Should setAccessible be part of Java or not? (was Re: It's not too late for access control)

Andrew Haley aph at redhat.com
Mon Jul 18 09:34:46 UTC 2016


On 15/07/16 19:29, Gregg Wonderly wrote:
> 
>> On Jul 14, 2016, at 6:51 AM, Andrew Haley <aph at redhat.com> wrote:
>>
>>> This is #ReflectiveAccessToNonExportedTypes on the JSR 376 issues list. 
>>> The problem is reasonably well understood and there are several 
>>> proposals and approaches being discussed and considered.
>>
>> Forgive me if I've missed something, but
>> #ReflectiveAccessToNonExportedTypes does not deal with the need to
>> make fields or methods accessible to the framework.  That's what
>> setAccessible is used for.  It would certainly be nice for a
>> framework to be able to say "make it accessible, but only to me."
> 
> That is the question though.  Why does it seem like a good idea to
> limit accessibility when there are so many other ways that the
> software can be exploited without this single limit being able to
> control all the others?

It's no more than a practical way of reducing software complexity.  (I
don't intend to explain why complexity is the enemy of reliability.)

System complexity is related to the number of connections between
components in a system.  By opening up access with setAccessible() you
add an interface to a module.  If that interface is only accessible to
one client, it's a 1:1 connection.  Making it globally accessible is
(potentially) a 1:N connection.  The wider the access, the more scope
for complex interfaces.

Also, making a method or field globally accessible may mean that the
author of the code can no longer guarantee its correctness.

This is commonplace computer science: it should be familiar to all of
us.

> Do you think that people would not decide to decompile your module
> definition and change all the details for visibility so that they
> can then do with it exactly as they need?  In this day and age, and
> especially in the public software realm, control of anything does
> not exist in practicality.  No matter what you believe might limit
> any aspect of your software, there is no way to categorically
> enforce that.

No, but we can reduce risk and the size of attack surfaces.  And, all
other things being equal, we should.

But we must do so in full awareness of the techniques that real-world
Java software uses.  The plasticity of Java has, to a very large
extent, led to its pre-eminence.  We must not lose that.  There are
bad uses of setAccessible() and good ones.

Andrew.
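A worked illustration of the 1:1 versus 1:N distinction made above, added here as an example; it is not code from this thread or from the JDK. The class names `SetAccessibleDemo` and `Config` and the sample field value are assumptions made for the example. The first case shows a framework-style reader reaching a private field of a class in its own module with `setAccessible`, which is the narrow 1:1 connection. The second case shows what happens when the field lives in a module that does not open its package to the caller: on JDK 16 and later `setAccessible(true)` on a `java.base` internal throws `InaccessibleObjectException` (older JDKs only warned and allowed it), and the module system's qualified `opens ... to` clause, shown in the comment, is the "accessible, but only to me" form the thread asks for.

```java
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;

// Hypothetical "user" class (assumed name). Top-level and package-private so
// that SetAccessibleDemo is not a nestmate and private access really does
// require setAccessible().
class Config {
    private String dbPassword = "hunter2";   // constructed sample value
}

// Hypothetical framework-style reader (assumed name); not the thread's code.
public final class SetAccessibleDemo {

    /**
     * Read a private field reflectively. Uses trySetAccessible() (Java 9+)
     * so that a closed module boundary shows up as a boolean the framework
     * can report, instead of an InaccessibleObjectException escaping.
     */
    static String readPrivateField(Object target, String fieldName)
            throws ReflectiveOperationException {
        Field f = target.getClass().getDeclaredField(fieldName);
        if (!f.canAccess(target) && !f.trySetAccessible()) {
            throw new IllegalAccessException(
                "module of " + target.getClass().getName()
                + " does not open package " + target.getClass().getPackageName()
                + " to " + SetAccessibleDemo.class.getModule());
        }
        return String.valueOf(f.get(target));
    }

    public static void main(String[] args) throws Exception {
        // 1. Same module (both classes are in the unnamed module on the class
        //    path): the 1:1 connection. canAccess() is false because the field
        //    is private, trySetAccessible() succeeds, and the read goes through.
        System.out.println("Config.dbPassword = "
            + readPrivateField(new Config(), "dbPassword"));

        // 2. Across a module boundary that is not opened to us: java.base does
        //    not open java.lang to the unnamed module, so the would-be 1:N door
        //    into String's internals is shut by strong encapsulation.
        Field value = String.class.getDeclaredField("value");
        System.out.println("String.value opened to us? " + value.trySetAccessible());
        try {
            value.setAccessible(true);
            System.out.println("setAccessible succeeded "
                + "(JDK before 16, or --add-opens java.base/java.lang=ALL-UNNAMED given)");
        } catch (InaccessibleObjectException e) {
            System.out.println("setAccessible refused: " + e.getMessage());
        }

        // 3. The narrow alternative. If Config lived in a named module
        //    "demo.config" and the framework in "demo.framework", the owner of
        //    Config can grant deep reflection to that one client only:
        //
        //        module demo.config {
        //            exports demo.config;                 // normal API
        //            opens   demo.config to demo.framework; // setAccessible OK
        //        }
        //
        //    Any other module calling setAccessible() on Config's private
        //    members gets InaccessibleObjectException, so the interface stays
        //    a 1:1 connection rather than a global one.
    }
}
```

Compile and run with `javac SetAccessibleDemo.java && java SetAccessibleDemo`. On JDK 17 the second case prints `false` followed by the refusal message; the `--add-opens` flag named in the code is the command-line way of widening that single package, and is a reasonable thing to grep for in launch scripts when auditing how much of this plasticity a deployment actually relies on.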

