Class.getRecordComponents security checks

Remi Forax forax at univ-mlv.fr
Sun Feb 21 20:57:02 UTC 2021


----- Original message -----
> From: "Attila Szegedi" <szegedia at gmail.com>
> To: "core-libs-dev" <core-libs-dev at openjdk.java.net>
> Sent: Sunday, February 21, 2021 21:14:48
> Subject: Class.getRecordComponents security checks

> Hey folks,
> 
> Why are security checks for Class.getRecordComponents as strict as those for
> e.g. getDeclaredMethods? I would’ve expected they’d be as strict as those for
> e.g. getMethods. Specifically, the difference is the:
> 
>> “the caller's class loader is not the same as the class loader of this class and
>> invocation of s.checkPermission method with
>> RuntimePermission("accessDeclaredMembers") denies access to the declared
>> methods within this class”

Good question. getRecordComponents() lists the record components, not the record accessors;
while each record component has a corresponding accessor method, the reverse is not true.

So here, what you are asking for is more like asking for fields than methods, so it's more like getDeclaredFields() than getMethods(),
hence the runtime check if there is a SecurityManager enabled.

> 
> step. Aren’t record accessors supposed to be public?

Yes, at least for the code generated by javac, accessors are always public
(the class itself may be non-public, and the package may not be exported).

> 
> Attila.

Rémi
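
The distinction drawn in the reply above, between record components and public accessor-shaped methods, as an added Java example that is not part of the original thread. The `Point` record and its `sum()` method are hypothetical, and the code assumes Java 16 or later.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.RecordComponent;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;

public class RecordComponentsDemo {
    // Hypothetical record: two components plus one extra public no-arg method.
    record Point(int x, int y) {
        public int sum() { return x + y; } // public and no-arg, but not an accessor
    }

    public static void main(String[] args) throws Exception {
        Class<?> c = Point.class;

        // Names from the record header, i.e. the state description.
        Set<String> components = Arrays.stream(c.getRecordComponents())
                .map(RecordComponent::getName)
                .collect(Collectors.toCollection(TreeSet::new));

        // What getMethods() exposes: public no-arg instance methods declared by Point.
        Set<String> publicNoArg = Arrays.stream(c.getMethods())
                .filter(m -> m.getDeclaringClass() == c)
                .filter(m -> m.getParameterCount() == 0)
                .filter(m -> !Modifier.isStatic(m.getModifiers()))
                .map(Method::getName)
                .collect(Collectors.toCollection(TreeSet::new));

        System.out.println("record components:     " + components);
        System.out.println("public no-arg methods: " + publicNoArg);

        // Methods that look like accessors but do not correspond to a component.
        Set<String> notAccessors = new TreeSet<>(publicNoArg);
        notAccessors.removeAll(components);
        System.out.println("not accessors:         " + notAccessors);

        // Each component maps to a public accessor and a private final field of the same name.
        for (RecordComponent rc : c.getRecordComponents()) {
            Method accessor = rc.getAccessor();
            Field field = c.getDeclaredField(rc.getName());
            System.out.printf("%s: accessor is [%s], backing field is [%s]%n", rc.getName(),
                    Modifier.toString(accessor.getModifiers()),
                    Modifier.toString(field.getModifiers()));
        }
    }
}
```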

