Reflection: A New Way to Discover Information about Java classes
By Dan Becker, 2003-05-24
Security Issues
Just as security concerns arise when running a Java applet versus a Java application, security concerns also arise when using Java Reflection. Java Reflection enforces security through two levels of checks:
- The Java class Class is the only source for instantiating the Field, Method, and Constructor classes. Class delegates security checking to the system security manager, whose checkMemberAccess(Class,int) method is applied on a class-by-class basis. This method throws a SecurityException if access is not allowed.
- After satisfying the checks in step one, any code may query the reflected member for its identifying information. However, standard Java language checks are enforced when reflected members are used to operate on the underlying members of objects; that is, to get or set field values, to invoke methods, or to create and initialize new objects. There is no notion of privileged code and no means to override the standard language access control checks.
So, in the class inspector example, you are allowed to query the constructors, methods, and fields of any class. But you might run into IllegalAccessExceptions if you attempt to do one of the following:
- Use the Field class to get or set a field value
- Use the Method class to invoke a method
- Use the Constructor class to create and initialize a new instance of a class
These are points to remember if you wish to go beyond inspecting classes to creating and manipulating classes.
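The second level of checks can be seen in a short program. This is an added example, not code from the original tutorial; the class names Vault and ReflectionAccessDemo are hypothetical, and the code never calls setAccessible, so the standard language access checks apply. Querying the private members succeeds, while each attempt to use them from another class is refused.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

// Hypothetical target class: every member that matters is private.
class Vault {
    private String secret = "s3cret";
    private Vault() { }
    private String reveal() { return secret; }
    static Vault open() { return new Vault(); }   // legitimate, non-reflective way in
}

public class ReflectionAccessDemo {
    // Lets each reflective operation throw its checked exceptions.
    interface Use { Object run() throws Exception; }

    // Runs one reflective operation and reports whether the access check let it through.
    static String attempt(String label, Use use) {
        try {
            use.run();
            return label + ": allowed";
        } catch (IllegalAccessException e) {
            return label + ": denied (IllegalAccessException)";
        } catch (Exception e) {
            return label + ": failed (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Level one: obtaining the reflected members and reading their identifying information.
        Class<?> c = Vault.class;
        Field f = c.getDeclaredField("secret");
        Method m = c.getDeclaredMethod("reveal");
        Constructor<?> k = c.getDeclaredConstructor();
        System.out.println("Queried: " + f + " | " + m + " | " + k);

        // Level two: operating on the underlying members is subject to the
        // standard language access checks (no setAccessible call is made here).
        Vault v = Vault.open();
        System.out.println(attempt("Field.get", () -> f.get(v)));
        System.out.println(attempt("Field.set", () -> { f.set(v, "x"); return null; }));
        System.out.println(attempt("Method.invoke", () -> m.invoke(v)));
        System.out.println(attempt("Constructor.newInstance", () -> k.newInstance()));
    }
}
```

Vault is a separate top-level class on purpose: the caller and the private members must belong to different classes for the access check to apply.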
First published by IBM DeveloperWorks
