My position on module security/access control
David M. Lloyd
david.lloyd at redhat.com
Wed Nov 18 16:10:30 UTC 2015
I wanted to summarize my position on module security and access control,
so that all my thoughts are in one place instead of scattered across
various threads.
The first point I want to make is that I think that the idea of having
public classes that are not public is a red flag. If a class and member
is public, it should always be accessible to everyone regardless of who
imports what module. There should only be one access control mechanism
in the language. Users already seem keen to find ways to break out of
the Jigsaw export-based restrictions and I think this is an indicator
that, while expedient, the Jigsaw approach is far from ideal. In
addition I think this is an essential step towards the ultimate goal of
removing the dreaded setAccessible() method; if frameworks cannot even
access public members then they will never be able break away from using
reflection as a back door. The concept being established here is the
ability to have a public class which is not exported but is still
accessible to anyone.
The second point is around module privacy. It is clear that
(language-wise) we need an access level that is module-private. Given
the relative uselessness of package-private accessibility in the module
world, I propose that any reference to a default-access-level member in
a Java 9 class should be considered to be a module-private access, not a
package-private access, in both javac and the JVM. The protected access
level should be similarly widened. This avoids the need for changing
the class file format or introducing new modifiers to the language or
reflection APIs, and ensures that the language continues to have only
one central access control mechanism, instead of two interacting
mechanisms, and completely eliminates all the "SharedSecret"-like cases
found throughout the JDK and elsewhere. In the very long term, if/when
support for Java 8-and-earlier class files is removed, only module
access will remain, which results in a somewhat cleaner and more useful
set of access controls.
The third point is around "friend" modules. It seems clear that we have
a requirement (which can be extrapolated easily from the document) that
some modules need the ability to provide selective access to nonpublic
members to other modules. This requirement seems perfectly reasonable,
and the access level change described previously should be amenable to
this mechanism. The mechanism could work on a package-by-package basis
or at a module level; I think that the distinction between the two is
relatively small in terms of implementation and is purely a user
requirements question. The compiler and JVM should take this
information into account when checking access to a peer module's class.
The compiler will need to know, as part of compilation, what peer
modules (or packages within peer modules) are expected to be accessible
to the currently-compiling module at run time; the means of
accomplishing this is a question of how the module metadata is
represented and stored and is not directly relevant to the issue at
hand, though I feel that a simple argument to javac/JavaCompiler is
sufficient (i.e. let the build tool, which understands how the module is
to be assembled and may have access to a variety of forms of metadata,
discover the information and pass it to the compiler).
The fourth point relates to ServiceLoader. If ServiceLoader has a
unique and special blessing to bypass the access mechanism, then we've
failed to design an adequately flexible (and secure) access control
mechanism. By implementing the three points above, ServiceLoader no
longer needs to be a special citizen, because all service implementation
classes are public (as they are today, and as they should be). A user
could implement ServiceLoader in unprivileged code and it would work
with no special trapdoors.
My intuition is that tying exporting with accessibility hides some
potentially serious and maybe unsolvable land mines, and recent
discussion on the Jigsaw list seems to imply that there are more
practical problems as well. Keeping the concepts separate and building
on the established accessibility mechanism seems like a much safer
course to me (if not as expedient), and I hope I can convince the rest
of the experts of the same.
--
- DML
More information about the jpms-spec-experts
mailing list