1 /* 2 * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.lang.reflect; 27 28 import java.security.AccessController; 29 import sun.reflect.Reflection; 30 import sun.reflect.ReflectionFactory; 31 import java.lang.annotation.Annotation; 32 33 /** 34 * The AccessibleObject class is the base class for Field, Method and 35 * Constructor objects. It provides the ability to flag a reflected 36 * object as suppressing default Java language access control checks 37 * when it is used. The access checks--for public, default (package) 38 * access, protected, and private members--are performed when Fields, 39 * Methods or Constructors are used to set or get fields, to invoke 40 * methods, or to create and initialize new instances of classes, 41 * respectively. 42 * 43 * <p>Setting the {@code accessible} flag in a reflected object 44 * permits sophisticated applications with sufficient privilege, such 45 * as Java Object Serialization or other persistence mechanisms, to 46 * manipulate objects in a manner that would normally be prohibited. 47 * 48 * <p>By default, a reflected object is <em>not</em> accessible. 49 * 50 * @see Field 51 * @see Method 52 * @see Constructor 53 * @see ReflectPermission 54 * 55 * @since 1.2 56 */ 57 public class AccessibleObject implements AnnotatedElement { 58 59 /** 60 * The Permission object that is used to check whether a client 61 * has sufficient privilege to defeat Java language access 62 * control checks. 63 */ 64 static final private java.security.Permission ACCESS_PERMISSION = 65 new ReflectPermission("suppressAccessChecks"); 66 67 /** 68 * Convenience method to set the {@code accessible} flag for an 69 * array of objects with a single security check (for efficiency). 70 * 71 * <p>First, if there is a security manager, its 72 * {@code checkPermission} method is called with a 73 * {@code ReflectPermission("suppressAccessChecks")} permission. 74 * 75 * <p>A {@code SecurityException} is raised if {@code flag} is 76 * {@code true} but accessibility of any of the elements of the input 77 * {@code array} may not be changed (for example, if the element 78 * object is a {@link Constructor} object for the class {@link 79 * java.lang.Class}). In the event of such a SecurityException, the 80 * accessibility of objects is set to {@code flag} for array elements 81 * up to (and excluding) the element for which the exception occurred; the 82 * accessibility of elements beyond (and including) the element for which 83 * the exception occurred is unchanged. 84 * 85 * @param array the array of AccessibleObjects 86 * @param flag the new value for the {@code accessible} flag 87 * in each object 88 * @throws SecurityException if the request is denied. 89 * @see SecurityManager#checkPermission 90 * @see java.lang.RuntimePermission 91 */ 92 public static void setAccessible(AccessibleObject[] array, boolean flag) 93 throws SecurityException { 94 SecurityManager sm = System.getSecurityManager(); 95 if (sm != null) sm.checkPermission(ACCESS_PERMISSION); 96 for (AccessibleObject ao : array) { 97 setAccessible0(ao, flag); 98 } 99 } 100 101 /** 102 * Set the {@code accessible} flag for this object to 103 * the indicated boolean value. A value of {@code true} indicates that 104 * the reflected object should suppress Java language access 105 * checking when it is used. A value of {@code false} indicates 106 * that the reflected object should enforce Java language access checks. 107 * 108 * <p>First, if there is a security manager, its 109 * {@code checkPermission} method is called with a 110 * {@code ReflectPermission("suppressAccessChecks")} permission. 111 * 112 * <p>A {@code SecurityException} is raised if {@code flag} is 113 * {@code true} but accessibility of this object may not be changed 114 * (for example, if this element object is a {@link Constructor} object for 115 * the class {@link java.lang.Class}). 116 * 117 * <p>A {@code SecurityException} is raised if this object is a {@link 118 * java.lang.reflect.Constructor} object for the class 119 * {@code java.lang.Class}, and {@code flag} is true. 120 * 121 * @param flag the new value for the {@code accessible} flag 122 * @throws SecurityException if the request is denied. 123 * @see SecurityManager#checkPermission 124 * @see java.lang.RuntimePermission 125 */ 126 public void setAccessible(boolean flag) throws SecurityException { 127 SecurityManager sm = System.getSecurityManager(); 128 if (sm != null) sm.checkPermission(ACCESS_PERMISSION); 129 setAccessible0(this, flag); 130 } 131 132 /* Check that you aren't exposing java.lang.Class.<init> or sensitive 133 fields in java.lang.Class. */ 134 private static void setAccessible0(AccessibleObject obj, boolean flag) 135 throws SecurityException 136 { 137 if (obj instanceof Constructor && flag == true) { 138 Constructor<?> c = (Constructor<?>)obj; 139 if (c.getDeclaringClass() == Class.class) { 140 throw new SecurityException("Cannot make a java.lang.Class" + 141 " constructor accessible"); 142 } 143 } 144 obj.override = flag; 145 } 146 147 /** 148 * Get the value of the {@code accessible} flag for this object. 149 * 150 * @return the value of the object's {@code accessible} flag 151 */ 152 public boolean isAccessible() { 153 return override; 154 } 155 156 /** 157 * Constructor: only used by the Java Virtual Machine. 