MagicAccessorImpl

Alan Bateman Alan.Bateman at oracle.com
Fri Jun 9 06:28:36 UTC 2017


On 09/06/2017 03:19, Henri Tremblay wrote:
> It's for Objenesis, which is used to instantiate classes without 
> calling a constructor. One of the instantiators is the 
> MagicInstantiator. It's not used by default but some people are using it.
>
> The code is here: 
> https://github.com/easymock/objenesis/blob/master/main/src/main/java/org/objenesis/instantiator/sun/MagicInstantiator.java
>
> Basically, I'm creating an instantiator extending MagicAccessorImpl. 
> This class has one method calling Object's default constructor to 
> instantiate another class.
>
> This used to work in Java 8 but I'm not allowed anymore to extend a 
> package private class (yes, yes, I know, that makes sense).
>
The special handling of classes in the class file parser, for code 
generated by the core reflection implementation, has been tightened up 
in JDK 9. It looks to me that the above MagicInstantiator code has been 
exploiting this bug to bypass access checks. It seems way too fragile to 
me to rely on the core internals like this.

Do you have an "instantiator" that uses 
sun.reflect.ReflectionFactory.newConstructorForSerialization? That 
should continue to work. More so, ReflectionFactory has been updated in 
JDK 9 to allow custom serialization libraries to get direct method handles 
to each of the methods specified by the Java Serialization spec.

-Alan
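
An added example, not part of the original message and not Objenesis code: a minimal instantiator built on the sun.reflect.ReflectionFactory.newConstructorForSerialization call mentioned above. It assumes a JDK where sun.reflect.ReflectionFactory is available (the jdk.unsupported module on JDK 9 and later); the Token class and the helper name are hypothetical.

```java
import java.lang.reflect.Constructor;
import sun.reflect.ReflectionFactory; // exported by jdk.unsupported on JDK 9+

public class SerializationInstantiatorDemo {

    // Hypothetical target class whose constructor enforces an invariant.
    static class Token {
        final String owner;
        boolean constructorRan;

        Token(String owner) {
            if (owner == null) {
                throw new IllegalArgumentException("owner required");
            }
            this.owner = owner;
            this.constructorRan = true;
        }
    }

    // Builds an instance of 'type' through a serialization constructor that
    // runs only Object's no-arg constructor; no constructor declared by
    // 'type' is invoked, the same way deserialization creates objects.
    static <T> T newInstanceWithoutConstructor(Class<T> type)
            throws ReflectiveOperationException {
        Constructor<Object> objectCtor = Object.class.getDeclaredConstructor();
        Constructor<?> ctor = ReflectionFactory.getReflectionFactory()
                .newConstructorForSerialization(type, objectCtor);
        if (ctor == null) {
            throw new InstantiationException(
                    "no serialization constructor for " + type.getName());
        }
        return type.cast(ctor.newInstance());
    }

    public static void main(String[] args) throws Exception {
        Token t = newInstanceWithoutConstructor(Token.class);
        // Token's constructor was skipped, so its null check never ran and
        // the fields keep their JVM default values.
        System.out.println("constructorRan = " + t.constructorRan);
        System.out.println("owner = " + t.owner);
    }
}
```

Objects created this way never pass through the checks in their own constructors, so code that receives them cannot assume constructor-enforced invariants hold.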





More information about the jdk9-dev mailing list