1 /*
2 * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.lang.reflect;
27
28 import java.security.AccessController;
29
30 import jdk.internal.reflect.CallerSensitive;
31 import jdk.internal.reflect.Reflection;
32 import jdk.internal.reflect.ReflectionFactory;
33 import java.lang.annotation.Annotation;
34
35 /**
36 * The AccessibleObject class is the base class for Field, Method and
37 * Constructor objects. It provides the ability to flag a reflected
38 * object as suppressing default Java language access control checks
39 * when it is used. The access checks -- <em>module boundaries</em>,
40 * public, default (package) access, protected, and private members --
41 * are performed when Fields, Methods or Constructors are used to set
42 * or get fields, to invoke methods or to create and initialize new
43 * instances of classes, respectively. Unlike access control specified
44 * in the <cite>The Java™ Language Specification</cite> and
45 * <cite>The Java Virtual Machine Specification</cite>, access checks
46 * with reflected objects assume {@link Module#canRead readability}.
47 *
48 * <p>Setting the {@code accessible} flag in a reflected object
49 * permits sophisticated applications with sufficient privilege, such
50 * as Java Object Serialization or other persistence mechanisms, to
51 * manipulate objects in a manner that would normally be prohibited.
52 *
53 * <p>By default, a reflected object is <em>not</em> accessible.
54 *
55 * @see Field
56 * @see Method
57 * @see Constructor
58 * @see ReflectPermission
59 *
60 * @since 1.2
61 */
62 public class AccessibleObject implements AnnotatedElement {
63
64 /**
65 * The Permission object that is used to check whether a client
66 * has sufficient privilege to defeat Java language access
67 * control checks.
68 */
69 private static final java.security.Permission ACCESS_PERMISSION =
70 new ReflectPermission("suppressAccessChecks");
71
72 static void checkPermission() {
73 SecurityManager sm = System.getSecurityManager();
74 if (sm != null) sm.checkPermission(ACCESS_PERMISSION);
75 }
76
77 /**
78 * Convenience method to set the {@code accessible} flag for an
79 * array of objects with a single security check (for efficiency).
80 *
81 * <p>This method cannot be used to enable access to an object that is a
82 * {@link Member member} of a class in a different module to the caller and
83 * where the class is in a package that is not exported to the caller's
84 * module. Additionally, this method cannot be used to enable access to
85 * non-public members of {@code AccessibleObject} or {@link Module}.
86 *
87 * <p>If there is a security manager, its
88 * {@code checkPermission} method is first called with a
89 * {@code ReflectPermission("suppressAccessChecks")} permission.
90 *
91 * <p>A {@code SecurityException} is also thrown if any of the elements of
92 * the input {@code array} is a {@link java.lang.reflect.Constructor}
93 * object for the class {@code java.lang.Class} and {@code flag} is true.
94 *
95 * @param array the array of AccessibleObjects
96 * @param flag the new value for the {@code accessible} flag
97 * in each object
98 * @throws InaccessibleObjectException if access cannot be enabled
99 * @throws SecurityException if the request is denied.
100 * @see SecurityManager#checkPermission
101 * @see ReflectPermission
102 */
103 @CallerSensitive
104 public static void setAccessible(AccessibleObject[] array, boolean flag) {
105 checkPermission();
106 if (flag) {
107 Class<?> caller = Reflection.getCallerClass();
108 array = array.clone();
109 for (AccessibleObject ao : array) {
110 ao.checkCanSetAccessible(caller);
111 }
112 }
113 for (AccessibleObject ao : array) {
114 ao.setAccessible0(flag);
115 }
116 }
117
118 /**
119 * Set the {@code accessible} flag for this object to
120 * the indicated boolean value. A value of {@code true} indicates that
121 * the reflected object should suppress Java language access
122 * checking when it is used. A value of {@code false} indicates
123 * that the reflected object should enforce Java language access checks
124 * while assuming readability (as noted in the class description).
125 *
126 * <p>This method cannot be used to enable access to an object that is a
127 * {@link Member member} of a class in a different module to the caller and
128 * where the class is in a package that is not exported to the caller's
129 * module. Additionally, this method cannot be used to enable access to
130 * non-public members of {@code AccessibleObject} or {@link Module}.
