tags:

views:

52

answers:

1
+2  Q: 

Is there a way for a SecurityManager in java to selectively grant ReflectPermission("suppressAccessChecks")?

Is there any way for a SecurityManager in Java to selectively grant ReflectPermission("suppressAccessChecks") depending on the details of what setAccessible() is being called on? I don't see any way for this to be done.

For some sandboxed code, it would be very useful (such as for running various dynamic JVM languages) to allow the setAccessible() reflection API to be called, but only when setAccessible() is called on a method/field of a class that originates in the sandboxed code.

Does anyone have any alternative suggestions other than selective granting of ReflectPermission("suppressAccessChecks") if this isn't possible? Perhaps it would be safe to grant in all cases if SecurityManager.checkMemberAccess() is sufficiently restrictive?

A: 

FWI: Since setAccessible seems only to have a valid use-case with serialization, I would think you might often get away with simply denying it outright.

That said, I am interested in how one does this sort of thing in general because I too have to write a security manager to block dynamically loaded code from doing things that our application container code needs to be able to do.

Software Monkey  2010-02-22 23:57:22
Unfortunately, some dynamic JVM lanauges are unfortunately fairly setAccessible-happy, calling it even for public methods they don't need to call it for. Plus there are use cases like that serialization you mention, or some modes of operation of dependency injection frameworks, that would preferred to not be needlessly blocking.
Alex Schultz  2010-02-23 00:07:06
Hmmm. Not aware of those other use cases - I have long thought that setAccessible is the biggest security screw up Sun ever made with Java.
Software Monkey  2010-02-23 01:01:13

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java