1 /*
   2  * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package java.lang.reflect;
  27 
  28 import java.security.AccessController;
  29 import sun.reflect.Reflection;
  30 import sun.reflect.ReflectionFactory;
  31 import java.lang.annotation.Annotation;
  32 
  33 /**
  34  * The AccessibleObject class is the base class for Field, Method and
  35  * Constructor objects.  It provides the ability to flag a reflected
  36  * object as suppressing default Java language access control checks
  37  * when it is used.  The access checks--for public, default (package)
  38  * access, protected, and private members--are performed when Fields,
  39  * Methods or Constructors are used to set or get fields, to invoke
  40  * methods, or to create and initialize new instances of classes,
  41  * respectively.
  42  *
  43  * <p>Setting the {@code accessible} flag in a reflected object
  44  * permits sophisticated applications with sufficient privilege, such
  45  * as Java Object Serialization or other persistence mechanisms, to
  46  * manipulate objects in a manner that would normally be prohibited.
  47  *
  48  * <p>By default, a reflected object is <em>not</em> accessible.
  49  *
  50  * @see Field
  51  * @see Method
  52  * @see Constructor
  53  * @see ReflectPermission
  54  *
  55  * @since 1.2
  56  */
  57 public class AccessibleObject implements AnnotatedElement {
  58 
  59     /**
  60      * The Permission object that is used to check whether a client
  61      * has sufficient privilege to defeat Java language access
  62      * control checks.
  63      */
  64     static final private java.security.Permission ACCESS_PERMISSION =
  65         new ReflectPermission("suppressAccessChecks");
  66 
  67     /**
  68      * Convenience method to set the {@code accessible} flag for an
  69      * array of objects with a single security check (for efficiency).
  70      *
  71      * <p>First, if there is a security manager, its
  72      * {@code checkPermission} method is called with a
  73      * {@code ReflectPermission("suppressAccessChecks")} permission.
  74      *
  75      * <p>A {@code SecurityException} is raised if {@code flag} is
  76      * {@code true} but accessibility of any of the elements of the input
  77      * {@code array} may not be changed (for example, if the element
  78      * object is a {@link Constructor} object for the class {@link
  79      * java.lang.Class}).  In the event of such a SecurityException, the
  80      * accessibility of objects is set to {@code flag} for array elements
  81      * up to (and excluding) the element for which the exception occurred; the
  82      * accessibility of elements beyond (and including) the element for which
  83      * the exception occurred is unchanged.
  84      *
  85      * @param array the array of AccessibleObjects
  86      * @param flag  the new value for the {@code accessible} flag
  87      *              in each object
  88      * @throws SecurityException if the request is denied.
  89      * @see SecurityManager#checkPermission
  90      * @see java.lang.RuntimePermission
  91      */
  92     public static void setAccessible(AccessibleObject[] array, boolean flag)
  93         throws SecurityException {
  94         SecurityManager sm = System.getSecurityManager();
  95         if (sm != null) sm.checkPermission(ACCESS_PERMISSION);
  96         for (AccessibleObject ao : array) {
  97             setAccessible0(ao, flag);
  98         }
  99     }
 100 
 101     /**
 102      * Set the {@code accessible} flag for this object to
 103      * the indicated boolean value.  A value of {@code true} indicates that
 104      * the reflected object should suppress Java language access
 105      * checking when it is used.  A value of {@code false} indicates
 106      * that the reflected object should enforce Java language access checks.
 107      *
 108      * <p>First, if there is a security manager, its
 109      * {@code checkPermission} method is called with a
 110      * {@code ReflectPermission("suppressAccessChecks")} permission.
 111      *
 112      * <p>A {@code SecurityException} is raised if {@code flag} is
 113      * {@code true} but accessibility of this object may not be changed
 114      * (for example, if this element object is a {@link Constructor} object for
 115      * the class {@link java.lang.Class}).
