1 /*
2 * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.lang.reflect;
27
28 import java.lang.annotation.Annotation;
29 import java.security.AccessController;
30
31 import jdk.internal.misc.VM;
32 import jdk.internal.reflect.CallerSensitive;
33 import jdk.internal.reflect.Reflection;
34 import jdk.internal.reflect.ReflectionFactory;
35 import sun.security.action.GetPropertyAction;
36
37 /**
38 * The AccessibleObject class is the base class for Field, Method and
39 * Constructor objects. It provides the ability to flag a reflected
40 * object as suppressing default Java language access control checks
41 * when it is used. The access checks -- <em>module boundaries</em>,
42 * public, default (package) access, protected, and private members --
43 * are performed when Fields, Methods or Constructors are used to set
44 * or get fields, to invoke methods or to create and initialize new
45 * instances of classes, respectively. Unlike access control specified
46 * in the <cite>The Java™ Language Specification</cite> and
47 * <cite>The Java Virtual Machine Specification</cite>, access checks
48 * with reflected objects assume {@link Module#canRead readability}.
49 *
50 * <p>Setting the {@code accessible} flag in a reflected object
51 * permits sophisticated applications with sufficient privilege, such
52 * as Java Object Serialization or other persistence mechanisms, to
53 * manipulate objects in a manner that would normally be prohibited.
54 *
55 * <p>By default, a reflected object is <em>not</em> accessible.
56 *
57 * @see Field
58 * @see Method
59 * @see Constructor
60 * @see ReflectPermission
61 *
62 * @since 1.2
63 */
64 public class AccessibleObject implements AnnotatedElement {
65
66 /**
67 * The Permission object that is used to check whether a client
68 * has sufficient privilege to defeat Java language access
69 * control checks.
70 */
71 private static final java.security.Permission ACCESS_PERMISSION =
72 new ReflectPermission("suppressAccessChecks");
73
74 static void checkPermission() {
75 SecurityManager sm = System.getSecurityManager();
76 if (sm != null) sm.checkPermission(ACCESS_PERMISSION);
77 }
78
79 /**
80 * Convenience method to set the {@code accessible} flag for an
81 * array of objects with a single security check (for efficiency).
82 *
83 * <p>This method cannot be used to enable access to an object that is a
84 * {@link Member member} of a class in a different module to the caller and
85 * where the class is in a package that is not exported to the caller's
86 * module. Additionally, if the member is non-public or its declaring
87 * class is non-public, then this method can only be used to enable access
88 * if the package is {@link Module#isOpen(String,Module) open} to at least
89 * the caller's module.
90 *
91 * <p>If there is a security manager, its
92 * {@code checkPermission} method is first called with a
93 * {@code ReflectPermission("suppressAccessChecks")} permission.
94 *
95 * <p>A {@code SecurityException} is also thrown if any of the elements of
96 * the input {@code array} is a {@link java.lang.reflect.Constructor}
97 * object for the class {@code java.lang.Class} and {@code flag} is true.
98 *
99 * @param array the array of AccessibleObjects
100 * @param flag the new value for the {@code accessible} flag
101 * in each object
102 * @throws InaccessibleObjectException if access cannot be enabled
103 * @throws SecurityException if the request is denied.
104 * @see SecurityManager#checkPermission
105 * @see ReflectPermission
106 */
107 @CallerSensitive
108 public static void setAccessible(AccessibleObject[] array, boolean flag) {
109 checkPermission();
110 if (flag) {
111 Class<?> caller = Reflection.getCallerClass();
112 array = array.clone();
113 for (AccessibleObject ao : array) {
114 ao.checkCanSetAccessible(caller);
115 }
116 }
117 for (AccessibleObject ao : array) {
118 ao.setAccessible0(flag);
119 }
120 }
121
122 /**
123 * Set the {@code accessible} flag for this object to
124 * the indicated boolean value. A value of {@code true} indicates that
125 * the reflected object should suppress Java language access
126 * checking when it is used. A value of {@code false} indicates
127 * that the reflected object should enforce Java language access checks
128 * while assuming readability (as noted in the class description).
129 *
130 * <p>This method cannot be used to enable access to an object that is a
131 * {@link Member member} of a class in a different module to the caller and
132 * where the class is in a package that is not exported to the caller's
133 * module. Additionally, if the member is non-public or its declaring
134 * class is non-public, then this method can only be used to enable access
135 * if the package is {@link Module#isOpen(String,Module) open} to at least
136 * the caller's module.
137 *
138 * <p>If there is a security manager, its
139 * {@code checkPermission} method is first called with a
140 * {@code ReflectPermission("suppressAccessChecks")} permission.
