On Thu, 29 Jun 2000, Jeff Sturm wrote:

> Mo DeJong wrote:
> > Here is another example:
> > 
> > import java.util.Hashtable;
> > public class Hashtable2 extends Hashtable
> > {
> >   public static Hashtable get() {
> >     return new Hashtable2();
> >   }
> >   public void NEVER_CALL() {
> >     System.out.println("NEVER_CALL");
> >   }
> > }
> > 
> > % set h [java::call Hashtable2 get]
> > 
> > ( Here is what would happen if you called getClass() )
> > % java::info class $h
> > Hashtable2
> > 
> > This means you would be able to invoke "$h NEVER_CALL"
> > which is not possible from regular Java code.
> 
> Sure it's possible:
> 
> ((Hashtable2)h).NEVER_CALL();

Ahh, but you don't know that it is a Hashtable2. Well, in this simple
example you do, but in the more general case you could have
a function with a signature like "Hashtable get()" that
could return Hashtable2, Hashtable3, Hashtable4, and so on.
There is no way to "cast up" to all of these derived types outside
of using the reflection API. Also keep in mind that the method
could return an interface, so you would expect to only be able
to invoke methods made available through the interface.
 
> If Hashtable2 were not public, that cast could be prevented, but this
> specific example would break since it relies on a public static method
> of Hashtable2.
> 
> Are you trying to say that java.lang.reflect introduces security holes
> in Java?  I don't think that it does, though it does not do a good job
> of enforcing package-level access rights.

Is it a bug or a feature? That is what it all comes down to. I think
the reflection API is a great feature. It means I can create objects
and invoke methods at runtime. It does have some problems, but you
just need to use it correctly to avoid them (for instance, don't
call getClass()).

Mo DeJong
Red Hat Inc
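
Added example, not part of the original message and not Tcl/Java code: a Java sketch of the difference discussed in this thread between resolving a method against the declared return type of "Hashtable get()" and against the object's getClass(). The class name DeclaredTypeDispatch and the helper resolvable() are hypothetical; Hashtable2 is nested only so the file compiles on its own.

```java
import java.lang.reflect.Method;
import java.util.Hashtable;

public class DeclaredTypeDispatch {
    // Same shape as the Hashtable2 class quoted in the thread.
    public static class Hashtable2 extends Hashtable<Object, Object> {
        public static Hashtable<Object, Object> get() { return new Hashtable2(); }
        public void NEVER_CALL() { System.out.println("NEVER_CALL"); }
    }

    // Hypothetical helper: can a public no-argument method with this name
    // be resolved against the given lookup type?
    static boolean resolvable(Class<?> lookupType, String name) {
        try {
            lookupType.getMethod(name);
            return true;
        } catch (NoSuchMethodException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Method factory = Hashtable2.class.getMethod("get");

        // What the signature promises the caller: the declared return type.
        Class<?> declared = factory.getReturnType();

        // What the object actually is at run time.
        Object h = factory.invoke(null);
        Class<?> runtime = h.getClass();

        System.out.println("declared type: " + declared.getName());
        System.out.println("runtime type:  " + runtime.getName());

        // Lookup through getClass() sees methods the signature never exposed.
        System.out.println("NEVER_CALL via runtime type:  " + resolvable(runtime, "NEVER_CALL"));
        // Lookup through the declared type matches what compiled Java code
        // could call without a cast.
        System.out.println("NEVER_CALL via declared type: " + resolvable(declared, "NEVER_CALL"));

        // Methods resolved on the declared type still dispatch virtually,
        // so overrides in the subclass run as usual.
        Method size = declared.getMethod("size");
        System.out.println("size() via declared type: " + size.invoke(h));
    }
}
```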
