[concurrency-interest] Here's why Atomic*FieldReference access checking is broken

Alan Bateman Alan.Bateman at oracle.com
Sat Oct 4 03:15:13 UTC 2014


On 03/10/2014 08:13, David M. Lloyd wrote:
> :
>
> Why the problem occurs
> ----------------------
> The root of the problem traces back to 
> SecurityManager.checkMemberAccess().  This method is the one remaining 
> method in all of SecurityManager which uses the calling class context 
> (stack) in order to determine the nature of the access check that is 
> needed.
Are you sure you see this in JDK 8 too? I ask because I remember David 
Holmes changed the Atomic*Updater methods to call getDeclaredField in a 
privileged block (JDK-7103570). Also there was work in JDK 8 on caller 
sensitive methods (JEP 176). As part of this then SM.checkMemberAccess 
was deprecated and usages in the JDK dropped (Class.getDeclaredField and 
the others no longer use it).

-Alan.



