Java Security Manager completely disable reflection

I've been reading quite a lot of questions on Stack Overflow about this question but couldn't quite find a solution or answer for my problem. If there is already one I would be grateful if somebody would give a hint ...

My problem/question is if it is possible to completely disable reflection for untrustworthy code? Functions like getDeclaredMethods() (see test.java). I've already got a Java Security Manager which throws Security Exceptions if the code tries to write/read/etc. ...

If it is possible, can somebody show me how?

Bruno

test.java

import java.lang.reflect.Method;

TestClass cls = new TestClass();
Class<?> c = cls.getClass();

// returns the array of Method objects declared by TestClass
Method[] m = c.getDeclaredMethods();
for (int i = 0; i < m.length; i++) {
   System.out.println("method = " + m[i].toString());
}
Bruno asked Oct 24 '16 12:10


2 Answers

Extend your SecurityManager and have it check for ReflectPermission and RuntimePermission. Then you have to decide whether the caller has permission for Reflection:

// goes inside the SecurityManager subclass
// imports: java.lang.reflect.ReflectPermission, java.security.Permission
@Override
public void checkPermission(Permission perm) {
  if (perm instanceof ReflectPermission) {
    // called for Method.setAccessible(true)
    // determine whether caller is permitted using getClassContext()
  }
  if (perm instanceof RuntimePermission) {
    if (perm.implies(new RuntimePermission("accessDeclaredMembers"))) {
      // called for Class.getDeclaredFields()
      System.out.println("getDeclaredFields() called");
    }
  }
}
Stefan answered Oct 26 '22 02:10
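
The checkPermission approach from the answer above, carried through as an added example (not code from the original answer or from any project): it denies the two reflection permissions whenever a sandboxed class is on the call stack, and its three probes show which reflective calls the JDK actually routes through the security manager. The class names and the name-prefix test for identifying sandboxed code are assumptions made for this demo.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;
// Added example; all class names are hypothetical. Runs on JDK 8-17. JDK 18-23
// need -Djava.security.manager=allow; JDK 24+ cannot install a SecurityManager.
public class ReflectionSandboxDemo {
    /** Denies reflection permissions while sandboxed code is on the call stack. */
    static class NoReflectionManager extends SecurityManager {
        private final String untrustedPrefix; // assumption: sandboxed classes share a name prefix
        NoReflectionManager(String untrustedPrefix) { this.untrustedPrefix = untrustedPrefix; }

        @Override
        public void checkPermission(Permission perm) {
            boolean reflective = perm instanceof ReflectPermission      // e.g. setAccessible(true)
                    || (perm instanceof RuntimePermission               // e.g. getDeclaredMethods()
                        && "accessDeclaredMembers".equals(perm.getName()));
            if (!reflective) return; // demo only: a real sandbox must check everything else too
            for (Class<?> frame : getClassContext()) { // every frame on the current stack
                if (frame.getName().startsWith(untrustedPrefix)) {
                    throw new SecurityException("Reflection denied: ".concat(perm.getName()));
                }
            }
        }
    }

    /** Stands in for the untrusted code (constructed for this demo). */
    static class Untrusted {
        private int secret = 42;
        static boolean listJdkMembers() { // target loaded by another class loader: checked
            try { String.class.getDeclaredMethods(); return true; }
            catch (SecurityException e) { return false; }
        }
        static boolean listOwnMembers() { // caller and target share a loader: the JDK skips the check
            try { Untrusted.class.getDeclaredMethods(); return true; }
            catch (SecurityException e) { return false; }
        }
        static boolean openPrivateField() throws NoSuchFieldException { // setAccessible: always checked
            Field f = Untrusted.class.getDeclaredField("secret");
            try { f.setAccessible(true); return true; }
            catch (SecurityException e) { return false; }
        }
    }

    public static void main(String[] args) throws Exception {
        System.setSecurityManager(new NoReflectionManager(Untrusted.class.getName()));
        System.out.println("JDK members listed:   " + Untrusted.listJdkMembers());
        System.out.println("own members listed:   " + Untrusted.listOwnMembers());
        System.out.println("private field opened: " + Untrusted.openPrivateField());
    }
}
```

A production manager would identify sandboxed code by class loader or code source rather than by class name, and would also deny the permissions that let code replace the security manager.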


So I solved the problem not directly with checkPermission(). My workaround is to check if the java.lang.reflect package is accessed.

@Override
public void checkPackageAccess(String pkg){

    // don't allow the use of the reflection package
    if(pkg.equals("java.lang.reflect")){
        throw new SecurityException("Reflection is not allowed!");
    }
}
Bruno answered Oct 26 '22 02:10