141 *
142 * @param flag the new value for the {@code accessible} flag
143 * @throws InaccessibleObjectException if access cannot be enabled
144 * @throws SecurityException if the request is denied
145 * @see SecurityManager#checkPermission
146 * @see ReflectPermission
147 * @see java.lang.invoke.MethodHandles#privateLookupIn
148 */
149 public void setAccessible(boolean flag) {
150 AccessibleObject.checkPermission();
151 setAccessible0(flag);
152 }
153
154 void setAccessible0(boolean flag) {
155 this.override = flag;
156 }
157
158 /**
159 * If the given AccessibleObject is a {@code Constructor}, {@code Method}
160 * or {@code Field} then checks that its declaring class is in a package
161 * that can be accessed by the given caller of setAccessible.
162 */
163 void checkCanSetAccessible(Class<?> caller) {
164 // do nothing, needs to be overridden by Constructor, Method, Field
165 }
166
167 void checkCanSetAccessible(Class<?> caller, Class<?> declaringClass) {
168 Module callerModule = caller.getModule();
169 Module declaringModule = declaringClass.getModule();
170
171 if (callerModule == declaringModule) return;
172 if (callerModule == Object.class.getModule()) return;
173 if (!declaringModule.isNamed()) return;
174
175 // package is open to caller
176 String pn = packageName(declaringClass);
177 if (declaringModule.isOpen(pn, callerModule)) {
178 printStackTraceIfOpenedReflectively(declaringModule, pn, callerModule);
179 return;
180 }
181
182 // package is exported to caller and class/member is public
183 boolean isExported = declaringModule.isExported(pn, callerModule);
184 boolean isClassPublic = Modifier.isPublic(declaringClass.getModifiers());
185 int modifiers;
186 if (this instanceof Executable) {
187 modifiers = ((Executable) this).getModifiers();
188 } else {
189 modifiers = ((Field) this).getModifiers();
190 }
191 boolean isMemberPublic = Modifier.isPublic(modifiers);
192 if (isExported && isClassPublic && isMemberPublic) {
193 printStackTraceIfExportedReflectively(declaringModule, pn, callerModule);
194 return;
195 }
196
197 // not accessible
198 String msg = "Unable to make ";
199 if (this instanceof Field)
200 msg += "field ";
201 msg += this + " accessible: " + declaringModule + " does not \"";
202 if (isClassPublic && isMemberPublic)
203 msg += "exports";
204 else
205 msg += "opens";
206 msg += " " + pn + "\" to " + callerModule;
207 InaccessibleObjectException e = new InaccessibleObjectException(msg);
208 if (Reflection.printStackTraceWhenAccessFails()) {
209 e.printStackTrace(System.err);
210 }
211 throw e;
212 }
213
214 private void printStackTraceIfOpenedReflectively(Module module,
215 String pn,
216 Module other) {
217 printStackTraceIfExposedReflectively(module, pn, other, true);
218 }
219
220 private void printStackTraceIfExportedReflectively(Module module,
221 String pn,
222 Module other) {
223 printStackTraceIfExposedReflectively(module, pn, other, false);
224 }
225
226 private static class WARNING extends Exception {
227
228 private static final long serialVersionUID = 42L;
229
230 private WARNING(String msg) {
231 super(msg);
232 }
233
234 public String toString() {
235 return "WARNING: " + getMessage();
236 }
237
238 }
239
240 private void printStackTraceIfExposedReflectively(Module module,
241 String pn,
242 Module other,
243 boolean open) {
244 if (Reflection.printStackTraceWhenAccessSucceeds()
245 && !module.isStaticallyExportedOrOpen(pn, other, open)) {
246 String msg = other + " allowed to invoke setAccessible on ";
247 if (this instanceof Field)
248 msg += "field ";
249 msg += this;
250 new WARNING(msg).printStackTrace(System.err);
251 }
252 }
253
254 /**
255 * Returns the package name of the given class.
256 */
257 private static String packageName(Class<?> c) {
258 while (c.isArray()) {
259 c = c.getComponentType();
260 }
261 String pn = c.getPackageName();
262 return (pn != null) ? pn : "";
263 }
264
265 /**
266 * Get the value of the {@code accessible} flag for this object.
267 *
268 * @return the value of the object's {@code accessible} flag
269 */
270 public boolean isAccessible() {
271 return override;
272 }
273
274 /**
275 * Constructor: only used by the Java Virtual Machine.
276 */
277 protected AccessibleObject() {}
278
279 // Indicates whether language-level access checks are overridden
280 // by this object. Initializes to "false". This field is used by
281 // Field, Method, and Constructor.
282 //
283 // NOTE: for security purposes, this field must not be visible
284 // outside this package.
285 boolean override;
286
287 // Reflection factory used by subclasses for creating field,
288 // method, and constructor accessors. Note that this is called
289 // very early in the bootstrapping process.
