Should setAccessible be part of Java or not? (was Re: It's not too late for access control)
John Rose
john.r.rose at oracle.com
Sat Jul 16 00:19:13 UTC 2016
On Jul 14, 2016, at 3:25 PM, Jason Greene <jason.greene at redhat.com> wrote:
>
> Not to sound like a broken record, but not all systems want the module to control its own security. They want an intermediary.
>
> And that's a perfectly fine and reasonable security model.
I agree, as long as the intermediary is highly predictable and accountable
in its violations of standard access rules.
And that's in the middle ground I'm talking about, where a module (or class)
is deemed (without direct delegation on its part) to extend trusted access to some
intermediary, which is generally trusted to do things on behalf of a broad range of
such modules (or classes). It's middle ground (not the extreme of setA) because
(a) the intermediary would be more clearly marked as trusted (not just contain
a setA call somewhere in its guts), and (b) the task entrusted to the intermediary
would not require trusted access to all classes, but some well-defined "slice"
across a well-defined set of classes.
To reason about setA you have to predict the actions of a Turing machine,
as it assembles Class and String constants to pick out any API point whatever,
and then make a skeleton key for it.
A good framework makes those actions predictable, based on rules which
allow predictions based on the form of a program rather than the steps it
takes during execution.
Personally, I prefer the MethodHandles.Lookup API to setA (when I have
a choice between the two) because Lookup respects the existing access
control boundaries, while allowing delegation. I think the data flow of
capabilities is easier to reason about than the data flow of random String
and Class values, followed by an unpredictable setA call. But a Lookup
(today) must be created by the principal that owns the access rights,
which is what I think Jason is objecting to.
If we were to make some sort of middle ground between setA and Lookup,
it would look like a kind of Lookup that was obtained with upgraded access
(relative to publicLookup), but without direct creation by the target class.
In exchange for that power, there would be rules for limiting and configuring
the effect of such a Lookup. For example, it might work only for API points
carrying a particular annotation.
You can build this sort of thing on top of setA of course, since setA is
basically root privileges. My point is not that access rules should be
inviolate, but that exceptions to the rules should be as predictable and
even configurable as possible.
A final point: Predictability and configurability leads to alternative
implementations, such as AOP-like injection of code at AOT time.
That's one of the promises of jlink.
HTH
— John
More information about the jigsaw-dev
mailing list