Add reads to open module
Christian Beikov
christian.beikov at gmail.com
Mon May 17 16:42:34 UTC 2021
Am 17.05.2021 um 18:34 schrieb forax at univ-mlv.fr:
> ----- Mail original -----
>> De: "Christian Beikov" <christian.beikov at gmail.com>
>> À: "Remi Forax" <forax at univ-mlv.fr>
>> Cc: "jigsaw-dev" <jigsaw-dev at openjdk.java.net>
>> Envoyé: Lundi 17 Mai 2021 18:27:01
>> Objet: Re: Add reads to open module
>> Am 17.05.2021 um 18:10 schrieb Remi Forax:
>>> ----- Mail original -----
>>>> De: "Christian Beikov" <christian.beikov at gmail.com>
>>>> À: "jigsaw-dev" <jigsaw-dev at openjdk.java.net>
>>>> Envoyé: Lundi 17 Mai 2021 17:43:15
>>>> Objet: Fwd: Add reads to open module
>>>> Hi,
>>>>
>>>> I have a use case where I generate some code and that code refers to
>>>> classes of some module B.
>>>>
>>>> When the module A (an open module), into which I define that class, has
>>>> no read-edges to the module B, this fails saying that A does not read B.
>>>>
>>>> That's fine and totally understandable, so I tried to add the following
>>>> code:
>>>>
>>>> moduleA.addReads("moduleB.pkg", moduleB)
>>>>
>>>> but this is not allowed as `addReads` only works if `this == callerModule`.
>>>>
>>>> My workaround is to define a class into module A that can then call this
>>>> method.
>>>>
>>>> Is there a reason to this limitation? I mean the module is open anyway,
>>>> so anyone can just define a class into it, so why not also allow calling
>>>> addReads?
>>> It's basic security [1], you can not see something you do not ask for.
>>> By example, if your module as a security issue, you don't want an attacker to be
>>> able to see all other open modules from your module.
>> Right, but the module is open already, so I can do anything by injecting
>> code into that module. It's more of a usabulity question I guess,
>> because I'd rather just call `Module#addReads` directly instead of doing
>> this through a <clinit> or a dedicated class that I inject. Not sure how
>> the system is more secure by not allowing to call this method directly
>> in this case.
> You can do that, because you control the command line, an attacker may not be able to do the same thing.
>
> Rémi
This has nothing to do with the command line. This is all in Java code.
More information about the jigsaw-dev
mailing list