> On Dec 8, 2015, at 2:05 PM, Peter Levart <[email protected]> wrote:
> 
> Hi Mandy,
> 
> I don't think such special-casing for proxy classes is warranted and would 
> just complicate security-sensitive code.

That was definitely a concern.   

Good point. Existing code should use Annotation.annotationType() instead of 
Annotation.getClass(). Annotation is an interface. Calling 
annotation.getClass() will only return the implementation class that may be 
encapsulated and not exported to the caller. This is not specific to proxies. 
If the annotation were implemented with some concrete implementation class that 
is not exported to the caller to use, annotation.getClass().getMethod(…).invoke(…) 
will get IAE in that case.

> Users should learn to reflect over interfaces implemented by the proxy class 
> instead of over the proxy class. In Stephane's case, for retrieving 
> attributes of unknown annotations, instead of doing this:
> :
> 
> In general, having a reference to an unknown proxy instance, one can always 
> do:
> 
> Object proxy = ...
> 
> for (Class<?> intf : proxy.getClass().getInterfaces()) {
>     for (Method m : intf.getMethods()) {
>         ...
>     }
> }

One can also check if a given class is a proxy class via the Proxy.isProxyClass 
method.

Mandy 
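
The approach discussed in this message, as an added example that is not part of the original thread: attributes of an unknown annotation are read through annotationType(), and an unknown proxy is inspected through its interfaces after a Proxy.isProxyClass check. The names AnnotationAttributes, Audited, Target, attributes and interfaceMethods are hypothetical.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.*;

public class AnnotationAttributes {
    // Constructed sample annotation and target, used only to exercise the code.
    @Retention(RetentionPolicy.RUNTIME)
    public @interface Audited { String owner(); int level() default 1; }

    @Audited(owner = "secops")
    static class Target {}

    // Read every attribute through the annotation interface. The class returned
    // by a.getClass() is an implementation detail (a proxy or a concrete class)
    // that may live in a package not exported to the caller.
    static Map<String, Object> attributes(Annotation a) throws ReflectiveOperationException {
        Map<String, Object> out = new LinkedHashMap<>();
        for (Method m : a.annotationType().getDeclaredMethods()) {
            if (m.getParameterCount() == 0) {        // annotation elements take no arguments
                out.put(m.getName(), m.invoke(a));   // m belongs to the interface, not the impl class
            }
        }
        return out;
    }

    // For an arbitrary object: if its class is a proxy class, list the methods
    // of the interfaces it implements instead of reflecting over the proxy class.
    static List<String> interfaceMethods(Object o) {
        List<String> names = new ArrayList<>();
        if (!Proxy.isProxyClass(o.getClass())) {
            return names;                            // not a proxy: nothing to list here
        }
        for (Class<?> intf : o.getClass().getInterfaces()) {
            for (Method m : intf.getMethods()) {
                names.add(intf.getSimpleName() + "." + m.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        Annotation a = Target.class.getAnnotation(Audited.class);
        System.out.println("attributes: " + attributes(a));
        System.out.println("is proxy:   " + Proxy.isProxyClass(a.getClass()));
        System.out.println("via intf:   " + interfaceMethods(a));
    }
}
```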
