Bruno Bruno - 1 month ago 20
Java Question

Java Security Manager completely disable reflection

I've been reading quite a lot of questions on Stackoverflow about this question but couldn't quit find a solution or answer for my problem. If there is already one I would be grateful if somebody would give a hint ...

My problem/question is if it is possible to completely disable reflection for not trustworthy code? Functions like

getDeclaredMethods()
(See test.java). I've already got a Java Security Manager which throws Security Exceptions if the code tries to write/read/etc. ...

If it is possible, can somebody show me how?

Bruno

test.java

TestClass cls = new TestClass();
Class c = cls.getClass();

// returns the array of Method objects
Method[] m = c.getDeclaredMethods();
for(int i = 0; i < m.length; i++) {
System.out.println("method = " + m[i].toString());
}

Answer

So I solved the problem not directly with checkPermission(). My workaround is to check if the java.lang.reflect package is accessed.

@Override
public void checkPackageAccess(String pkg){

    // don't allow the use of the reflection package
    if(pkg.equals("java.lang.reflect")){
        throw new SecurityException("Reflection is not allowed!");
    }
}