1 /*
2 * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.lang.reflect;
27
28 import java.security.AccessController;
29 import sun.reflect.Reflection;
30 import sun.reflect.ReflectionFactory;
31 import java.lang.annotation.Annotation;
32
33 /**
34 * The AccessibleObject class is the base class for Field, Method and
35 * Constructor objects. It provides the ability to flag a reflected
36 * object as suppressing default Java language access control checks
37 * when it is used. The access checks--for public, default (package)
38 * access, protected, and private members--are performed when Fields,
39 * Methods or Constructors are used to set or get fields, to invoke
40 * methods, or to create and initialize new instances of classes,
41 * respectively.
42 *
43 * <p>Setting the {@code accessible} flag in a reflected object
44 * permits sophisticated applications with sufficient privilege, such
45 * as Java Object Serialization or other persistence mechanisms, to
46 * manipulate objects in a manner that would normally be prohibited.
47 *
48 * <p>By default, a reflected object is <em>not</em> accessible.
49 *
50 * @see Field
51 * @see Method
52 * @see Constructor
53 * @see ReflectPermission
54 *
55 * @since 1.2
56 */
57 public class AccessibleObject implements AnnotatedElement {
58
59 /**
60 * The Permission object that is used to check whether a client
61 * has sufficient privilege to defeat Java language access
62 * control checks.
63 */
64 static final private java.security.Permission ACCESS_PERMISSION =
65 new ReflectPermission("suppressAccessChecks");
66
67 /**
68 * Convenience method to set the {@code accessible} flag for an
69 * array of objects with a single security check (for efficiency).
70 *
71 * <p>First, if there is a security manager, its
72 * {@code checkPermission} method is called with a
73 * {@code ReflectPermission("suppressAccessChecks")} permission.
74 *
75 * <p>A {@code SecurityException} is raised if {@code flag} is
76 * {@code true} but accessibility of any of the elements of the input
77 * {@code array} may not be changed (for example, if the element
78 * object is a {@link Constructor} object for the class {@link
79 * java.lang.Class}). In the event of such a SecurityException, the
80 * accessibility of objects is set to {@code flag} for array elements
81 * up to (and excluding) the element for which the exception occurred; the
82 * accessibility of elements beyond (and including) the element for which
83 * the exception occurred is unchanged.
84 *
85 * @param array the array of AccessibleObjects
86 * @param flag the new value for the {@code accessible} flag
87 * in each object
88 * @throws SecurityException if the request is denied.
89 * @see SecurityManager#checkPermission
90 * @see java.lang.RuntimePermission
91 */
92 public static void setAccessible(AccessibleObject[] array, boolean flag)
93 throws SecurityException {
94 SecurityManager sm = System.getSecurityManager();
95 if (sm != null) sm.checkPermission(ACCESS_PERMISSION);
96 for (AccessibleObject ao : array) {
97 setAccessible0(ao, flag);
98 }
99 }
100
101 /**
102 * Set the {@code accessible} flag for this object to
103 * the indicated boolean value. A value of {@code true} indicates that
104 * the reflected object should suppress Java language access
105 * checking when it is used. A value of {@code false} indicates
106 * that the reflected object should enforce Java language access checks.
107 *
108 * <p>First, if there is a security manager, its
109 * {@code checkPermission} method is called with a
110 * {@code ReflectPermission("suppressAccessChecks")} permission.
111 *
112 * <p>A {@code SecurityException} is raised if {@code flag} is
113 * {@code true} but accessibility of this object may not be changed
114 * (for example, if this element object is a {@link Constructor} object for
115 * the class {@link java.lang.Class}).
116 *
117 * <p>A {@code SecurityException} is raised if this object is a {@link
118 * java.lang.reflect.Constructor} object for the class
119 * {@code java.lang.Class}, and {@code flag} is true.
120 *
121 * @param flag the new value for the {@code accessible} flag
122 * @throws SecurityException if the request is denied.
123 * @see SecurityManager#checkPermission
124 * @see java.lang.RuntimePermission
125 */
126 public void setAccessible(boolean flag) throws SecurityException {
127 SecurityManager sm = System.getSecurityManager();
128 if (sm != null) sm.checkPermission(ACCESS_PERMISSION);
129 setAccessible0(this, flag);
130 }
131
132 /* Check that you aren't exposing java.lang.Class.<init> or sensitive
133 fields in java.lang.Class. */
134 private static void setAccessible0(AccessibleObject obj, boolean flag)
135 throws SecurityException
136 {
137 if (obj instanceof Constructor && flag == true) {
138 Constructor<?> c = (Constructor<?>)obj;
139 if (c.getDeclaringClass() == Class.class) {
140 throw new SecurityException("Cannot make a java.lang.Class" +
141 " constructor accessible");
142 }
143 }
144 obj.override = flag;
145 }
146
147 /**
148 * Get the value of the {@code accessible} flag for this object.
149 *
150 * @return the value of the object's {@code accessible} flag
151 */
152 public boolean isAccessible() {
153 return override;
154 }
155
156 /**
157 * Constructor: only used by the Java Virtual Machine.
158 */
159 protected AccessibleObject() {}
160
161 // Indicates whether language-level access checks are overridden
162 // by this object. Initializes to "false". This field is used by
163 // Field, Method, and Constructor.