 116      *
 117      * <p>A {@code SecurityException} is raised if this object is a {@link
 118      * java.lang.reflect.Constructor} object for the class
 119      * {@code java.lang.Class}, and {@code flag} is true.
 120      *
 121      * @param flag the new value for the {@code accessible} flag
 122      * @throws SecurityException if the request is denied.
 123      * @see SecurityManager#checkPermission
 124      * @see java.lang.RuntimePermission
 125      */
 126     public void setAccessible(boolean flag) throws SecurityException {
 127         SecurityManager sm = System.getSecurityManager();
 128         if (sm != null) sm.checkPermission(ACCESS_PERMISSION);
 129         setAccessible0(this, flag);
 130     }
 131 
 132     /* Check that you aren't exposing java.lang.Class.<init> or sensitive
 133        fields in java.lang.Class. */
 134     private static void setAccessible0(AccessibleObject obj, boolean flag)
 135         throws SecurityException
 136     {
 137         if (obj instanceof Constructor && flag == true) {
 138             Constructor<?> c = (Constructor<?>)obj;
 139             if (c.getDeclaringClass() == Class.class) {
 140                 throw new SecurityException("Cannot make a java.lang.Class" +
 141                                             " constructor accessible");
 142             }
 143         } else if (obj instanceof Field && flag == true) {
 144             Field f = (Field)obj;
 145             if (f.getDeclaringClass() == Class.class &&
 146                 f.getName().equals("classLoader")) {
 147                 throw new SecurityException("Cannot make java.lang.Class.classLoader" +
 148                                             " accessible");
 149             }
 150         }
 151         obj.override = flag;
 152     }
 153 
 154     /**
 155      * Get the value of the {@code accessible} flag for this object.
 156      *
 157      * @return the value of the object's {@code accessible} flag
 158      */
 159     public boolean isAccessible() {
 160         return override;
 161     }
 162 
 163     /**
 164      * Constructor: only used by the Java Virtual Machine.
 165      */
 166     protected AccessibleObject() {}
 167 
 168     // Indicates whether language-level access checks are overridden
 169     // by this object. Initializes to "false". This field is used by
 170     // Field, Method, and Constructor.
 171     //
 172     // NOTE: for security purposes, this field must not be visible
 173     // outside this package.
 174     boolean override;
 175 
 176     // Reflection factory used by subclasses for creating field,
 177     // method, and constructor accessors. Note that this is called
 178     // very early in the bootstrapping process.
 179     static final ReflectionFactory reflectionFactory =
 180         AccessController.doPrivileged(
 181             new sun.reflect.ReflectionFactory.GetReflectionFactoryAction());
 182 
 183     /**
 184      * @throws NullPointerException {@inheritDoc}
 185      * @since 1.5
 186      */
 187     public <T extends Annotation> T getAnnotation(Class<T> annotationClass) {
 188         throw new AssertionError("All subclasses should override this method");
 189     }
 190 
 191     /**
 192      * {@inheritDoc}
 193      * @throws NullPointerException {@inheritDoc}
 194      * @since 1.5
 195      */
 196     @Override
 197     public boolean isAnnotationPresent(Class<? extends Annotation> annotationClass) {
 198         return AnnotatedElement.super.isAnnotationPresent(annotationClass);
 199     }
 200 
 201    /**
 202      * @throws NullPointerException {@inheritDoc}
 203      * @since 1.8
 204      */
 205     @Override
 206     public <T extends Annotation> T[] getAnnotationsByType(Class<T> annotationClass) {
 207         throw new AssertionError("All subclasses should override this method");
 208     }
 209 
 210     /**
 211      * @since 1.5
 212      */
 213     public Annotation[] getAnnotations() {
 214         return getDeclaredAnnotations();
 215     }
 216 
 217     /**
 218      * @throws NullPointerException {@inheritDoc}
 219      * @since 1.8
 220      */
 221     @Override
 222     public <T extends Annotation> T getDeclaredAnnotation(Class<T> annotationClass) {
 223         // Only annotations on classes are inherited, for all other
 224         // objects getDeclaredAnnotation is the same as
 225         // getAnnotation.
