1. /*
  2. * @(#)AccessibleObject.java 1.23 03/01/23
  3. *
  4. * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
  5. * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
  6. */
  7. package java.lang.reflect;
  8. import java.security.AccessController;
  9. import sun.reflect.ReflectionFactory;
  10. /**
  11. * The AccessibleObject class is the base class for Field, Method and
  12. * Constructor objects. It provides the ability to flag a reflected
  13. * object as suppressing default Java language access control checks
  14. * when it is used. The access checks--for public, default (package)
  15. * access, protected, and private members--are performed when Fields,
  16. * Methods or Constructors are used to set or get fields, to invoke
  17. * methods, or to create and initialize new instances of classes,
  18. * respectively.
  19. *
  20. * <p>Setting the <tt>accessible</tt> flag in a reflected object
  21. * permits sophisticated applications with sufficient privilege, such
  22. * as Java Object Serialization or other persistence mechanisms, to
  23. * manipulate objects in a manner that would normally be prohibited.
  24. *
  25. * @see Field
  26. * @see Method
  27. * @see Constructor
  28. * @see ReflectPermission
  29. *
  30. * @since 1.2
  31. */
  32. public
  33. class AccessibleObject {
  34. /**
  35. * The Permission object that is used to check whether a client
  36. * has sufficient privilege to defeat Java language access
  37. * control checks.
  38. */
  39. static final private java.security.Permission ACCESS_PERMISSION =
  40. new ReflectPermission("suppressAccessChecks");
  41. /**
  42. * Convenience method to set the <tt>accessible</tt> flag for an
  43. * array of objects with a single security check (for efficiency).
  44. *
  45. * <p>First, if there is a security manager, its
  46. * <code>checkPermission</code> method is called with a
  47. * <code>ReflectPermission("suppressAccessChecks")</code> permission.
  48. *
  49. * <p>A <code>SecurityException</code> is raised if <code>flag</code> is
  50. * <code>true</code> but accessibility of any of the elements of the input
  51. * <code>array</code> may not be changed (for example, if the element
  52. * object is a {@link Constructor} object for the class {@link
  53. * java.lang.Class}). In the event of such a SecurityException, the
  54. * accessiblity of objects is set to <code>flag</code> for array elements
  55. * upto (and excluding) the element for which the exception occurred; the
  56. * accessiblity of elements beyond (and including) the element for which
  57. * the exception occurred is unchanged.
  58. *
  59. * @param array the array of AccessibleObjects
  60. * @param flag the new value for the <tt>accessible</tt> flag
  61. * in each object
  62. * @throws SecurityException if the request is denied.
  63. * @see SecurityManager#checkPermission
  64. * @see java.lang.RuntimePermission
  65. */
  66. public static void setAccessible(AccessibleObject[] array, boolean flag)
  67. throws SecurityException {
  68. SecurityManager sm = System.getSecurityManager();
  69. if (sm != null) sm.checkPermission(ACCESS_PERMISSION);
  70. for (int i = 0; i < array.length; i++) {
  71. setAccessible0(array[i], flag);
  72. }
  73. }
  74. /**
  75. * Set the <tt>accessible</tt> flag for this object to
  76. * the indicated boolean value. A value of <tt>true</tt> indicates that
  77. * the reflected object should suppress Java language access
  78. * checking when it is used. A value of <tt>false</tt> indicates
  79. * that the reflected object should enforce Java language access checks.
  80. *
  81. * <p>First, if there is a security manager, its
  82. * <code>checkPermission</code> method is called with a
  83. * <code>ReflectPermission("suppressAccessChecks")</code> permission.
  84. *
  85. * <p>A <code>SecurityException</code> is raised if <code>flag</code> is
  86. * <code>true</code> but accessibility of this object may not be changed
  87. * (for example, if this element object is a {@link Constructor} object for
  88. * the class {@link java.lang.Class}).
  89. *
  90. * <p>A <code>SecurityException</code> is raised if this object is a {@link
  91. * java.lang.reflect.Constructor} object for the class
  92. * <code>java.lang.Class</code>, and <code>flag</code> is true.
  93. *
  94. * @param flag the new value for the <tt>accessible</tt> flag
  95. * @throws SecurityException if the request is denied.
  96. * @see SecurityManager#checkPermission
  97. * @see java.lang.RuntimePermission
  98. */
  99. public void setAccessible(boolean flag) throws SecurityException {
  100. SecurityManager sm = System.getSecurityManager();
  101. if (sm != null) sm.checkPermission(ACCESS_PERMISSION);
  102. setAccessible0(this, flag);
  103. }
  104. /* Check that you aren't exposing java.lang.Class.<init>. */
  105. private static void setAccessible0(AccessibleObject obj, boolean flag)
  106. throws SecurityException
  107. {
  108. if (obj instanceof Constructor && flag == true) {
  109. Constructor c = (Constructor)obj;
  110. if (c.getDeclaringClass() == Class.class) {
  111. throw new SecurityException("Can not make a java.lang.Class" +
  112. " constructor accessible");
  113. }
  114. }
  115. obj.override = flag;
  116. }
  117. /**
  118. * Get the value of the <tt>accessible</tt> flag for this object.
  119. *
  120. * @return the value of the object's <tt>accessible</tt> flag
  121. */
  122. public boolean isAccessible() {
  123. return override;
  124. }
  125. /**
  126. * Constructor: only used by the Java Virtual Machine.
  127. */
  128. protected AccessibleObject() {}
  129. // Cache for security checks.
  130. // For non-public members or members in package-private classes,
  131. // it is necessary to perform somewhat expensive security checks.
  132. // If the security check succeeds for a given class, it will
  133. // always succeed (it is not affected by the granting or revoking
  134. // of permissions); we speed up the check in the common case by
  135. // remembering the last Class for which the check succeeded. This
  136. // field is used by Field, Method, and Constructor.
  137. //
  138. // NOTE: for security purposes, this field must not be visible
  139. // outside this package.
  140. volatile Class securityCheckCache;
  141. // Indicates whether language-level access checks are overridden
  142. // by this object. Initializes to "false". This field is used by
  143. // Field, Method, and Constructor.
  144. //
  145. // NOTE: for security purposes, this field must not be visible
  146. // outside this package.
  147. boolean override;
  148. // Reflection factory used by subclasses for creating field,
  149. // method, and constructor accessors. Note that this is called
  150. // very early in the bootstrapping process.
  151. static final ReflectionFactory reflectionFactory = (ReflectionFactory)
  152. AccessController.doPrivileged
  153. (new sun.reflect.ReflectionFactory.GetReflectionFactoryAction());
  154. }