RFR 8073056: Repeating annotations throws java.security.AccessControlException with a SecurityManager
Mandy Chung
mandy.chung at oracle.com
Fri Feb 27 01:57:49 UTC 2015
On 2/26/2015 5:01 PM, Peter Levart wrote:
>
> On 02/27/2015 01:07 AM, Mandy Chung wrote:
>> Thanks for the test. The question is what the spec says about
>> SecurityException, or it should require the value() method be public
>> or there is a reason to support a non-public value() method?
>
> The value() method is always public (since it's an interface method),
> but the interface need not be public.
Thanks for the clarification.
> So I don't think we should prevent access to repeatable annotation
> instances just because the container annotation type of the repeatable
> annotation is not public.
>
> The call to setAccessible(true) should be wrapped by doPrivileged and
> should be performed in AnnotationType constructor and not sprinkled in
> other places that need to invoke the Method(s). This is by no means
> less secure as it doesn't matter what part of code makes the Method
> object setAccessible(true) if it is a shared Method object.
Will wait for Joel to say more about this. I agree with your observation.
Mandy
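
The approach Peter Levart describes above, as an added example that is not part of the thread or of the JDK change under review: the `value()` Method of a non-public container annotation is made accessible once, where the Method object is obtained, inside `doPrivileged`. The names `Tag`, `Tags`, `Target`, `containerValueMethod` and `unwrap` are hypothetical.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;

public class ContainerAccessDemo {
    // Constructed sample: a repeatable annotation whose container type is NOT public.
    @Retention(RetentionPolicy.RUNTIME)
    @Repeatable(Tags.class)
    @interface Tag { String value(); }

    @Retention(RetentionPolicy.RUNTIME)
    @interface Tags { Tag[] value(); }   // value() is public, the interface is not

    @Tag("a") @Tag("b")
    static class Target {}

    // Obtain the container's value() Method and suppress access checks in one place.
    // doPrivileged limits the permission check for
    // ReflectPermission("suppressAccessChecks") to this code's own protection
    // domain, so less-privileged callers up the stack do not need that permission.
    static Method containerValueMethod(Class<? extends Annotation> container)
            throws NoSuchMethodException {
        Method m = container.getDeclaredMethod("value");
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            m.setAccessible(true);
            return null;
        });
        return m;
    }

    // Callers only invoke the prepared Method; no setAccessible calls are
    // scattered across the places that need to read the contained annotations.
    static Annotation[] unwrap(Annotation containerInstance) throws Exception {
        Method m = containerValueMethod(containerInstance.annotationType());
        return (Annotation[]) m.invoke(containerInstance);
    }

    public static void main(String[] args) throws Exception {
        Annotation container = Target.class.getAnnotation(Tags.class);
        for (Annotation a : unwrap(container)) {
            System.out.println(a);
        }
    }
}
```

The privileged block contains only the `setAccessible(true)` call, and the Method it opens up is the public `value()` of an annotation interface, so nothing beyond reading the contained annotations is exposed to callers.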