/ Java Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Reflection and the Missing Security Manager

DZone's Guide to

Reflection and the Missing Security Manager

by
Alosh Bennett
·
Nov. 30, 10 · Java Zone
Free Resource

Comment (5)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Build vs Buy a Data Quality Solution: Which is Best for You? Gain insights on a hybrid approach. Download white paper now!

Here’s an interesting trick that’s been around for a long time: Consider the Person class here, with password as a private data member.

public class Person {
 
   private String name;
   private String password;
 
   public String getName() {
       return name;
   }
 
   public boolean login(String password) {
      if(this.password(equals(password)) {
         ....
      }
   }
   ...
}

The Java scope rules do not allow me to access or modify the password field that’s declared private. All the same, I could do it using reflection as shown below:

   Person person = db.queryPerson("alosh");
   //System.out.println("password: "+person.password); -- won't compile
 
   Field field = person.getClass().getField("password");
   field.setAccessible(true);
   System.out.println("password: "+field.get(person));
   field.set(person, "welcome");
   person.login("welcome");
   ...

It all boils down to this line of code.

   field.setAccessible(true);

All reflection access to an object (methods, fields, constructors) is through the interface AccessibleObject which lets the reflected object suppress the normal access controls. By setting the access flag, the reflected object is now open.
But the access flags are not flipped before it checks with the security manager. Reflection and SecurityManager together provides the power to control access dynamically.

Our little trick could then be attributed to the SecurityManager. Or like in this case, the lack of a SecurityManager.

By default the JVM does not have a SecurityManager available. A security manager could be installed either by passing the following option to the jvm

-Djava.security.manager

or by setting one in the code

System.setSecurityManager(new SecurityManager());

(Now the snippet mentioned in the beginning will not work.)

* SecurityManager is not enabled by default in the JVM.
* Majority of the JEE servers out there don’t run a SecurityManager unless asked for.
* Many applications would not run with SecurityManager in place.

Isn’t it against Java’s principle of ‘Secure by Default’?

From http://www.aloshbennett.in/weblog/2010/java/reflection-and-the-missing-security-manager/

Build vs Buy a Data Quality Solution: Which is Best for You? Maintaining high quality data is essential for operational efficiency, meaningful analytics and good long-term customer relationships. But, when dealing with multiple sources of data, data quality becomes complex, so you need to know when you should build a custom data quality tools effort over canned solutions. Download our whitepaper for more insights into a hybrid approach.

Like This Article? Read More From DZone

OAuth Access Tokens or JSON Web Tokens (JWT) for Delivering a Secure API?
Activating Xcode 9 Code Diagnostics Tools on the iOS CI Server
Jersey Client Dependencies for JAX-RS 2.1

Free DZone Refcard

Getting Started With Play Framework
DOWNLOAD
Topics:

Comment (5)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Opinions expressed by DZone contributors are their own.

Java Partner Resources

Advanced Linux Commands [Cheat Sheet]
Modern Java EE Design Patterns: Building Scalable Architecture for Sustainable Enterprise Development
Reactive Microsystems - The Evolution of Microservices at Scale
How To Resolve Network Partitions In Seconds With Lightbend Enterprise Suite
Migrating to Microservice Databases
NoSQL Options for Java Developers | Okta Developer
Headless CMS and Your Business Team | dotCMS eBook
Microservices for Java Developers: A Hands-On Introduction to Frameworks & Containers
Building Reactive Microservices in Java: Asynchronous and Event-Based Application Design
Play Framework: The JVM Architect's Path to Super-Fast Web Apps
Build vs Buy a Data Quality Solution: Which is Best for You?
jQuery UI and Auto-Complete Address Entry

Java Partner Resources

Advanced Linux Commands [Cheat Sheet]
Modern Java EE Design Patterns: Building Scalable Architecture for Sustainable Enterprise Development
Reactive Microsystems - The Evolution of Microservices at Scale
How To Resolve Network Partitions In Seconds With Lightbend Enterprise Suite

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone