  1. JDK
  2. JDK-8087164

Re-examine caller-sensitiveness of javax.sql.rowset.serial.SerialJavaObject.getFields

    Details

    • Type: Enhancement
    • Status: New
    • Priority: P2
    • Resolution: Unresolved
    • Affects Version/s: 9
    • Fix Version/s: None
    • Component/s: core-libs
    • Labels:
      None

      Description

      The core reflection API is caller-sensitive and bypasses the security check if the caller's class loader is an ancestor of the defining class loader of a Class object.

      javax.sql.rowset.serial.SerialJavaObject.getFields is made @CallerSensitive and performs the same package access as the core reflection API before it returns Field objects with the right caller.

      We're exploring John's idea to inject the caller class at link time [1] for better performance, and the VM has the infrastructure to support static and final methods. These methods are non-static and non-final, which will be very difficult to support.

      One proposal is to change the getFields method to perform a stack walk permission check, possibly with a new permission. The Java policy file will need to be modified, though this incompatibility only has an impact when applications are run with a security manager.

      [1] https://bugs.openjdk.java.net/browse/JDK-8020968?focusedCommentId=13611844&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13611844
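
The loader-ancestor rule described above, as an added Java sketch that is not part of the issue and not the JDK's own code. `isSameOrAncestor`, `needsPackageAccessCheck` and `guardedLookup` are hypothetical names, the public `StackWalker` API stands in for the JDK's caller lookup, and treating an identical loader like an ancestor is an assumption.

```java
import java.net.URL;
import java.net.URLClassLoader;

// Added illustration: all names are hypothetical, not JDK internals.
public class CallerLoaderCheck {
    static final StackWalker WALKER =
        StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE);

    // True if 'candidate' is 'target' or lies on target's parent chain.
    // null denotes the bootstrap loader, the root of every chain.
    static boolean isSameOrAncestor(ClassLoader candidate, ClassLoader target) {
        if (candidate == null) return true;
        for (ClassLoader cl = target; cl != null; cl = cl.getParent()) {
            if (cl == candidate) return true;
        }
        return false;
    }

    // The package access check is skipped only for a caller whose loader is
    // the target's defining loader (assumption) or one of its ancestors.
    static boolean needsPackageAccessCheck(ClassLoader caller, ClassLoader target) {
        return !isSameOrAncestor(caller, target);
    }

    // Stand-in for a caller-sensitive method: the result depends on who calls it.
    static boolean guardedLookup(Class<?> target) {
        Class<?> caller = WALKER.getCallerClass();
        return needsPackageAccessCheck(caller.getClassLoader(), target.getClassLoader());
    }

    public static void main(String[] args) throws Exception {
        ClassLoader app = CallerLoaderCheck.class.getClassLoader();
        // Constructed loader hierarchy: two empty children of the application loader.
        try (URLClassLoader child = new URLClassLoader(new URL[0], app);
             URLClassLoader sibling = new URLClassLoader(new URL[0], app)) {
            System.out.println("parent -> child:      " + needsPackageAccessCheck(app, child));
            System.out.println("child -> parent:      " + needsPackageAccessCheck(child, app));
            System.out.println("sibling -> child:     " + needsPackageAccessCheck(sibling, child));
            System.out.println("bootstrap -> app:     " + needsPackageAccessCheck(null, app));
            System.out.println("this class -> String: " + guardedLookup(String.class));
            System.out.println("this class -> itself: " + guardedLookup(CallerLoaderCheck.class));
        }
    }
}
```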

            People

            • Assignee:
              lancea Lance Andersen
              Reporter:
              mchung Mandy Chung