JDK-8087164

Re-examine caller-sensitiveness of javax.sql.rowset.serial.SerialJavaObject.getFields


    • Type: Enhancement
    • Resolution: Unresolved
    • Priority: P2
    • None
    • 9
    • core-libs
    • None

      The core reflection API is caller-sensitive and bypasses the security check if the caller's class loader is an ancestor of the defining class loader of a Class object.

      javax.sql.rowset.serial.SerialJavaObject.getFields is made @CallerSensitive and performs the same package access as the core reflection API before it returns Field objects with the right caller.

      We're exploring John's idea to inject the caller class at link time [1] for better performance, and the VM has the infrastructure to support static and final methods. These methods are non-static and non-final, which will be very difficult to support.

      One proposal is to change the getFields method to perform a stack walk permission check, possibly a new permission. The Java policy file will need to be modified, while this incompatibility only has an impact when applications are run with a security manager.

      [1] https://bugs.openjdk.java.net/browse/JDK-8020968?focusedCommentId=13611844&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13611844

            lancea Lance Andersen
            mchung Mandy Chung
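The ancestor rule from the description, as an added Java sketch (not JDK source and not part of the original issue). The class and method names are hypothetical, the loader hierarchy is constructed, and `null` is assumed to stand for the bootstrap loader. It shows that the outcome depends entirely on which loader is treated as the caller's, which is why a method that reflects on behalf of its caller has to identify that caller correctly.

```java
// Added illustration, not JDK source. Models the rule quoted in the issue:
// the package-access check is skipped when the caller's class loader is the
// same as, or an ancestor of, the loader that defined the target class.
public class CallerLoaderCheckDemo {

    // Hypothetical helper: true if 'ancestor' is 'loader' or on its parent chain.
    static boolean isAncestor(ClassLoader ancestor, ClassLoader loader) {
        for (ClassLoader cl = loader; cl != null; cl = cl.getParent()) {
            if (cl == ancestor) {
                return true;
            }
        }
        return false;
    }

    // Hypothetical helper: must a caller defined by 'callerLoader' pass the
    // package-access check before reflecting on a class defined by 'targetLoader'?
    // Assumption: null represents the bootstrap loader, an ancestor of every loader.
    static boolean needsPackageAccessCheck(ClassLoader callerLoader, ClassLoader targetLoader) {
        if (callerLoader == null || callerLoader == targetLoader) {
            return false;               // bootstrap caller, or same loader
        }
        if (targetLoader == null) {
            return true;                // non-bootstrap caller, bootstrap-defined target
        }
        return !isAncestor(callerLoader, targetLoader);
    }

    public static void main(String[] args) {
        // Constructed hierarchy: bootstrap <- parent <- child, plus an unrelated sibling.
        ClassLoader parent = new ClassLoader((ClassLoader) null) { };
        ClassLoader child = new ClassLoader(parent) { };
        ClassLoader sibling = new ClassLoader((ClassLoader) null) { };

        // Caller's loader is an ancestor of the target's loader.
        System.out.println("parent  -> child : " + needsPackageAccessCheck(parent, child));
        // Caller's loader is a descendant of the target's loader.
        System.out.println("child   -> parent: " + needsPackageAccessCheck(child, parent));
        // Caller's loader is unrelated to the target's loader.
        System.out.println("sibling -> child : " + needsPackageAccessCheck(sibling, child));
        // Caller defined by the bootstrap loader (represented by null).
        System.out.println("boot    -> child : " + needsPackageAccessCheck(null, child));
    }
}
```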