131 *
132 * <p>If there is a security manager, its
133 * {@code checkPermission} method is first called with a
134 * {@code ReflectPermission("suppressAccessChecks")} permission.
135 *
136 * @param flag the new value for the {@code accessible} flag
137 * @throws InaccessibleObjectException if access cannot be enabled
138 * @throws SecurityException if the request is denied
139 * @see SecurityManager#checkPermission
140 * @see ReflectPermission
141 */
142 public void setAccessible(boolean flag) {
143 AccessibleObject.checkPermission();
144 setAccessible0(flag);
145 }
146
147 void setAccessible0(boolean flag) {
148 this.override = flag;
149 }
150
151 /**
152 * If the given AccessibleObject is a {@code Constructor}, {@code Method}
153 * or {@code Field} then checks that its declaring class is in a package
154 * that can be accessed by the given caller of setAccessible.
155 */
156 void checkCanSetAccessible(Class<?> caller) {
157 // do nothing, needs to be overridden by Constructor, Method, Field
158 }
159
160 void checkCanSetAccessible(Class<?> caller, Class<?> declaringClass) {
161 Module callerModule = caller.getModule();
162 Module declaringModule = declaringClass.getModule();
163
164 if (callerModule != declaringModule
165 && callerModule != Object.class.getModule()) {
166
167 // check exports to target module
168 String pn = packageName(declaringClass);
169 if (!declaringModule.isExported(pn, callerModule)) {
170 String msg = "Unable to make member of "
171 + declaringClass + " accessible: "
172 + declaringModule + " does not export "
173 + pn + " to " + callerModule;
174 Reflection.throwInaccessibleObjectException(msg);
175 }
176
177 }
178
179 if (declaringClass == Module.class
180 || declaringClass == AccessibleObject.class) {
181 int modifiers;
182 if (this instanceof Executable) {
183 modifiers = ((Executable) this).getModifiers();
184 } else {
185 modifiers = ((Field) this).getModifiers();
186 }
187 if (!Modifier.isPublic(modifiers)) {
188 String msg = "Cannot make a non-public member of "
189 + declaringClass + " accessible";
190 Reflection.throwInaccessibleObjectException(msg);
191 }
192 }
193 }
194
195 /**
196 * Returns the package name of the given class.
197 */
198 private static String packageName(Class<?> c) {
199 while (c.isArray()) {
200 c = c.getComponentType();
201 }
202 String pn = c.getPackageName();
203 return (pn != null) ? pn : "";
204 }
205
206 /**
207 * Get the value of the {@code accessible} flag for this object.
208 *
209 * @return the value of the object's {@code accessible} flag
210 */
211 public boolean isAccessible() {
212 return override;
213 }
214
215 /**
216 * Constructor: only used by the Java Virtual Machine.
217 */
218 protected AccessibleObject() {}
219
220 // Indicates whether language-level access checks are overridden
221 // by this object. Initializes to "false". This field is used by
222 // Field, Method, and Constructor.
223 //
224 // NOTE: for security purposes, this field must not be visible
225 // outside this package.
226 boolean override;
227
228 // Reflection factory used by subclasses for creating field,
229 // method, and constructor accessors. Note that this is called
230 // very early in the bootstrapping process.
231 static final ReflectionFactory reflectionFactory =
232 AccessController.doPrivileged(
233 new ReflectionFactory.GetReflectionFactoryAction());
234
235 /**
236 * @throws NullPointerException {@inheritDoc}
237 * @since 1.5
238 */
239 public <T extends Annotation> T getAnnotation(Class<T> annotationClass) {
240 throw new AssertionError("All subclasses should override this method");
241 }
242
243 /**
244 * {@inheritDoc}
245 * @throws NullPointerException {@inheritDoc}
246 * @since 1.5
247 */
248 @Override
249 public boolean isAnnotationPresent(Class<? extends Annotation> annotationClass) {
250 return AnnotatedElement.super.isAnnotationPresent(annotationClass);
251 }
252
253 /**
254 * @throws NullPointerException {@inheritDoc}
255 * @since 1.8
256 */
257 @Override
258 public <T extends Annotation> T[] getAnnotationsByType(Class<T> annotationClass) {
259 throw new AssertionError("All subclasses should override this method");
260 }
261
262 /**
263 * @since 1.5
264 */
265 public Annotation[] getAnnotations() {
266 return getDeclaredAnnotations();
267 }
268
269 /**
270 * @throws NullPointerException {@inheritDoc}
271 * @since 1.8
272 */
273 @Override
274 public <T extends Annotation> T getDeclaredAnnotation(Class<T> annotationClass) {
275 // Only annotations on classes are inherited, for all other
276 // objects getDeclaredAnnotation is the same as
277 // getAnnotation.
