1 /*
   2  * Copyright (c) 1997, 2008, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package java.lang.reflect;
  27 
  28 import java.security.AccessController;
  29 import sun.reflect.Reflection;
  30 import sun.reflect.ReflectionFactory;
  31 import java.lang.annotation.Annotation;
  32 
  33 /**
  34  * The AccessibleObject class is the base class for Field, Method and
  35  * Constructor objects.  It provides the ability to flag a reflected
  36  * object as suppressing default Java language access control checks
  37  * when it is used.  The access checks--for public, default (package)
  38  * access, protected, and private members--are performed when Fields,
  39  * Methods or Constructors are used to set or get fields, to invoke
  40  * methods, or to create and initialize new instances of classes,
  41  * respectively.
  42  *
  43  * <p>Setting the {@code accessible} flag in a reflected object
  44  * permits sophisticated applications with sufficient privilege, such
  45  * as Java Object Serialization or other persistence mechanisms, to
  46  * manipulate objects in a manner that would normally be prohibited.
  47  *
  48  * <p>By default, a reflected object is <em>not</em> accessible.
  49  *
  50  * @see Field
  51  * @see Method
  52  * @see Constructor
  53  * @see ReflectPermission
  54  *
  55  * @since 1.2
  56  */
  57 public class AccessibleObject implements AnnotatedElement {
  58 
  59     /**
  60      * The Permission object that is used to check whether a client
  61      * has sufficient privilege to defeat Java language access
  62      * control checks.
  63      */
  64     static final private java.security.Permission ACCESS_PERMISSION =
  65         new ReflectPermission("suppressAccessChecks");
  66 
  67     /**
  68      * Convenience method to set the {@code accessible} flag for an
  69      * array of objects with a single security check (for efficiency).
  70      *
  71      * <p>First, if there is a security manager, its
  72      * {@code checkPermission} method is called with a
  73      * {@code ReflectPermission("suppressAccessChecks")} permission.
  74      *
  75      * <p>A {@code SecurityException} is raised if {@code flag} is
  76      * {@code true} but accessibility of any of the elements of the input
  77      * {@code array} may not be changed (for example, if the element
  78      * object is a {@link Constructor} object for the class {@link
  79      * java.lang.Class}).  In the event of such a SecurityException, the
  80      * accessibility of objects is set to {@code flag} for array elements
  81      * upto (and excluding) the element for which the exception occurred; the
  82      * accessibility of elements beyond (and including) the element for which
  83      * the exception occurred is unchanged.
  84      *
  85      * @param array the array of AccessibleObjects
  86      * @param flag  the new value for the {@code accessible} flag
  87      *              in each object
  88      * @throws SecurityException if the request is denied.
  89      * @see SecurityManager#checkPermission
  90      * @see java.lang.RuntimePermission
  91      */
  92     public static void setAccessible(AccessibleObject[] array, boolean flag)
  93         throws SecurityException {
  94         SecurityManager sm = System.getSecurityManager();
  95         if (sm != null) sm.checkPermission(ACCESS_PERMISSION);
  96         for (int i = 0; i < array.length; i++) {
  97             setAccessible0(array[i], flag);
  98         }
  99     }
 100 
 101     /**
 102      * Set the {@code accessible} flag for this object to
 103      * the indicated boolean value.  A value of {@code true} indicates that
 104      * the reflected object should suppress Java language access
 105      * checking when it is used.  A value of {@code false} indicates
 106      * that the reflected object should enforce Java language access checks.
 107      *
 108      * <p>First, if there is a security manager, its
 109      * {@code checkPermission} method is called with a
 110      * {@code ReflectPermission("suppressAccessChecks")} permission.
 111      *
 112      * <p>A {@code SecurityException} is raised if {@code flag} is
 113      * {@code true} but accessibility of this object may not be changed
 114      * (for example, if this element object is a {@link Constructor} object for
 115      * the class {@link java.lang.Class}).
 116      *
 117      * <p>A {@code SecurityException} is raised if this object is a {@link
 118      * java.lang.reflect.Constructor} object for the class
 119      * {@code java.lang.Class}, and {@code flag} is true.
 120      *
 121      * @param flag the new value for the {@code accessible} flag
 122      * @throws SecurityException if the request is denied.
 123      * @see SecurityManager#checkPermission
 124      * @see java.lang.RuntimePermission
 125      */
 126     public void setAccessible(boolean flag) throws SecurityException {
 127         SecurityManager sm = System.getSecurityManager();
 128         if (sm != null) sm.checkPermission(ACCESS_PERMISSION);
 129         setAccessible0(this, flag);
 130     }
 131 
 132     /* Check that you aren't exposing java.lang.Class.<init>. */
 133     private static void setAccessible0(AccessibleObject obj, boolean flag)
 134         throws SecurityException
 135     {
 136         if (obj instanceof Constructor && flag == true) {
 137             Constructor<?> c = (Constructor<?>)obj;
 138             if (c.getDeclaringClass() == Class.class) {
 139                 throw new SecurityException("Can not make a java.lang.Class" +
 140                                             " constructor accessible");
 141             }
 142         }
 143         obj.override = flag;
 144     }
 145 
 146     /**
 147      * Get the value of the {@code accessible} flag for this object.
