View Javadoc
1   /*
2    * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
3    * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4    *
5    * This code is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU General Public License version 2 only, as
7    * published by the Free Software Foundation.  Oracle designates this
8    * particular file as subject to the "Classpath" exception as provided
9    * by Oracle in the LICENSE file that accompanied this code.
10   *
11   * This code is distributed in the hope that it will be useful, but WITHOUT
12   * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13   * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14   * version 2 for more details (a copy is included in the LICENSE file that
15   * accompanied this code).
16   *
17   * You should have received a copy of the GNU General Public License version
18   * 2 along with this work; if not, write to the Free Software Foundation,
19   * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20   *
21   * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22   * or visit www.oracle.com if you need additional information or have any
23   * questions.
24   */
25  
26  package java.lang.reflect;
27  
28  import java.security.AccessController;
29  import sun.reflect.Reflection;
30  import sun.reflect.ReflectionFactory;
31  import java.lang.annotation.Annotation;
32  
33  /**
34   * The AccessibleObject class is the base class for Field, Method and
35   * Constructor objects.  It provides the ability to flag a reflected
36   * object as suppressing default Java language access control checks
37   * when it is used.  The access checks--for public, default (package)
38   * access, protected, and private members--are performed when Fields,
39   * Methods or Constructors are used to set or get fields, to invoke
40   * methods, or to create and initialize new instances of classes,
41   * respectively.
42   *
43   * <p>Setting the {@code accessible} flag in a reflected object
44   * permits sophisticated applications with sufficient privilege, such
45   * as Java Object Serialization or other persistence mechanisms, to
46   * manipulate objects in a manner that would normally be prohibited.
47   *
48   * <p>By default, a reflected object is <em>not</em> accessible.
49   *
50   * @see Field
51   * @see Method
52   * @see Constructor
53   * @see ReflectPermission
54   *
55   * @since 1.2
56   */
57  public class AccessibleObject implements AnnotatedElement {
58  
59      /**
60       * The Permission object that is used to check whether a client
61       * has sufficient privilege to defeat Java language access
62       * control checks.
63       */
64      static final private java.security.Permission ACCESS_PERMISSION =
65          new ReflectPermission("suppressAccessChecks");
66  
67      /**
68       * Convenience method to set the {@code accessible} flag for an
69       * array of objects with a single security check (for efficiency).
70       *
71       * <p>First, if there is a security manager, its
72       * {@code checkPermission} method is called with a
73       * {@code ReflectPermission("suppressAccessChecks")} permission.
74       *
75       * <p>A {@code SecurityException} is raised if {@code flag} is
76       * {@code true} but accessibility of any of the elements of the input
77       * {@code array} may not be changed (for example, if the element
78       * object is a {@link Constructor} object for the class {@link
79       * java.lang.Class}).  In the event of such a SecurityException, the
80       * accessibility of objects is set to {@code flag} for array elements
81       * upto (and excluding) the element for which the exception occurred; the
82       * accessibility of elements beyond (and including) the element for which
83       * the exception occurred is unchanged.
84       *
85       * @param array the array of AccessibleObjects
86       * @param flag  the new value for the {@code accessible} flag
87       *              in each object
88       * @throws SecurityException if the request is denied.
89       * @see SecurityManager#checkPermission
90       * @see java.lang.RuntimePermission
91       */
92      public static void setAccessible(AccessibleObject[] array, boolean flag)
93          throws SecurityException {
94          SecurityManager sm = System.getSecurityManager();
95          if (sm != null) sm.checkPermission(ACCESS_PERMISSION);
96          for (int i = 0; i < array.length; i++) {
97              setAccessible0(array[i], flag);
98          }
99      }
100 
101     /**
102      * Set the {@code accessible} flag for this object to
103      * the indicated boolean value.  A value of {@code true} indicates that
104      * the reflected object should suppress Java language access
105      * checking when it is used.  A value of {@code false} indicates
106      * that the reflected object should enforce Java language access checks.
107      *
108      * <p>First, if there is a security manager, its
109      * {@code checkPermission} method is called with a
110      * {@code ReflectPermission("suppressAccessChecks")} permission.
111      *
112      * <p>A {@code SecurityException} is raised if {@code flag} is
113      * {@code true} but accessibility of this object may not be changed
114      * (for example, if this element object is a {@link Constructor} object for
115      * the class {@link java.lang.Class}).
116      *
117      * <p>A {@code SecurityException} is raised if this object is a {@link
118      * java.lang.reflect.Constructor} object for the class
119      * {@code java.lang.Class}, and {@code flag} is true.
120      *
121      * @param flag the new value for the {@code accessible} flag
122      * @throws SecurityException if the request is denied.
123      * @see SecurityManager#checkPermission
124      * @see java.lang.RuntimePermission
125      */
126     public void setAccessible(boolean flag) throws SecurityException {
127         SecurityManager sm = System.getSecurityManager();
128         if (sm != null) sm.checkPermission(ACCESS_PERMISSION);
129         setAccessible0(this, flag);
130     }
131 
132     /* Check that you aren't exposing java.lang.Class.<init>. */
133     private static void setAccessible0(AccessibleObject obj, boolean flag)
134         throws SecurityException
135     {
136         if (obj instanceof Constructor && flag == true) {
137             Constructor<?> c = (Constructor<?>)obj;
138             if (c.getDeclaringClass() == Class.class) {
139                 throw new SecurityException("Can not make a java.lang.Class" +
140                                             " constructor accessible");
141             }
142         }
143         obj.override = flag;
144     }
145 
146     /**
147      * Get the value of the {@code accessible} flag for this object.