278 return getAnnotation(annotationClass);
279 }
280
281 /**
282 * @throws NullPointerException {@inheritDoc}
283 * @since 1.8
284 */
285 @Override
286 public <T extends Annotation> T[] getDeclaredAnnotationsByType(Class<T> annotationClass) {
287 // Only annotations on classes are inherited, for all other
288 // objects getDeclaredAnnotationsByType is the same as
289 // getAnnotationsByType.
290 return getAnnotationsByType(annotationClass);
291 }
292
293 /**
294 * @since 1.5
295 */
296 public Annotation[] getDeclaredAnnotations() {
297 throw new AssertionError("All subclasses should override this method");
298 }
299
300
301 // Shared access checking logic.
302
303 // For non-public members or members in package-private classes,
304 // it is necessary to perform somewhat expensive security checks.
305 // If the security check succeeds for a given class, it will
306 // always succeed (it is not affected by the granting or revoking
307 // of permissions); we speed up the check in the common case by
308 // remembering the last Class for which the check succeeded.
309 //
310 // The simple security check for Constructor is to see if
311 // the caller has already been seen, verified, and cached.
312 // (See also Class.newInstance(), which uses a similar method.)
313 //
314 // A more complicated security check cache is needed for Method and Field
315 // The cache can be either null (empty cache), a 2-array of {caller,target},
316 // or a caller (with target implicitly equal to this.clazz).
317 // In the 2-array case, the target is always different from the clazz.
318 volatile Object securityCheckCache;
319
320 void checkAccess(Class<?> caller, Class<?> clazz, Object obj, int modifiers)
321 throws IllegalAccessException
322 {
323 if (caller == clazz) { // quick check
324 return; // ACCESS IS OK
325 }
326 Object cache = securityCheckCache; // read volatile
327 Class<?> targetClass = clazz;
328 if (obj != null
329 && Modifier.isProtected(modifiers)
330 && ((targetClass = obj.getClass()) != clazz)) {
331 // Must match a 2-list of { caller, targetClass }.
332 if (cache instanceof Class[]) {
333 Class<?>[] cache2 = (Class<?>[]) cache;
334 if (cache2[1] == targetClass &&
335 cache2[0] == caller) {
336 return; // ACCESS IS OK
337 }
338 // (Test cache[1] first since range check for [1]
339 // subsumes range check for [0].)
340 }
341 } else if (cache == caller) {
342 // Non-protected case (or obj.class == this.clazz).
343 return; // ACCESS IS OK
344 }
345
346 // If no return, fall through to the slow path.
347 slowCheckMemberAccess(caller, clazz, obj, modifiers, targetClass);
348 }
349
350 // Keep all this slow stuff out of line:
351 void slowCheckMemberAccess(Class<?> caller, Class<?> clazz, Object obj, int modifiers,
352 Class<?> targetClass)
353 throws IllegalAccessException
354 {
355 Reflection.ensureMemberAccess(caller, clazz, obj, modifiers);
356
357 // Success: Update the cache.
358 Object cache = ((targetClass == clazz)
359 ? caller
360 : new Class<?>[] { caller, targetClass });
361
362 // Note: The two cache elements are not volatile,
363 // but they are effectively final. The Java memory model
364 // guarantees that the initializing stores for the cache
365 // elements will occur before the volatile write.
366 securityCheckCache = cache; // write volatile
367 }
368 }