java.lang.invoke vs java.lang.reflect, redundancy and security

MacGregor, Duncan (GE Energy Management) duncan.macgregor at ge.com
Wed Jan 16 11:46:14 PST 2013


The two APIs are different in that security checks are performed when
looking up method handles but not when calling them, while security checks
are performed at every invocation of a reflected method or field. I'm sure
some security infrastructure can be shared by the two APIs, but I'm not
sure how much is in the current implementation.

Regards, Duncan.

On 16/01/2013 14:46, "Eric Bodden" <eric.bodden at ec-spride.de> wrote:

>Hi all.
>
>The discussion I had on this list with Duncan about intercepting
>invokedynamic calls made me wonder:
>
>Since Lookup supports an unreflect(..) method, why is there any need
>for the (backend of the) reflection API at all? The reason I am asking
>is security: getting security checks is hard and maintaining two APIs
>which require such checks seems unnecessarily painful. Would it not be
>possible to simply reroute calls to the reflection API to the "invoke"
>API using unreflect(..) thus getting rid of all the reflection logic
>altogether?
>
>Best wishes,
>Eric
>-- 
>Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
>Head of Secure Software Engineering Group at EC SPRIDE
>Tel: +49 6151 16-75422    Fax: +49 6151 16-72051
>Room 3.2.14, Mornewegstr. 30, 64293 Darmstadt
>_______________________________________________
>mlvm-dev mailing list
>mlvm-dev at openjdk.java.net
>http://mail.openjdk.java.net/mailman/listinfo/mlvm-dev
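
The timing difference described in the reply, as an added example that is not part of the original thread. `Vault`, `secret()` and `exportHandle()` are hypothetical names, and the checks shown are ordinary Java access checks with no SecurityManager installed.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;

public class LookupVsReflect {
    // Calling a handle performs no access check: whoever holds it can invoke it.
    static String viaHandle() throws Throwable {
        MethodHandle mh = Vault.exportHandle();
        return (String) mh.invoke(new Vault());
    }

    // Method.invoke checks the caller on every call; this class cannot see secret().
    static String viaReflection() throws Exception {
        Method m = Vault.class.getDeclaredMethod("secret");
        try {
            return (String) m.invoke(new Vault());
        } catch (IllegalAccessException e) {
            return "denied at invocation";
        }
    }

    // unreflect() applies the same check once, at lookup time, against this class's Lookup.
    static String viaUnreflect() throws Throwable {
        Method m = Vault.class.getDeclaredMethod("secret");
        MethodHandle mh;
        try {
            mh = MethodHandles.lookup().unreflect(m);
        } catch (IllegalAccessException e) {
            return "denied at lookup";
        }
        return (String) mh.invoke(new Vault());
    }

    public static void main(String[] args) throws Throwable {
        System.out.println("handle:     " + viaHandle());      // vault-secret
        System.out.println("reflection: " + viaReflection());  // denied at invocation
        System.out.println("unreflect:  " + viaUnreflect());   // denied at lookup
    }
}

// Hypothetical class with a private member; it alone decides who receives a handle.
class Vault {
    private String secret() { return "vault-secret"; }

    // The access check runs here, once, against Vault's own Lookup (private access).
    static MethodHandle exportHandle() throws ReflectiveOperationException {
        return MethodHandles.lookup()
                .findVirtual(Vault.class, "secret", MethodType.methodType(String.class));
    }
}
```

A method handle therefore behaves like a capability: the class that performs the lookup has to decide who may receive the handle, because nothing re-checks the eventual caller.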


