Proposal: Allow illegal reflective access by default in JDK 9

Alan Bateman Alan.Bateman at oracle.com
Fri May 19 14:05:40 UTC 2017


On 19/05/2017 14:54, Peter Levart wrote:

> :
>
> Opening the whole JDK (--illegal-access=permit by default) means that 
> all internal "public" APIs are made accessible if by chance someone 
> can grab an instance of the target object and/or an instance of a 
> Method/Field object. Imagine a JDK developer that thought that 
> putting a public type into a concealed package was equivalent to 
> making the type module-private. This is a big surprise from the 
> security perspective and jdk.internal.misc.Unsafe.getUnsafe() might 
> not be a lone example.
True, although it's no different to JDK 8 and older behavior where all 
public members of all public types in all packages were accessible to 
code on the class path. Furthermore, setAccessible could be used to hack 
everywhere. The proposal is really just giving libraries and tools more 
time to sort out their issues.

-Alan
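
Added example, not part of the original message or of the JDK: a small audit that reports which concealed packages the running JVM exports or opens to class-path code, which is the exposure the thread is discussing. The class name `ConcealedPackageAudit` and the helper `concealed` are hypothetical; the example assumes JDK 9 or later and that it is run from the class path.

```java
import java.lang.module.ModuleDescriptor;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;

// Added example: lists packages that a module does not export in its
// descriptor but that the running JVM still makes reachable from the class path.
public class ConcealedPackageAudit {

    // Packages the module contains but does not export to all modules.
    static Set<String> concealed(Module m) {
        Set<String> exported = m.getDescriptor().exports().stream()
                .filter(e -> !e.isQualified())
                .map(ModuleDescriptor.Exports::source)
                .collect(Collectors.toSet());
        Set<String> result = new TreeSet<>(m.getPackages());
        result.removeAll(exported);
        return result;
    }

    public static void main(String[] args) {
        // Assumption: run from the class path, so this is the unnamed module.
        Module caller = ConcealedPackageAudit.class.getModule();
        int total = 0, reachable = 0;
        for (Module m : ModuleLayer.boot().modules()) {
            ModuleDescriptor d = m.getDescriptor();
            // Open and automatic modules expose every package by declaration.
            if (d.isOpen() || d.isAutomatic()) continue;
            for (String pkg : concealed(m)) {
                total++;
                boolean exported = m.isExported(pkg, caller); // public members usable
                boolean open = m.isOpen(pkg, caller);         // setAccessible(true) permitted
                if (exported || open) {
                    reachable++;
                    System.out.printf("%s/%s exported=%b open=%b%n",
                            m.getName(), pkg, exported, open);
                }
            }
        }
        System.out.printf("%d of %d concealed packages reachable from the class path%n",
                reachable, total);
        // The package named in the thread (home of jdk.internal.misc.Unsafe).
        Module base = Object.class.getModule();
        System.out.printf("java.base/jdk.internal.misc open=%b%n",
                base.isOpen("jdk.internal.misc", caller));
    }
}
```

The output depends on the JDK release and on the command line, so comparing a default run with one that passes explicit `--illegal-access` or `--add-opens` options shows what each setting exposes.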

