmail.com
Fri Feb 27 00:59:19 UTC 2015
On 02/27/2015 01:07 AM, Mandy Chung wrote:
> On 2/26/15 2:04 PM, Peter Levart wrote:
>> I verified this with the following code:
>> :
>>
>> ... it works without problems and prints the expected:
>
> Thanks for the test. The question is what the spec says about
> SecurityException, or it should require the value() method be public
> or there is a reason to support a non-public value() method?
>
> Mandy
Well, currently, with pre-JDK8 APIs, one has access to annotation
instances of types that are otherwise inaccessible. For example:

import java.lang.annotation.Annotation;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;

public class Test {
    public static void main(String[] args) throws Exception {
        // TestSibling.class.getDeclaredAnnotation(TestSibling.PrivateAnn.class);
        // >>> javac Error: The type TestSibling.PrivateAnn is not visible
        // but:
        Annotation privateAnn = TestSibling.class.getDeclaredAnnotations()[0];
        System.out.println(privateAnn);
        // >>> @TestSibling$PrivateAnn()
    }
}

@TestSibling.PrivateAnn()
class TestSibling {
    @Retention(RetentionPolicy.RUNTIME)
    private @interface PrivateAnn {
    }
}

So I don't think we should prevent access to repeatable annotation
instances just because the container annotation type of the repeatable
annotation is not public.

The call to setAccessible(true) should be wrapped by doPrivileged and
should be performed in the AnnotationType constructor and not sprinkled in
other places that need to invoke the Method(s). This is by no means less
secure, as it doesn't matter what part of the code makes the Method object
setAccessible(true) if it is a shared Method object.
Regards, Peter
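
An added example, not part of the message above and not the JDK's own code, of the pattern the last paragraph describes: the value() method of a non-public container annotation is resolved once, made accessible inside doPrivileged, and then invoked by ordinary code. The names Holder, Tag, Tags and containerValueMethod are hypothetical.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;

public class ContainerValueDemo {
    // Hypothetical helper: look up value() and call setAccessible(true) in one
    // privileged block, so the permission check sees this code's protection
    // domain rather than that of whoever later invokes the shared Method.
    static Method containerValueMethod(Class<? extends Annotation> containerType) {
        return AccessController.doPrivileged((PrivilegedAction<Method>) () -> {
            try {
                Method m = containerType.getDeclaredMethod("value");
                m.setAccessible(true);
                return m;
            } catch (NoSuchMethodException e) {
                throw new IllegalArgumentException(containerType + " has no value()", e);
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Holder.Tags is private, so the container instance is obtained generically,
        // the same way the message above obtains the PrivateAnn instance.
        Annotation container = Holder.class.getDeclaredAnnotations()[0];
        Method value = containerValueMethod(container.annotationType());
        // Without setAccessible(true) this invoke would fail with
        // IllegalAccessException, because the declaring interface is private.
        Annotation[] tags = (Annotation[]) value.invoke(container);
        for (Annotation t : tags) {
            System.out.println(t);
        }
    }
}

// Two repeated annotations; javac wraps them in the private container Tags.
@Holder.Tag("a")
@Holder.Tag("b")
class Holder {
    @Retention(RetentionPolicy.RUNTIME)
    @Repeatable(Tags.class)
    @interface Tag { String value(); }

    @Retention(RetentionPolicy.RUNTIME)
    private @interface Tags { Tag[] value(); }
}
```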