Should setAccessible be part of Java or not? (was Re: It's not too late for access control)
John Rose
john.r.rose at oracle.com
Thu Jul 14 22:07:12 UTC 2016
On Jul 14, 2016, at 4:51 AM, Andrew Haley <aph at redhat.com> wrote:
>
> Forgive me if I've missed something, but
> #ReflectiveAccessToNonExportedTypes does not deal with the need to
> make fields or methods accessible to the framework. That's what
> setAccessible is used for. It would certainly be nice for a
> framework to be able to say "make it accessible, but only to me."
Saying setAccessible is like "borrowing" (without owner permission) a
key to one locked door, if a non-public method is like a locked door.
Today's MethodHandles.Lookup object gives another way to open such
doors. But you have to obtain the lookup object from a party that already
has access rights. It is like the owner of a building (a class) giving a key
which opens all the doors in the building, or all the doors not marked "Private".
With both setA Methods and Lookups, once you have the key in hand,
you have to lock it up to prevent bad guys from stealing it from you.
And if you loan it out, you have to loan it to trustworthy parties.
Somewhere in between the two (unrestricted "borrowing" vs. direct delegation
of original access rights) must be some better conventions for reflecting into frameworks.
— John
More information about the jigsaw-dev
mailing list