158 */ 159 protected AccessibleObject() {} 160 161 // Indicates whether language-level access checks are overridden 162 // by this object. Initializes to "false". This field is used by 163 // Field, Method, and Constructor. 164 // 165 // NOTE: for security purposes, this field must not be visible 166 // outside this package. 167 boolean override; 168 169 // Reflection factory used by subclasses for creating field, 170 // method, and constructor accessors. Note that this is called 171 // very early in the bootstrapping process. 172 static final ReflectionFactory reflectionFactory = 173 AccessController.doPrivileged( 174 new sun.reflect.ReflectionFactory.GetReflectionFactoryAction()); 175 176 /** 177 * @throws NullPointerException {@inheritDoc} 178 * @since 1.5 179 */ 180 public <T extends Annotation> T getAnnotation(Class<T> annotationClass) { 181 throw new AssertionError("All subclasses should override this method"); 182 } 183 184 /** 185 * {@inheritDoc} 186 * @throws NullPointerException {@inheritDoc} 187 * @since 1.5 188 */ 189 @Override 190 public boolean isAnnotationPresent(Class<? extends Annotation> annotationClass) { 191 return AnnotatedElement.super.isAnnotationPresent(annotationClass); 192 } 193 194 /** 195 * @throws NullPointerException {@inheritDoc} 196 * @since 1.8 197 */ 198 @Override 199 public <T extends Annotation> T[] getAnnotationsByType(Class<T> annotationClass) { 200 throw new AssertionError("All subclasses should override this method"); 201 } 202 203 /** 204 * @since 1.5 205 */ 206 public Annotation[] getAnnotations() { 207 return getDeclaredAnnotations(); 208 } 209 210 /** 211 * @throws NullPointerException {@inheritDoc} 212 * @since 1.8 213 */ 214 @Override 215 public <T extends Annotation> T getDeclaredAnnotation(Class<T> annotationClass) { 216 // Only annotations on classes are inherited, for all other 217 // objects getDeclaredAnnotation is the same as 218 // getAnnotation. 219 return getAnnotation(annotationClass); 220 } 221 222 /** 223 * @throws NullPointerException {@inheritDoc} 224 * @since 1.8 225 */ 226 @Override 227 public <T extends Annotation> T[] getDeclaredAnnotationsByType(Class<T> annotationClass) { 228 // Only annotations on classes are inherited, for all other 229 // objects getDeclaredAnnotationsByType is the same as 230 // getAnnotationsByType. 231 return getAnnotationsByType(annotationClass); 232 } 233 234 /** 235 * @since 1.5 236 */ 237 public Annotation[] getDeclaredAnnotations() { 238 throw new AssertionError("All subclasses should override this method"); 239 } 240 241 242 // Shared access checking logic. 243 244 // For non-public members or members in package-private classes, 245 // it is necessary to perform somewhat expensive security checks. 246 // If the security check succeeds for a given class, it will 247 // always succeed (it is not affected by the granting or revoking 248 // of permissions); we speed up the check in the common case by 249 // remembering the last Class for which the check succeeded. 250 // 251 // The simple security check for Constructor is to see if 252 // the caller has already been seen, verified, and cached. 253 // (See also Class.newInstance(), which uses a similar method.) 254 // 255 // A more complicated security check cache is needed for Method and Field 256 // The cache can be either null (empty cache), a 2-array of {caller,target}, 257 // or a caller (with target implicitly equal to this.clazz). 258 // In the 2-array case, the target is always different from the clazz. 259 volatile Object securityCheckCache; 260 261 void checkAccess(Class<?> caller, Class<?> clazz, Object obj, int modifiers) 262 throws IllegalAccessException 263 { 264 if (caller == clazz) { // quick check 265 return; // ACCESS IS OK 266 } 267 Object cache = securityCheckCache; // read volatile 268 Class<?> targetClass = clazz; 269 if (obj != null 270 && Modifier.isProtected(modifiers) 271 && ((targetClass = obj.getClass()) != clazz)) { 272 // Must match a 2-list of { caller, targetClass }. 273 if (cache instanceof Class[]) { 274 Class<?>[] cache2 = (Class<?>[]) cache; 275 if (cache2[1] == targetClass && 276 cache2[0] == caller) { 277 return; // ACCESS IS OK 278 } 279 // (Test cache[1] first since range check for [1] 280 // subsumes range check for [0].) 281 } 282 } else if (cache == caller) { 283 // Non-protected case (or obj.class == this.clazz). 284 return; // ACCESS IS OK 285 } 286 287 // If no return, fall through to the slow path. 288 slowCheckMemberAccess(caller, clazz, obj, modifiers, targetClass); 289 } 290 291 // Keep all this slow stuff out of line: 292 void slowCheckMemberAccess(Class<?> caller, Class<?> clazz, Object obj, int modifiers, 293 Class<?> targetClass) 294 throws IllegalAccessException 295 { 296 Reflection.ensureMemberAccess(caller, clazz, obj, modifiers); 297 298 // Success: Update the cache. 299 Object cache = ((targetClass == clazz) 300 ? caller 301 : new Class<?>[] { caller, targetClass }); 302 303 // Note: The two cache elements are not volatile, 304 // but they are effectively final. The Java memory model 305 // guarantees that the initializing stores for the cache 306 // elements will occur before the volatile write. 307 securityCheckCache = cache; // write volatile 308 } 309 }