148      *
149      * @return the value of the object's {@code accessible} flag
150      */
151     public boolean isAccessible() {
152         return override;
153     }
154 
155     /**
156      * Constructor: only used by the Java Virtual Machine.
157      */
158     protected AccessibleObject() {}
159 
160     // Indicates whether language-level access checks are overridden
161     // by this object. Initializes to "false". This field is used by
162     // Field, Method, and Constructor.
163     //
164     // NOTE: for security purposes, this field must not be visible
165     // outside this package.
166     boolean override;
167 
168     // Reflection factory used by subclasses for creating field,
169     // method, and constructor accessors. Note that this is called
170     // very early in the bootstrapping process.
171     static final ReflectionFactory reflectionFactory =
172         AccessController.doPrivileged(
173             new sun.reflect.ReflectionFactory.GetReflectionFactoryAction());
174 
175     /**
176      * @throws NullPointerException {@inheritDoc}
177      * @since 1.5
178      */
179     public <T extends Annotation> T getAnnotation(Class<T> annotationClass) {
180         throw new AssertionError("All subclasses should override this method");
181     }
182 
183     /**
184      * {@inheritDoc}
185      * @throws NullPointerException {@inheritDoc}
186      * @since 1.5
187      */
188     @Override
189     public boolean isAnnotationPresent(Class<? extends Annotation> annotationClass) {
190         return AnnotatedElement.super.isAnnotationPresent(annotationClass);
191     }
192 
193    /**
194      * @throws NullPointerException {@inheritDoc}
195      * @since 1.8
196      */
197     @Override
198     public <T extends Annotation> T[] getAnnotationsByType(Class<T> annotationClass) {
199         throw new AssertionError("All subclasses should override this method");
200     }
201 
202     /**
203      * @since 1.5
204      */
205     public Annotation[] getAnnotations() {
206         return getDeclaredAnnotations();
207     }
208 
209     /**
210      * @throws NullPointerException {@inheritDoc}
211      * @since 1.8
212      */
213     @Override
214     public <T extends Annotation> T getDeclaredAnnotation(Class<T> annotationClass) {
215         // Only annotations on classes are inherited, for all other
216         // objects getDeclaredAnnotation is the same as
217         // getAnnotation.
218         return getAnnotation(annotationClass);
219     }
220 
221     /**
222      * @throws NullPointerException {@inheritDoc}
223      * @since 1.8
224      */
225     @Override
226     public <T extends Annotation> T[] getDeclaredAnnotationsByType(Class<T> annotationClass) {
227         // Only annotations on classes are inherited, for all other
228         // objects getDeclaredAnnotationsByType is the same as
229         // getAnnotationsByType.
230         return getAnnotationsByType(annotationClass);
231     }
232 
233     /**
234      * @since 1.5
235      */
236     public Annotation[] getDeclaredAnnotations()  {
237         throw new AssertionError("All subclasses should override this method");
238     }
239 
240 
241     // Shared access checking logic.
242 
243     // For non-public members or members in package-private classes,
244     // it is necessary to perform somewhat expensive security checks.
245     // If the security check succeeds for a given class, it will
246     // always succeed (it is not affected by the granting or revoking
247     // of permissions); we speed up the check in the common case by
248     // remembering the last Class for which the check succeeded.
249     //
250     // The simple security check for Constructor is to see if
251     // the caller has already been seen, verified, and cached.
252     // (See also Class.newInstance(), which uses a similar method.)
253     //
254     // A more complicated security check cache is needed for Method and Field
255     // The cache can be either null (empty cache), a 2-array of {caller,target},
256     // or a caller (with target implicitly equal to this.clazz).
257     // In the 2-array case, the target is always different from the clazz.
258     volatile Object securityCheckCache;
259 
260     void checkAccess(Class<?> caller, Class<?> clazz, Object obj, int modifiers)
261         throws IllegalAccessException
262     {
263         if (caller == clazz) {  // quick check
264             return;             // ACCESS IS OK
265         }
266         Object cache = securityCheckCache;  // read volatile
267         Class<?> targetClass = clazz;
268         if (obj != null
269             && Modifier.isProtected(modifiers)
270             && ((targetClass = obj.getClass()) != clazz)) {
271             // Must match a 2-list of { caller, targetClass }.
272             if (cache instanceof Class[]) {
273                 Class<?>[] cache2 = (Class<?>[]) cache;
274                 if (cache2[1] == targetClass &&
275                     cache2[0] == caller) {
276                     return;     // ACCESS IS OK
277                 }
278                 // (Test cache[1] first since range check for [1]
279                 // subsumes range check for [0].)
280             }
281         } else if (cache == caller) {
282             // Non-protected case (or obj.class == this.clazz).
283             return;             // ACCESS IS OK
284         }
285 
286         // If no return, fall through to the slow path.
287         slowCheckMemberAccess(caller, clazz, obj, modifiers, targetClass);
288     }
289 
290     // Keep all this slow stuff out of line:
291     void slowCheckMemberAccess(Class<?> caller, Class<?> clazz, Object obj, int modifiers,
292                                Class<?> targetClass)
293         throws IllegalAccessException
294     {
295         Reflection.ensureMemberAccess(caller, clazz, obj, modifiers);
296 
297         // Success: Update the cache.
298         Object cache = ((targetClass == clazz)
299                         ? caller
300                         : new Class<?>[] { caller, targetClass });
301 
302         // Note:  The two cache elements are not volatile,
303         // but they are effectively final.  The Java memory model
304         // guarantees that the initializing stores for the cache
305         // elements will occur before the volatile write.
306         securityCheckCache = cache;         // write volatile
307     }
308 }