stackoom
  简体   繁体   中英

How to restrict developers to use reflection to access private methods and constructors in Java?

 原文  2011-09-27 09:07:25       java/ security/ reflection

Question

How to restrict developers to use reflection to access private methods and constructors in Java?

Using normal Java code we can't access private constructors or private methods outside of a class. But by using reflection we can access any private methods and constructors in a Java class.

So how can we give security to our Java code?

3 answers

solution1
 20 ACCPTED  2011-09-27 09:08:54

Run your application using a SecurityManager and a sufficiently restrictive security policy .

There's a short summary in the tutorial and extensive information in the security documentation .

solution2
 7  2011-09-27 09:47:36

Add checkPermission() method in all of your private method/constructor. checkPermission using sun.reflect.Reflection.getCallerClass(int n) by assert callerClass=selfClass .

The getCallerClass returns the class of the method realFramesToSkip frames up the stack (zero-based), ignoring frames associated with java.lang.reflect.Method.invoke() and its implementation. The first frame is that associated with this method, so getCallerClass(0) returns the Class object for sun.reflect.Reflection . 

public class PrivateConstructorClass {

    private PrivateConstructorClass() {
        checkPerMission();
              //you own code go below
    }

    void checkPerMission() {
        Class self = sun.reflect.Reflection.getCallerClass(1);
        Class caller = sun.reflect.Reflection.getCallerClass(3);
        if (self != caller) {
            throw new java.lang.IllegalAccessError();
        }
    }
}

You can try to test reflect, it will fail: 

public class TestPrivateMain {

    Object newInstance() throws Exception {

        final Class<?> c = Class.forName("package.TestPrivate");

        final Constructor<?> constructor = c.getDeclaredConstructor();
        constructor.setAccessible(true);
        return constructor.newInstance();

    }

    public static void main(String[] args) throws Exception {
        Object t = new TestPrivateMain().newInstance();
    }
}

solution3
 1  2011-09-27 09:09:21

You (as the developer of the code in question) cannot do that.

The end user, who runs the application, could install a SecurityManager that forbids reflection.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How access private methods in abstract class using reflection in Java? How can I get access to a private array using Java reflection? How to access a private field of the super class of the super class with reflection in Java? How do I access private methods and private data members via reflection? How do I use reflection to access a private method? How to properly use reflection to access hidden methods in Telephony Manager Java Reflection constructors orders Constructors that use <Class>… with reflection How to use constructors in Java How to use constructors in Java?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM