Should setAccessible be part of Java or not? (was Re: It's not too late for access control)

[Andrew Haley]

On 14/07/16 13:14, Alan Bateman wrote:
> 
> On 14/07/2016 12:51, Andrew Haley wrote:
>> :
>> Forgive me if I've missed something, but
>> #ReflectiveAccessToNonExportedTypes does not deal with the need to
>> make fields or methods accessible to the framework.  That's what
>> setAccessible is used for.  It would certainly be nice for a
>> framework to be able to say "make it accessible, but only to me."
>>
> It's related. If a package is exported to you then you can break into 
> its non-public types and members with setAccessible. So I think it will 
> fall out of the wash once there is agreement on 
> #ReflectiveAccessToNonExportedTypes.

At Red Hat we have many Java programmers.  We also have many customers
who are Java programmers.  I am trying to persuade people to try out
JDK 9 in order to give us the feedback we need to ratify the JDK 9
specification.  But you know where this is going: the changes to
Jigsaw which we need are TBD, but with an assurance of "I think we'll
be able to work something out."  This is a tough sell for me.

I am also rather concerned that too much is going into Jigsaw.  Along
with much-needed modularization of the JDK itself we're getting access
controls such as the one we're discussing.  I understand the argument
for restricting setAccessible() in a module context (and the computer
scientist in me says "Yay!") but it's not a necessary part of
modularization and it should be discussed on its own merits.  Everyone
is going to be affected by Jigsaw, but you can't expect everyone to
read the minutiae of the discussion.

Andrew.