JavaRanch » Java Forums » Engineering » Security
default security: access private methods through reflection

manuel aldana
Ranch Hand

Joined: Dec 29, 2005
Posts: 308
I read that the default security settings allow invoking private methods through reflection. Couldn't that be a big security hole?

For instance:
- You guarantee through public/protected/default access modifiers that your fields are in a valid state.
- Your private methods, if called on their own, break the class's valid state; even worse, you can change private fields directly.

So with reflection you call/change private methods/fields and can break an application this way; from a security point of view you especially break encapsulation.

So my questions are:
- I think this can be a severe security flaw, so why does default security allow this (there must be a reason)?
- Or maybe I read things wrong and default security does not allow private access?

Thank you.
[ March 23, 2006: Message edited by: manuel aldana ]

aldana software engineering blog & .more
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41034
By 'default' I assume that you mean running without a SecurityManager. Yes, without a SecurityManager you can write a program that relies on its accessors being used, and then you can include code that circumvents them, thus proving that you can shoot yourself in the foot if you want to.

But in circumstances where someone else's code might be involved (e.g. applets, web applications, applications using 3rd party plugins), there is sure to be a SecurityManager active which will prohibit this kind of access.

So I think the default is reasonable, especially since it's easy to run in a more secure way if you need to.


Ping & DNS - my free Android networking tools app
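The two situations in the answer above, as an added example that is not from either poster: a hypothetical `Account` class whose public `withdraw` validates its argument before delegating to a private helper, first driven through reflection with no SecurityManager (the invariant breaks), then again after a SecurityManager with the default policy is installed (the `setAccessible` call is refused with a `SecurityException`, because the default policy grants application code no `ReflectPermission("suppressAccessChecks")`). It assumes a JDK where `System.setSecurityManager` is still usable: the SecurityManager is deprecated for removal since Java 17, and from Java 18 on the JVM must be started with `-Djava.security.manager=allow` for this call to succeed.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;

// Hypothetical class: the public API keeps "balance" non-negative.
class Account {
    private int balance = 100;

    public int getBalance() { return balance; }

    public void withdraw(int amount) {
        if (amount < 0 || amount > balance) {
            throw new IllegalArgumentException("invalid amount");
        }
        applyWithdraw(amount);
    }

    // Private helper: assumes the caller has already validated the amount.
    private void applyWithdraw(int amount) { balance -= amount; }
}

public class ReflectionEncapsulationDemo {
    public static void main(String[] args) throws Exception {
        Account acct = new Account();

        // No SecurityManager: setAccessible(true) succeeds, the private helper
        // is invoked with an unvalidated amount and the balance goes negative.
        Method m = Account.class.getDeclaredMethod("applyWithdraw", int.class);
        m.setAccessible(true);
        m.invoke(acct, 1000);
        System.out.println("balance after reflective call: " + acct.getBalance());

        // SecurityManager with the default policy: application code holds no
        // ReflectPermission("suppressAccessChecks"), so setAccessible is refused.
        System.setSecurityManager(new SecurityManager());
        try {
            Field f = Account.class.getDeclaredField("balance");
            f.setAccessible(true);
            f.setInt(acct, 0);
            System.out.println("unexpected: private field was writable");
        } catch (SecurityException e) {
            System.out.println("denied by SecurityManager: " + e.getMessage());
        }
    }
}
```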
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 9912
You can find a related discussion here:

http://www.coderanch.com/t/379246/java/java/there-any-security-left-if


[My Blog] [JavaRanch Journal]