Best IT Recipes

Why is it allowed to access private Java fields through reflection?

Consider the following example:

import java.lang.reflect.Field; public class Test { public static void main(String[] args) { C c = new C(); try { Field f = C.class.getDeclaredField("a"); f.setAccessible(true); Integer i = (Integer)f.get(c); System.out.println(i); } catch (Exception e) {} } } class C { private Integer a =6; }

It seems illogical that you are allowed access to private fields of classes with reflection. Why is this functionality available? Isn't it "dangerous" to allow such access?

+41
java reflection private-members
Aug 06 '09 at 15:13
source share
7 answers

Private is designed to prevent accidental abuse, and not as a security mechanism. If you decide to get around this, you can do it at your own risk and assumption that you know what you are doing.

+55
Aug 6 '09 at 15:29
source share

Both getDeclaredField() and setAccessible() actually checked by the security manager and throw an exception if your code is not allowed for this. Most often, you will not notice this, because Java code often runs without a security administrator.

One of the important exceptions are applets that always work with a security manager.

+21
Aug 6 '09 at 15:20
source share

Yes, this is not nice, but it allows you to work with angles such as Java Serialization.

Setting an accessible flag in the reflected object allows complex applications with a sufficient degree of privileges, such as serializing Java objects or other storage mechanisms, to manipulate objects in a way that is usually forbidden.

I believe that functionality can be disabled using SecurityManager

http://javabeans.asia/2008/10/12/how_to_set_securitymanager_and_java_security_policy_programmatically.html

+10
Aug 6 '09 at 15:18
source share

Reflection is dangerous. Period.

What is the point of limiting the usefulness of a truly dangerous system for such a slightly increased security?

In addition, automatic serialization requires the ability to "suck out brains" from any class; ignoring access modifiers is a must in this case.

+8
Aug 6 '09 at 15:16
source share

Reflection is a complete API for input within classes. Private members and all.

In cases where you do not trust the code you are running (applets, etc.), you may not use the code at all. See this question for more details.

+4
Aug 6 '09 at 15:22
source share

From: http://java.sun.com/docs/books/tutorial/reflect/

Reflection is typically used by programs that require the ability to examine or modify the behavior of the runtime of applications running on the Java virtual machine.

This is a tool that allows one to break some rules, you can drop it on the foot or use it correctly.

+3
Aug 6 '09 at 15:17
source share

In the java.lang.reflect package description :

The classes in this package along with java.lang.Class host applications such as debuggers, translators, object inspectors, a class of browsers and services such as Object Serialization and JavaBeans that need access to the public target object (based on its runtime class) or members declared by a given class.

Reflection provides a mechanism for accessing class information using tools that are generally not available with regular interaction between classes and objects. One of such methods is access to private fields from external classes and objects.

Yes, reflection can be dangerous in general, because it can expose internal objects of classes and objects.

However, it is also a very powerful tool that can be used to check the internal objects of classes and objects that cannot be accessed using other standard tools.

+3
Aug 06 '09 at 15:18
source share


More articles:


All Articles