On 11/18/13 8:36 AM, Peter Levart wrote:
On 11/18/2013 04:31 PM, Alan Bateman wrote:
On 18/11/2013 14:59, Jochen Theodorou wrote:
Hi,
java.lang.Class has multiple methods annotated with CallerSensitive
(see
http://hg.openjdk.java.net/jdk8/jdk8-gate/jdk/file/tip/src/share/classes/java/lang/Class.java).
Now if we in Groovy here want to build our runtime structure for
this class, and the security manager is not allowing access to
sun.reflect, then we get into trouble.
https://jira.codehaus.org/browse/GROOVY-6405 is caused by this.
What do you suggest people with this problem, if adding
accessClassInPackage.sun.reflect is no option?
Is it sun.reflect.CallerSensitive.class.getDeclaredMethods that is
failing?
-Alan.
From GROOVY-6405 discussion I think it is, yes.
The work-around suggested in GROOVY-6405 does not work, because it has
a bug. It should be written as:
private static void setAnnotationMetaData(Annotation[] annotations
/*, AnnotatedNode an */) {
for (Annotation annotation : annotations) {
if (annotation*.annotationType()*.getPackage() == null ||
!"sun.reflect".equals(annotation*.annotationType()*.getPackage().getName()))
{
System.out.println("Processing: " +
annotation.annotationType().getName());
} else {
System.out.println("Skipping: " +
annotation.annotationType().getName());
}
}
}
... i.e. don't call annotation.*getClass()* because what you get is a
dynamic Proxy class implementing the annotation interface and such
Proxy class does not live in the same package as the annotation
interface...
Good catch Peter.
There is another such annotation to watch for, in another protected
package: *sun.misc.Contended* ...
sun.reflect.CallerSensitive and sun.misc.Contended are two new
annotations added in jdk8 and they are both restricted packages. sun.*
is only one of the restricted packages and the entire list is in
package.access in java.security property file.
Mandy