 226         return getAnnotation(annotationClass);
 227     }
 228 
 229     /**
 230      * @throws NullPointerException {@inheritDoc}
 231      * @since 1.8
 232      */
 233     @Override
 234     public <T extends Annotation> T[] getDeclaredAnnotationsByType(Class<T> annotationClass) {
 235         // Only annotations on classes are inherited, for all other
 236         // objects getDeclaredAnnotationsByType is the same as
 237         // getAnnotationsByType.
 238         return getAnnotationsByType(annotationClass);
 239     }
 240 
 241     /**
 242      * @since 1.5
 243      */
 244     public Annotation[] getDeclaredAnnotations()  {
 245         throw new AssertionError("All subclasses should override this method");
 246     }
 247 
 248 
 249     // Shared access checking logic.
 250 
 251     // For non-public members or members in package-private classes,
 252     // it is necessary to perform somewhat expensive security checks.
 253     // If the security check succeeds for a given class, it will
 254     // always succeed (it is not affected by the granting or revoking
 255     // of permissions); we speed up the check in the common case by
 256     // remembering the last Class for which the check succeeded.
 257     //
 258     // The simple security check for Constructor is to see if
 259     // the caller has already been seen, verified, and cached.
 260     // (See also Class.newInstance(), which uses a similar method.)
 261     //
 262     // A more complicated security check cache is needed for Method and Field
 263     // The cache can be either null (empty cache), a 2-array of {caller,target},
 264     // or a caller (with target implicitly equal to this.clazz).
 265     // In the 2-array case, the target is always different from the clazz.
 266     volatile Object securityCheckCache;
 267 
 268     void checkAccess(Class<?> caller, Class<?> clazz, Object obj, int modifiers)
 269         throws IllegalAccessException
 270     {
 271         if (caller == clazz) {  // quick check
 272             return;             // ACCESS IS OK
 273         }
 274         Object cache = securityCheckCache;  // read volatile
 275         Class<?> targetClass = clazz;
 276         if (obj != null
 277             && Modifier.isProtected(modifiers)
 278             && ((targetClass = obj.getClass()) != clazz)) {
 279             // Must match a 2-list of { caller, targetClass }.
 280             if (cache instanceof Class[]) {
 281                 Class<?>[] cache2 = (Class<?>[]) cache;
 282                 if (cache2[1] == targetClass &&
 283                     cache2[0] == caller) {
 284                     return;     // ACCESS IS OK
 285                 }
 286                 // (Test cache[1] first since range check for [1]
 287                 // subsumes range check for [0].)
 288             }
 289         } else if (cache == caller) {
 290             // Non-protected case (or obj.class == this.clazz).
 291             return;             // ACCESS IS OK
 292         }
 293 
 294         // If no return, fall through to the slow path.
 295         slowCheckMemberAccess(caller, clazz, obj, modifiers, targetClass);
 296     }
 297 
 298     // Keep all this slow stuff out of line:
 299     void slowCheckMemberAccess(Class<?> caller, Class<?> clazz, Object obj, int modifiers,
 300                                Class<?> targetClass)
 301         throws IllegalAccessException
 302     {
 303         Reflection.ensureMemberAccess(caller, clazz, obj, modifiers);
 304 
 305         // Success: Update the cache.
 306         Object cache = ((targetClass == clazz)
 307                         ? caller
 308                         : new Class<?>[] { caller, targetClass });
 309 
 310         // Note:  The two cache elements are not volatile,
 311         // but they are effectively final.  The Java memory model
 312         // guarantees that the initializing stores for the cache
 313         // elements will occur before the volatile write.
 314         securityCheckCache = cache;         // write volatile
 315     }
 316 }