On Thu, 6 Apr 2023 17:51:27 GMT, Mandy Chung <mch...@openjdk.org> wrote:
>>> The interface access may be problematic: A non-exported interface Class >>> object can be obtained via Reflection inspection on exported types, such as >>> java packages and jdk.internal packages. >>> >>> * In that case, it might not be of best interest to create an >>> interface, but I don't think the current asInterfaceInstance API rejects >>> such creations either. >> >> See the Javadoc: >> https://github.com/openjdk/jdk/pull/13197/files#diff-6de80127c851b1b0ba6b2ab0a739ffae803187028a721d4a28cd47fb17b1bbcdL64-L65 >> >> As this API was added in Java 7, `public` access was easy. W.R.T. modules, >> no changes have been made to this API. >> The (previously) underlying `java.lang.reflect.Proxy` does not even require >> that. >> >> @liach Can you please test calling >> `MethodHandleProxies.wrapperInstanceTarget(MethodHandleProxies.asInterfaceInstance(Runnable.class, >> MethodHandles.zero(void.class)))` **with an installed `SecurityManager`**? >> Also with an interface in an untrusted protection domain, for example: >> >> >> public interface Test { >> void run(); >> public static void main(String[] args) { >> >> System.out.println(MethodHandleProxies.wrapperInstanceTarget(MethodHandleProxies.asInterfaceInstance(Test.class, >> MethodHandles.zero(void.class)))); >> } >> } >> >> also with a `SecurityManager` (`-Djava.security.manager` as VM argument). > >> @DasBrain Thanks for the recommendation to test with SecurityManager, added >> a test and found two places that needs to do privileged indeed. > > What operations require the security permission check? I suspect some > doPrivileged may be missing in the ClassFile API implementation. Also, @mlchung Mandy, where would jtreg place the dumped class files with the new class file dumper? I didn't find it within test-support directory. ------------- PR Comment: https://git.openjdk.org/jdk/pull/13197#issuecomment-1499435607
