On 02/27/2015 01:07 AM, Mandy Chung wrote:
> On 2/26/15 2:04 PM, Peter Levart wrote:
>> I verified this with the following code:
>> :
>>
>> ... it works without problems and prints the expected:
>
> Thanks for the test. The question is what the spec says about SecurityException, or it should require the value() method be public or there is a reason to support a non-public value() method?
>
> Mandy

Well, currently, with pre-JDK8 APIs, one has access to annotation instances of types that are otherwise inaccessible. For example:

import java.lang.annotation.Annotation;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;

public class Test {
    public static void main(String[] args) throws Exception {
        // TestSibling.class.getDeclaredAnnotation(TestSibling.PrivateAnn.class);
        // >>> javac Error: The type TestSibling.PrivateAnn is not visible

        // but:

        Annotation privateAnn = TestSibling.class.getDeclaredAnnotations()[0];
        System.out.println(privateAnn);
        // >>> @TestSibling$PrivateAnn()
    }
}

@TestSibling.PrivateAnn()
class TestSibling {
    @Retention(RetentionPolicy.RUNTIME)
    private @interface PrivateAnn {
    }
}

So I don't think we should prevent access to repeatable annotation instances just because the container annotation type of the repeatable annotation is not public.

The call to setAccessible(true) should be wrapped by doPrivileged and should be performed in AnnotationType constructor and not sprinkled in other places that need to invoke the Method(s). This is by no means less secure as it doesn't matter what part of code makes the Method object setAccessible(true) if it is a shared Method object.

Regards, Peter

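A sketch of the arrangement described in the message above, as an added example that is not code from the thread or from the JDK sources: the container's value() Method is made accessible once, inside doPrivileged, when a per-type holder is constructed, and callers only invoke the shared Method. ContainerAccessDemo, ContainerAccessor, Tag, Tags and Target are hypothetical names; because they all sit in one file here the reflective access check would pass even without setAccessible, which only matters when the non-public container type lives in a different package from the caller.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;

public class ContainerAccessDemo {
    // Constructed sample types: a repeatable annotation with a non-public container.
    @Retention(RetentionPolicy.RUNTIME) @Repeatable(Tags.class)
    private @interface Tag { String value(); }

    @Retention(RetentionPolicy.RUNTIME)
    private @interface Tags { Tag[] value(); }

    @Tag("a") @Tag("b")
    static class Target { }

    /** Hypothetical per-type holder; stands in for the role the mail assigns to AnnotationType. */
    static final class ContainerAccessor {
        private final Method valueMethod;

        ContainerAccessor(Class<? extends Annotation> containerType) {
            // One privileged block, executed once when the holder is built.
            valueMethod = AccessController.doPrivileged((PrivilegedAction<Method>) () -> {
                try {
                    Method m = containerType.getDeclaredMethod("value");
                    m.setAccessible(true); // suppress the access check on this Method object
                    return m;
                } catch (NoSuchMethodException e) {
                    throw new IllegalArgumentException(containerType + " has no value()", e);
                }
            });
        }

        Annotation[] unwrap(Annotation container) throws ReflectiveOperationException {
            // No setAccessible here: every caller reuses the already prepared Method.
            return (Annotation[]) valueMethod.invoke(container);
        }
    }

    public static void main(String[] args) throws Exception {
        // javac wraps the two @Tag uses in a single @Tags container on Target.
        Annotation container = Target.class.getDeclaredAnnotations()[0];
        ContainerAccessor accessor = new ContainerAccessor(container.annotationType());
        for (Annotation a : accessor.unwrap(container)) {
            System.out.println(a);
        }
    }
}
```

On JDK 17 and later this compiles with a deprecation warning, since AccessController is deprecated for removal there.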