jdk.internal.reflect.ReflectionFactory and SecurityManager

Peter Levart peter.levart at gmail.com
Mon Dec 26 20:39:24 UTC 2016 

Hi Claes,

On 12/26/2016 09:11 PM, Claes Redestad wrote:
> Hi,
>
> with strong encapsulation in place this seems perfectly fine to me.
>
> The only downside is that we will lose the extra reminder that the
> ReflectionFactory must not escape to untrusted code, but I think we can
> all help ensure that doesn't happen, right? :-)

With strong encapsulation in place, if the ReflectionFactory escaped, it 
could only be used by the following modules:

     exports jdk.internal.reflect to
         java.corba,
         java.logging,
         java.sql,
         java.sql.rowset,
         jdk.dynalink,
         jdk.scripting.nashorn,
         jdk.unsupported;


If SecurityManager check was removed, those modules could then also 
obtain ReflectionFactory (they currently don't use it except 
jdk.unsupported). Does this present any new danger?

Changes needed to support removal of this SecurityManager check are as 
follows:

http://cr.openjdk.java.net/~plevart/jdk9-dev/ReflectionFactory.withoutSM/webrev.01/

Changes mostly remove the need to store ReflectionFactory into a 
variable, therefore they encourage style where ReflectionFactory is less 
likely to escape.

Regards, Peter


>
> Thanks!
>
> /Claes
>
> On 2016-12-26 20:29, Peter Levart wrote:
>> Hi,
>>
>> There are 2 ReflectionFactory classes in JDK 9. The old one is
>> sun.reflect.ReflectionFactory which ended in jdk.unsupported module and
>> to which access is restricted with SecurityManager. There is also new
>> jdk.internal.reflect.ReflectionFactory which is used internally by JDK,
>> is exported to internal modules only but still uses SecurityManager to
>> restrict access to itself. I checked all usages and they all use
>> AccessControler.doPrivileged() for obtaining the instance of
>> jdk.internal.reflect.ReflectionFactory, which somehow defeats the
>> purpose of SecurityManager access checks in this API.
>>
>> I think this could be simplified by removing the SecurityManager check
>> from jdk.internal.reflect.ReflectionFactory#getReflectionFactory static
>> method and change all usages to invoke this method directly without
>> doPrivileged(). There are already two sensitive internal APIs exposed
>> without SecurityManager checks: jdk.internal.misc.Unsafe#getUnsafe and
>> various jdk.internal.misc.SharedSecrets#getXxxAccess methods. So why
>> wouldn't internal ReflectionFactory be exposed the same way?
>>
>> This would make obtaining the ReflectionFactory more robust and not
>> sensitive to bootstrap issues that surfaced recently after my push of a
>> fix for issues 8062389, 8029459, 8061950.
>>
>> So, what do you think? Is this a worthwhile cleanup and simplification?
>>
>> Regards, Peter
>>

More information about the core-libs-dev mailing list