Replacement for Security Manager checkMemberAccess()

Question

The Java Security Manager method checkMemberAccess() had a parameter that contained the class that Reflection was being called on. This method was deprecated, with a description saying to use checkPermission() instead. There are no parameters in checkPermission() that are similar to those in checkMemberAccess().

In a Security Manager, how do I get the Reflection target class without the checkMemberAccess() method?

i.e. if Class A performs reflection on Class B, I want to know that the target was Class B.

Answer 1

When you install the default security manager - application then uses the default security policy. In case you want to provide our own policy, you can do it in a policy file written as:

grant {
   permission java.lang.RuntimePermission "accessDeclaredMembers.{class name}";
   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

CheckMemberAccess have default policy - to allow access to PUBLIC members, as well as access to classes that have the same class loader as the caller. In all other cases, this method calls checkPermission() with the RuntimePermission("accessDeclaredMembers") permission

For reflective operations use a ReflectPermission class and suppressAccessChecks which allows suppressing the standard java access checks - for public, default (package) access, protected, and private members - performed by reflected objects at their point of use.

But this is dangerous in that information (possibly confidential) and methods normally unavailable would be accessible to malicious code.

Once you have provided the policy file - you can check it as follows:

 try {
   ReflectPermission permission = new ReflectPermission("suppressAccessChecks");
   permission.checkGuard(null);
   System.out.println("Permission granted");
 } catch (SecurityException e) {
   System.out.println("Permission denied");
 }