8011139: (reflect) Revise checking in getEnclosingClass
authorjfranck
Tue, 07 May 2013 13:23:08 +0200
changeset 18263 69df685432b7
parent 18262 ee7c925ab7ed
child 18264 286a7973575a
8011139: (reflect) Revise checking in getEnclosingClass Reviewed-by: darcy, mchung, ahgross
jdk/src/share/classes/java/lang/Class.java
--- a/jdk/src/share/classes/java/lang/Class.java	Mon May 06 16:12:55 2013 +0400
+++ b/jdk/src/share/classes/java/lang/Class.java	Tue May 07 13:23:08 2013 +0200
@@ -970,7 +970,7 @@
      *
      *             <li> invocation of
      *             {@link SecurityManager#checkMemberAccess
-     *             s.checkMemberAccess(enclosingClass, Member.PUBLIC)} denies
+     *             s.checkMemberAccess(enclosingClass, Member.DECLARED)} denies
      *             access to the methods within the enclosing class
      *
      *             <li> the caller's class loader is not the same as or an
@@ -1126,7 +1126,7 @@
      *
      *             <li> invocation of
      *             {@link SecurityManager#checkMemberAccess
-     *             s.checkMemberAccess(enclosingClass, Member.PUBLIC)} denies
+     *             s.checkMemberAccess(enclosingClass, Member.DECLARED)} denies
      *             access to the constructors within the enclosing class
      *
      *             <li> the caller's class loader is not the same as or an
@@ -1248,13 +1248,9 @@
                 enclosingCandidate = enclosingClass;
         }
 
-        // be very careful not to change the stack depth of this
-        // checkMemberAccess call for security reasons
-        // see java.lang.SecurityManager.checkMemberAccess
-        if (enclosingCandidate != null) {
-            enclosingCandidate.checkMemberAccess(Member.DECLARED,
-                                                 Reflection.getCallerClass(), true);
-        }
+        if (enclosingCandidate != null)
+            enclosingCandidate.checkPackageAccess(
+                    ClassLoader.getClassLoader(Reflection.getCallerClass()), true);
         return enclosingCandidate;
     }
 
@@ -2303,6 +2299,8 @@
      * Check if client is allowed to access members.  If access is denied,
      * throw a SecurityException.
      *
+     * This method also enforces package access.
+     *
      * <p> Default policy: allow all clients access with normal Java access
      * control.
      */
@@ -2323,7 +2321,19 @@
                 // checkMemberAccess of subclasses of SecurityManager as specified.
                 s.checkMemberAccess(this, which);
             }
+            this.checkPackageAccess(ccl, checkProxyInterfaces);
+        }
+    }
 
+    /*
+     * Checks if a client loaded in ClassLoader ccl is allowed to access this
+     * class under the current package access policy. If access is denied,
+     * throw a SecurityException.
+     */
+    private void checkPackageAccess(final ClassLoader ccl, boolean checkProxyInterfaces) {
+        final SecurityManager s = System.getSecurityManager();
+        if (s != null) {
+            final ClassLoader cl = getClassLoader0();
 
             if (ReflectUtil.needsPackageAccessCheck(ccl, cl)) {
                 String name = this.getName();