AccessibleObject.setAccessible() backward compatibility
David M. Lloyd
david.lloyd at redhat.com
Fri Sep 11 20:42:56 UTC 2015
On 09/11/2015 03:14 PM, Tim Boudreau wrote:
> >> If the implementation of MethodHandle uses setAccessible() (I don't know
> >> its internals), then this Java 0day would qualify:
> >
> > It does not as far as I know.
> > It's the opposite, if you want to bypass the security sandbox with a MethodHandle,
> > you have to use reflection + setAccessible and then use Lookup.unreflect*().
>
>
> Point taken.
>
> Regardless, if one of the problems we want to solve here is security
> related, then having a security sandbox you really can't bypass, even
> reflectively, is not a bad idea at all.

In principle, sure. But to paraphrase Schneier, adding complexity is a
sucky way to add security. :-)

If this is a goal though then the only logical way for it to be done
that I can see is by always using AccessController for reflection
permission checks even if there is no security manager. It seems out of
scope of this JSR to me though...

--
- DML