2

As per understanding its possible to manipulate the general notion of final keyword using reflection.

Also its possible to prevent the same using a security manager.

Is it possible to enable the security manager by default (at the jdk-installation level ) ?

References :

Update 1:

Given that its required to be enabled in order to work, its unlikely that its possible.

The closest I got was by placing System.setSecurityManager(new SecurityManager()) in the static block of a class, bundling it as a jar and placing it in the 'jre/lib/ext', only to find that its not loaded by default and we still need to use Class.forName.

So even otherwise the only options are to either use the -Djava.security.manager flag or add programatically.

Community
  • 1
  • 1
Ravindra HV
  • 2,558
  • 1
  • 17
  • 26

1 Answers1

0

You can set default Java system properties using the _JAVA_OPTIONS environment variable, so you could set _JAVA_OPTIONS="-Djava.security.manager" on your system, and this would ensure that all Java processes would run with the security manager enabled.

Of course this variable could be overwritten, so it might not be sufficiently secure depending on your environment.

If you're trying to ensure a final member of a particular class can't be overridden using reflection, the other option would be to put a static initialization block in that class that checks that the security manager is installed and throws a SecurityException if it's not.

alphaloop
  • 1,127
  • 12
  • 22
  • Guess so. What I am trying to arrive it is to avoid having to rely on programmatic approach since that relies on the class itself being loaded which is not necessarily guaranteed. That's why I am looking for an option that can be guaranteed and applies across the JVM and is preferably not reversible (that is the security manager should not be un-installed once its installed). Thanks for your answer though. – Ravindra HV Jul 01 '16 at 19:50