Class.getRecordComponents security checks

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Class.getRecordComponents security checks

Attila Szegedi-2
Hey folks,

Why are security checks for Class.getRecordComponents as strict as those for e.g. getDeclaredMethods? I would’ve expected they’d be as strict as those for e.g. getMethods. Specifically, the difference is the:

> “the caller's class loader is not the same as the class loader of this class and invocation of s.checkPermission method with RuntimePermission("accessDeclaredMembers") denies access to the declared methods within this class”

step. Aren’t record accessors supposed to be public?

Attila.
Reply | Threaded
Open this post in threaded view
|

Re: Class.getRecordComponents security checks

Remi Forax
----- Mail original -----
> De: "Attila Szegedi" <[hidden email]>
> À: "core-libs-dev" <[hidden email]>
> Envoyé: Dimanche 21 Février 2021 21:14:48
> Objet: Class.getRecordComponents security checks

> Hey folks,
>
> Why are security checks for Class.getRecordComponents as strict as those for
> e.g. getDeclaredMethods? I would’ve expected they’d be as strict as those for
> e.g. getMethods. Specifically, the difference is the:
>
>> “the caller's class loader is not the same as the class loader of this class and
>> invocation of s.checkPermission method with
>> RuntimePermission("accessDeclaredMembers") denies access to the declared
>> methods within this class”

Good question, getRecordComponents() list the record components not the record accessors,
while each record component has a corresponding accessor method, the reverse is not true.

so here, what you are asking is more like asking fields than methods, so it's more like getDeclaredFields() than getMethods(),
hence the runtime check if there is a SecurityManager enabled.

>
> step. Aren’t record accessors supposed to be public?

yes, at least for the code generated by javac, accessors are always public
(the class itself may be non public, and the package may not be exported).

>
> Attila.

Rémi