164 //
165 // NOTE: for security purposes, this field must not be visible
166 // outside this package.
167 boolean override;
168
169 // Reflection factory used by subclasses for creating field,
170 // method, and constructor accessors. Note that this is called
171 // very early in the bootstrapping process.
172 static final ReflectionFactory reflectionFactory =
173 AccessController.doPrivileged(
174 new sun.reflect.ReflectionFactory.GetReflectionFactoryAction());
175
176 /**
177 * @throws NullPointerException {@inheritDoc}
178 * @since 1.5
179 */
180 public <T extends Annotation> T getAnnotation(Class<T> annotationClass) {
181 throw new AssertionError("All subclasses should override this method");
182 }
183
184 /**
185 * {@inheritDoc}
186 * @throws NullPointerException {@inheritDoc}
187 * @since 1.5
188 */
189 @Override
190 public boolean isAnnotationPresent(Class<? extends Annotation> annotationClass) {
191 return AnnotatedElement.super.isAnnotationPresent(annotationClass);
192 }
193
194 /**
195 * @throws NullPointerException {@inheritDoc}
196 * @since 1.8
197 */
198 @Override
199 public <T extends Annotation> T[] getAnnotationsByType(Class<T> annotationClass) {
200 throw new AssertionError("All subclasses should override this method");
201 }
202
203 /**
204 * @since 1.5
205 */
206 public Annotation[] getAnnotations() {
207 return getDeclaredAnnotations();
208 }
209
210 /**
211 * @throws NullPointerException {@inheritDoc}
212 * @since 1.8
213 */
214 @Override
215 public <T extends Annotation> T getDeclaredAnnotation(Class<T> annotationClass) {
216 // Only annotations on classes are inherited, for all other
217 // objects getDeclaredAnnotation is the same as
218 // getAnnotation.
219 return getAnnotation(annotationClass);
220 }
221
222 /**
223 * @throws NullPointerException {@inheritDoc}
224 * @since 1.8
225 */
226 @Override
227 public <T extends Annotation> T[] getDeclaredAnnotationsByType(Class<T> annotationClass) {
228 // Only annotations on classes are inherited, for all other
229 // objects getDeclaredAnnotationsByType is the same as
230 // getAnnotationsByType.
231 return getAnnotationsByType(annotationClass);
232 }
233
234 /**
235 * @since 1.5
236 */
237 public Annotation[] getDeclaredAnnotations() {
238 throw new AssertionError("All subclasses should override this method");
239 }
240
241
242 // Shared access checking logic.
243
244 // For non-public members or members in package-private classes,
245 // it is necessary to perform somewhat expensive security checks.
246 // If the security check succeeds for a given class, it will
247 // always succeed (it is not affected by the granting or revoking
248 // of permissions); we speed up the check in the common case by
249 // remembering the last Class for which the check succeeded.
250 //
251 // The simple security check for Constructor is to see if
252 // the caller has already been seen, verified, and cached.
253 // (See also Class.newInstance(), which uses a similar method.)
254 //
255 // A more complicated security check cache is needed for Method and Field
256 // The cache can be either null (empty cache), a 2-array of {caller,target},
257 // or a caller (with target implicitly equal to this.clazz).
258 // In the 2-array case, the target is always different from the clazz.
259 volatile Object securityCheckCache;
260
261 void checkAccess(Class<?> caller, Class<?> clazz, Object obj, int modifiers)
262 throws IllegalAccessException
263 {
264 if (caller == clazz) { // quick check
265 return; // ACCESS IS OK
266 }
267 Object cache = securityCheckCache; // read volatile
268 Class<?> targetClass = clazz;
269 if (obj != null
270 && Modifier.isProtected(modifiers)
271 && ((targetClass = obj.getClass()) != clazz)) {
272 // Must match a 2-list of { caller, targetClass }.
273 if (cache instanceof Class[]) {
274 Class<?>[] cache2 = (Class<?>[]) cache;
275 if (cache2[1] == targetClass &&
276 cache2[0] == caller) {
277 return; // ACCESS IS OK
278 }
279 // (Test cache[1] first since range check for [1]
280 // subsumes range check for [0].)
281 }
282 } else if (cache == caller) {
283 // Non-protected case (or obj.class == this.clazz).
284 return; // ACCESS IS OK
285 }
286
287 // If no return, fall through to the slow path.
288 slowCheckMemberAccess(caller, clazz, obj, modifiers, targetClass);
289 }
290
291 // Keep all this slow stuff out of line:
292 void slowCheckMemberAccess(Class<?> caller, Class<?> clazz, Object obj, int modifiers,
293 Class<?> targetClass)
294 throws IllegalAccessException
295 {
296 Reflection.ensureMemberAccess(caller, clazz, obj, modifiers);
297
298 // Success: Update the cache.
299 Object cache = ((targetClass == clazz)
300 ? caller
301 : new Class<?>[] { caller, targetClass });
302
303 // Note: The two cache elements are not volatile,
304 // but they are effectively final. The Java memory model
305 // guarantees that the initializing stores for the cache
306 // elements will occur before the volatile write.
307 securityCheckCache = cache; // write volatile
308 }
309 }