Bug ID: JDK-6370080 (ann) Method.getAnnotations() sometimes throw SecurityException: doPrivileged or javadoc missing?

JDK-6370080 : (ann) Method.getAnnotations() sometimes throw SecurityException: doPrivileged or javadoc missing?

Type: Bug
Component: core-libs
Sub-Component: java.lang
Affected Version: 5.0,6

Priority: P2
Status: Resolved
Resolution: Fixed
OS: generic,windows_xp
CPU: generic,x86

Submitted: 2006-01-09
Updated: 2010-07-29
Resolved: 2006-07-01

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

Other	JDK 6
5.0u12Fixed	6 b91Fixed

Related Reports

Duplicate :	JDK-6353215 - java.lang.Class.isAnnotationPresent requires accessDeclaredMembers unnecessarily
Duplicate :	JDK-6366543 - A valid MBean is rejected as NotCompliant when some security is in use
Relates :	JDK-6761678 - (ann) SecurityException in AnnotationInvocationHandler.getMemberMethods

Description

The method Method.getAnnotations() sometimes throws a SecurityException.
The security exception is not documented in the Javadoc for this method.
So a) either throws SecurityException is missing from the javadoc,
   b) or a doPriviledge is missing somewhere in the implementation of getAnnotations()
      (e.g. sun.reflect.annotation.AnnotationParser or 
            sun.reflect.annotation.AnnotationType?)

See the stack trace:
java version "1.6.0-rc"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.6.0-rc-b66)
Java HotSpot(TM) Server VM (build 1.6.0-rc-b66, mixed mode)

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:321)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
        at java.lang.Class.checkMemberAccess(Class.java:2156)
        at java.lang.Class.getDeclaredMethods(Class.java:1789)
        at sun.reflect.annotation.AnnotationType.<init>(AnnotationType.java:81)
        at sun.reflect.annotation.AnnotationType.getInstance(AnnotationType.java:64)
        at sun.reflect.annotation.AnnotationParser.parseAnnotation(AnnotationParser.java:202)
        at sun.reflect.annotation.AnnotationParser.parseAnnotations2(AnnotationParser.java:69)
        at sun.reflect.annotation.AnnotationParser.parseAnnotations(AnnotationParser.java:52)
        at java.lang.reflect.Method.declaredAnnotations(Method.java:687)
        at java.lang.reflect.Method.getDeclaredAnnotations(Method.java:680)
        at java.lang.reflect.AccessibleObject.getAnnotations(AccessibleObject.java:189)

Comments

SUGGESTED FIX src/share/classes/sun/reflect/annotation>sccs sccsdiff -r1.7 -r1.8 AnnotationType.java | more ------- AnnotationType.java ------- 12a13,14 > import java.security.AccessController; > import java.security.PrivilegedAction; 76c78 < private AnnotationType(Class<?> annotationClass) { --- > private AnnotationType(final Class<?> annotationClass) { 80,88c82,88 < // Initialize memberTypes and defaultValues < Method[] methods = annotationClass.getDeclaredMethods(); < for (Method method : methods) { < if (method.getParameterTypes().length != 0) < throw new IllegalArgumentException(method + " has params"); < String name = method.getName(); < Class type = method.getReturnType(); < memberTypes.put(name, invocationHandlerReturnType(type)); < members.put(name, method); --- > Method[] methods = > AccessController.doPrivileged(new PrivilegedAction<Method[]>() { > public Method[] run() { > // Initialize memberTypes and defaultValues > return annotationClass.getDeclaredMethods(); > } > }); 90,92d89 < Object defaultValue = method.getDefaultValue(); < if (defaultValue != null) < memberDefaults.put(name, defaultValue); 94,95c91,101 < members.put(name, method); < } --- > for (Method method : methods) { > if (method.getParameterTypes().length != 0) > throw new IllegalArgumentException(method + " has params"); > String name = method.getName(); > Class type = method.getReturnType(); > memberTypes.put(name, invocationHandlerReturnType(type)); > members.put(name, method); > > Object defaultValue = method.getDefaultValue(); > if (defaultValue != null) > memberDefaults.put(name, defaultValue); 96a103,105 > members.put(name, method); > } >

24-06-2006

EVALUATION After discussion with various parties, the appropriate fix to this issues seems to be adding doPriviledged blocks in our implementation of getAnnotation[s] rather than forcing the client of those methods to add doPriviledged blocks or catch the security exceptions.

18-01-2006