 148      *
 149      * @return the value of the object's {@code accessible} flag
 150      */
 151     public boolean isAccessible() {
 152         return override;
 153     }
 154 
 155     /**
 156      * Constructor: only used by the Java Virtual Machine.
 157      */
 158     protected AccessibleObject() {}
 159 
 160     // Indicates whether language-level access checks are overridden
 161     // by this object. Initializes to "false". This field is used by
 162     // Field, Method, and Constructor.
 163     //
 164     // NOTE: for security purposes, this field must not be visible
 165     // outside this package.
 166     boolean override;
 167 
 168     // Reflection factory used by subclasses for creating field,
 169     // method, and constructor accessors. Note that this is called
 170     // very early in the bootstrapping process.
 171     static final ReflectionFactory reflectionFactory =
 172         AccessController.doPrivileged(
 173             new sun.reflect.ReflectionFactory.GetReflectionFactoryAction());
 174 
 175     /**
 176      * @throws NullPointerException {@inheritDoc}
 177      * @since 1.5
 178      */
 179     public <T extends Annotation> T getAnnotation(Class<T> annotationClass) {
 180         throw new AssertionError("All subclasses should override this method");
 181     }
 182 
 183     /**
 184      * @throws NullPointerException {@inheritDoc}
 185      * @since 1.5
 186      */
 187     public boolean isAnnotationPresent(
 188         Class<? extends Annotation> annotationClass) {
 189         return getAnnotation(annotationClass) != null;
 190     }
 191 
 192     /**
 193      * @since 1.5
 194      */
 195     public Annotation[] getAnnotations() {
 196         return getDeclaredAnnotations();
 197     }
 198 
 199     /**
 200      * @since 1.5
 201      */
 202     public Annotation[] getDeclaredAnnotations()  {
 203         throw new AssertionError("All subclasses should override this method");
 204     }
 205 
 206 
 207     // Shared access checking logic.
 208 
 209     // For non-public members or members in package-private classes,
 210     // it is necessary to perform somewhat expensive security checks.
 211     // If the security check succeeds for a given class, it will
 212     // always succeed (it is not affected by the granting or revoking
 213     // of permissions); we speed up the check in the common case by
 214     // remembering the last Class for which the check succeeded.
 215     //
 216     // The simple security check for Constructor is to see if
 217     // the caller has already been seen, verified, and cached.
 218     // (See also Class.newInstance(), which uses a similar method.)
 219     //
 220     // A more complicated security check cache is needed for Method and Field
 221     // The cache can be either null (empty cache), a 2-array of {caller,target},
 222     // or a caller (with target implicitly equal to this.clazz).
 223     // In the 2-array case, the target is always different from the clazz.
 224     volatile Object securityCheckCache;
 225 
 226     void checkAccess(Class<?> caller, Class<?> clazz, Object obj, int modifiers)
 227         throws IllegalAccessException
 228     {
 229         if (caller == clazz) {  // quick check
 230             return;             // ACCESS IS OK
 231         }
 232         Object cache = securityCheckCache;  // read volatile
 233         Class<?> targetClass = clazz;
 234         if (obj != null
 235             && Modifier.isProtected(modifiers)
 236             && ((targetClass = obj.getClass()) != clazz)) {
 237             // Must match a 2-list of { caller, targetClass }.
 238             if (cache instanceof Class[]) {
 239                 Class<?>[] cache2 = (Class<?>[]) cache;
 240                 if (cache2[1] == targetClass &&
 241                     cache2[0] == caller) {
 242                     return;     // ACCESS IS OK
 243                 }
 244                 // (Test cache[1] first since range check for [1]
 245                 // subsumes range check for [0].)
 246             }
 247         } else if (cache == caller) {
 248             // Non-protected case (or obj.class == this.clazz).
 249             return;             // ACCESS IS OK
 250         }
 251 
 252         // If no return, fall through to the slow path.
 253         slowCheckMemberAccess(caller, clazz, obj, modifiers, targetClass);
 254     }
 255 
 256     // Keep all this slow stuff out of line:
 257     void slowCheckMemberAccess(Class<?> caller, Class<?> clazz, Object obj, int modifiers,
 258                                Class<?> targetClass)
 259         throws IllegalAccessException
 260     {
 261         Reflection.ensureMemberAccess(caller, clazz, obj, modifiers);
 262 
 263         // Success: Update the cache.
 264         Object cache = ((targetClass == clazz)
 265                         ? caller
 266                         : new Class<?>[] { caller, targetClass });
 267 
 268         // Note:  The two cache elements are not volatile,
 269         // but they are effectively final.  The Java memory model
 270         // guarantees that the initializing stores for the cache
 271         // elements will occur before the volatile write.
 272         securityCheckCache = cache;         // write volatile
 273     }
 274 }