/ Java Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Reflection and the Missing Security Manager

DZone's Guide to

Reflection and the Missing Security Manager

by
Alosh Bennett
·
Nov. 30, 10 · Java Zone
Free Resource

Comment (5)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Just released, a free O’Reilly book on Reactive Microsystems: The Evolution of Microservices at Scale. Brought to you in partnership with Lightbend.

Here’s an interesting trick that’s been around for a long time: Consider the Person class here, with password as a private data member.

public class Person {
 
   private String name;
   private String password;
 
   public String getName() {
       return name;
   }
 
   public boolean login(String password) {
      if(this.password(equals(password)) {
         ....
      }
   }
   ...
}

The Java scope rules do not allow me to access or modify the password field that’s declared private. All the same, I could do it using reflection as shown below:

   Person person = db.queryPerson("alosh");
   //System.out.println("password: "+person.password); -- won't compile
 
   Field field = person.getClass().getField("password");
   field.setAccessible(true);
   System.out.println("password: "+field.get(person));
   field.set(person, "welcome");
   person.login("welcome");
   ...

It all boils down to this line of code.

   field.setAccessible(true);

All reflection access to an object (methods, fields, constructors) is through the interface AccessibleObject which lets the reflected object suppress the normal access controls. By setting the access flag, the reflected object is now open.
But the access flags are not flipped before it checks with the security manager. Reflection and SecurityManager together provides the power to control access dynamically.

Our little trick could then be attributed to the SecurityManager. Or like in this case, the lack of a SecurityManager.

By default the JVM does not have a SecurityManager available. A security manager could be installed either by passing the following option to the jvm

-Djava.security.manager

or by setting one in the code

System.setSecurityManager(new SecurityManager());

(Now the snippet mentioned in the beginning will not work.)

* SecurityManager is not enabled by default in the JVM.
* Majority of the JEE servers out there don’t run a SecurityManager unless asked for.
* Many applications would not run with SecurityManager in place.

Isn’t it against Java’s principle of ‘Secure by Default’?

From http://www.aloshbennett.in/weblog/2010/java/reflection-and-the-missing-security-manager/

Strategies and techniques for building scalable and resilient microservices to refactor a monolithic application step-by-step, a free O'Reilly book. Brought to you in partnership with Lightbend.

Like This Article? Read More From DZone

Getting Started With Google Sign-In and Spring Boot
Thoughts on Opening Up Java EE
Azure Managed VM Images: Using Premium Data Disks

Free DZone Refcard

Getting Started With Vaadin Framework 8
DOWNLOAD
Topics:

Comment (5)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Opinions expressed by DZone contributors are their own.

Java Partner Resources

Jenkins, Docker and DevOps: The Innovation Catalysts
The Importance of Monitoring Containers
Combine the Innovations of NoSQL with the Critical Capabilities of Relational Databases
Develop and Deploy Microservices with JHipster
We have the data behind great user experiences. Now you can too. Read the infographic.
Play Framework: The JVM Architect's Path to Super-Fast Web Apps
CA App Experience Analytics, a whole new level of visibility. Learn more.
Reactive Microsystems - The Evolution of Microservices at Scale
Headless CMS and Your Business Team
[Tech Guide] OpenStack Deployment Models
Easily Build Continuous Delivery Pipelines with Jenkins and Pipeline Plugin
Microservices for Java Developers: A Hands-On Introduction to Frameworks & Containers

Java Partner Resources

Jenkins, Docker and DevOps: The Innovation Catalysts
The Importance of Monitoring Containers
Combine the Innovations of NoSQL with the Critical Capabilities of Relational Databases
Develop and Deploy Microservices with JHipster
THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone