DZone
Java Zone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
  • Refcardz
  • Research
  • Webinars
  • Zones
  • |
    • Agile
    • AI
    • Big Data
    • Cloud
    • Database
    • DevOps
    • Integration
    • IoT
    • Java
    • Microservices
    • Open Source
    • Performance
    • Security
    • Web Dev
DZone > Java Zone > Reflection and the Missing Security Manager

Reflection and the Missing Security Manager

Alosh Bennett user avatar by
Alosh Bennett
·
Nov. 30, 10 · Java Zone · Interview
Like (0)
Save
Tweet
7.48K Views

Join the DZone community and get the full member experience.

Join For Free

Here’s an interesting trick that’s been around for a long time: Consider the Person class here, with password as a private data member.

public class Person {
 
   private String name;
   private String password;
 
   public String getName() {
       return name;
   }
 
   public boolean login(String password) {
      if(this.password(equals(password)) {
         ....
      }
   }
   ...
}

The Java scope rules do not allow me to access or modify the password field that’s declared private. All the same, I could do it using reflection as shown below:

   Person person = db.queryPerson("alosh");
   //System.out.println("password: "+person.password); -- won't compile
 
   Field field = person.getClass().getField("password");
   field.setAccessible(true);
   System.out.println("password: "+field.get(person));
   field.set(person, "welcome");
   person.login("welcome");
   ...

It all boils down to this line of code.

   field.setAccessible(true);

All reflection access to an object (methods, fields, constructors) is through the interface AccessibleObject which lets the reflected object suppress the normal access controls. By setting the access flag, the reflected object is now open.
But the access flags are not flipped before it checks with the security manager. Reflection and SecurityManager together provides the power to control access dynamically.

Our little trick could then be attributed to the SecurityManager. Or like in this case, the lack of a SecurityManager.

By default the JVM does not have a SecurityManager available. A security manager could be installed either by passing the following option to the jvm

-Djava.security.manager

or by setting one in the code

System.setSecurityManager(new SecurityManager());

(Now the snippet mentioned in the beginning will not work.)

* SecurityManager is not enabled by default in the JVM.
* Majority of the JEE servers out there don’t run a SecurityManager unless asked for.
* Many applications would not run with SecurityManager in place.

Isn’t it against Java’s principle of ‘Secure by Default’?

From http://www.aloshbennett.in/weblog/2010/java/reflection-and-the-missing-security-manager/

Topics:

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • DZone Cloud Show: KubeCon 2021 Recap
  • Dive Into OAuth Grant Types and OpenID Connect Flows
  • REST Services With Apache Camel
  • Defining the Developer Experience
Comments

Java Partner Resources

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone
  • +1 (919) 238-7100

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • MVB Program
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends:

DZone.com is powered by 

AnswerHub logo