-
Enhancement
-
Resolution: Not an Issue
-
P4
-
None
-
16
A DESCRIPTION OF THE PROBLEM :
Request: Add an AccessibleObject method for checking whether `setAccessible()` would succeed with illegal access being denied, regardless of `java` command line flags.
Context: Serialization libraries using reflection might want to help users migrate to strong encapsulation using the JPMS. As part of that, they want to prevent using reflection on classes to which they should have no access to (e.g. internal JDK classes), regardless of how the Java versions treats illegal access (e.g. Java 11 only warns about it), or which `java` command line flags are specified to allow illegal access.
The issue is that the methods currently provided by `AccessibleObject` do not allow this:
- trySetAccessible(): Succeeds when illegal access has been permitted
- canAccess(Object): Requires an instance of the class. This is often not feasible for serialization libraries because they want to fail fast, and when setting up deserializers there won't be an instance present during setup, so this check has to be delayed until the actual deserialization happens, which is too late.
Therefore it would be good to add a method such as `canSetAccessible(): boolean`, which behaves like `canAccess(Object)` except that it checks the declaring type of a field or method instead of requiring a runtime object for them.
(Maybe that is actually a design flaw with `canAccess(Object)` since, based on its implementation, it does not actually require an Object, but providing a Class would suffice as well.)
Request: Add an AccessibleObject method for checking whether `setAccessible()` would succeed with illegal access being denied, regardless of `java` command line flags.
Context: Serialization libraries using reflection might want to help users migrate to strong encapsulation using the JPMS. As part of that, they want to prevent using reflection on classes to which they should have no access to (e.g. internal JDK classes), regardless of how the Java versions treats illegal access (e.g. Java 11 only warns about it), or which `java` command line flags are specified to allow illegal access.
The issue is that the methods currently provided by `AccessibleObject` do not allow this:
- trySetAccessible(): Succeeds when illegal access has been permitted
- canAccess(Object): Requires an instance of the class. This is often not feasible for serialization libraries because they want to fail fast, and when setting up deserializers there won't be an instance present during setup, so this check has to be delayed until the actual deserialization happens, which is too late.
Therefore it would be good to add a method such as `canSetAccessible(): boolean`, which behaves like `canAccess(Object)` except that it checks the declaring type of a field or method instead of requiring a runtime object for them.
(Maybe that is actually a design flaw with `canAccess(Object)` since, based on its implementation, it does not actually require an Object, but providing a Class would suffice as well.)