290 static final ReflectionFactory reflectionFactory =
291 AccessController.doPrivileged(
292 new ReflectionFactory.GetReflectionFactoryAction());
293
294 /**
295 * @throws NullPointerException {@inheritDoc}
296 * @since 1.5
297 */
298 public <T extends Annotation> T getAnnotation(Class<T> annotationClass) {
299 throw new AssertionError("All subclasses should override this method");
300 }
301
302 /**
303 * {@inheritDoc}
304 * @throws NullPointerException {@inheritDoc}
305 * @since 1.5
306 */
307 @Override
308 public boolean isAnnotationPresent(Class<? extends Annotation> annotationClass) {
309 return AnnotatedElement.super.isAnnotationPresent(annotationClass);
310 }
311
312 /**
313 * @throws NullPointerException {@inheritDoc}
314 * @since 1.8
315 */
316 @Override
317 public <T extends Annotation> T[] getAnnotationsByType(Class<T> annotationClass) {
318 throw new AssertionError("All subclasses should override this method");
319 }
320
321 /**
322 * @since 1.5
323 */
324 public Annotation[] getAnnotations() {
325 return getDeclaredAnnotations();
326 }
327
328 /**
329 * @throws NullPointerException {@inheritDoc}
330 * @since 1.8
331 */
332 @Override
333 public <T extends Annotation> T getDeclaredAnnotation(Class<T> annotationClass) {
334 // Only annotations on classes are inherited, for all other
335 // objects getDeclaredAnnotation is the same as
336 // getAnnotation.
337 return getAnnotation(annotationClass);
338 }
339
340 /**
341 * @throws NullPointerException {@inheritDoc}
342 * @since 1.8
343 */
344 @Override
345 public <T extends Annotation> T[] getDeclaredAnnotationsByType(Class<T> annotationClass) {
346 // Only annotations on classes are inherited, for all other
347 // objects getDeclaredAnnotationsByType is the same as
348 // getAnnotationsByType.
349 return getAnnotationsByType(annotationClass);
350 }
351
352 /**
353 * @since 1.5
354 */
355 public Annotation[] getDeclaredAnnotations() {
356 throw new AssertionError("All subclasses should override this method");
357 }
358
359
360 // Shared access checking logic.
361
362 // For non-public members or members in package-private classes,
363 // it is necessary to perform somewhat expensive security checks.
364 // If the security check succeeds for a given class, it will
365 // always succeed (it is not affected by the granting or revoking
366 // of permissions); we speed up the check in the common case by
367 // remembering the last Class for which the check succeeded.
368 //
369 // The simple security check for Constructor is to see if
370 // the caller has already been seen, verified, and cached.
371 // (See also Class.newInstance(), which uses a similar method.)
372 //
373 // A more complicated security check cache is needed for Method and Field
374 // The cache can be either null (empty cache), a 2-array of {caller,targetClass},
375 // or a caller (with targetClass implicitly equal to memberClass).
376 // In the 2-array case, the targetClass is always different from the memberClass.
377 volatile Object securityCheckCache;
378
379 final void checkAccess(Class<?> caller, Class<?> memberClass,
380 Class<?> targetClass, int modifiers)
381 throws IllegalAccessException
382 {
383 if (caller == memberClass) { // quick check
384 return; // ACCESS IS OK
385 }
386 Object cache = securityCheckCache; // read volatile
387 if (targetClass != null // instance member or constructor
388 && Modifier.isProtected(modifiers)
389 && targetClass != memberClass) {
390 // Must match a 2-list of { caller, targetClass }.
391 if (cache instanceof Class[]) {
392 Class<?>[] cache2 = (Class<?>[]) cache;
393 if (cache2[1] == targetClass &&
394 cache2[0] == caller) {
395 return; // ACCESS IS OK
396 }
397 // (Test cache[1] first since range check for [1]
398 // subsumes range check for [0].)
399 }
400 } else if (cache == caller) {
401 // Non-protected case (or targetClass == memberClass or static member).
402 return; // ACCESS IS OK
403 }
404
405 // If no return, fall through to the slow path.
406 slowCheckMemberAccess(caller, memberClass, targetClass, modifiers);
407 }
408
409 // Keep all this slow stuff out of line:
410 void slowCheckMemberAccess(Class<?> caller, Class<?> memberClass,
411 Class<?> targetClass, int modifiers)
412 throws IllegalAccessException
413 {
414 Reflection.ensureMemberAccess(caller, memberClass, targetClass, modifiers);
415
416 // Success: Update the cache.
417 Object cache = (targetClass != null
418 && Modifier.isProtected(modifiers)
419 && targetClass != memberClass)
420 ? new Class<?>[] { caller, targetClass }
421 : caller;
422
423 // Note: The two cache elements are not volatile,
424 // but they are effectively final. The Java memory model
425 // guarantees that the initializing stores for the cache
426 // elements will occur before the volatile write.
427 securityCheckCache = cache; // write volatile
428 }
429 }