10

Spring newbie here.

I observed that Spring was able to instantiate a non-public class (i.e. a class with default visibility) that I had defined. Can anyone tell me how Spring achieves this? Why is this allowed ?

Sean Patrick Floyd
  • 292,901
  • 67
  • 465
  • 588
Rahul
  • 12,886
  • 13
  • 57
  • 62
  • 2
    http://stackoverflow.com/questions/770635/disable-java-reflection-for-the-current-thread/770672#770672 seems to be a relevant answer that covers some of the core technologies involved. – Donal Fellows Mar 25 '11 at 09:31

2 Answers2

22

OK, here's how they do it. Take this sample class:

package hidden;  

class YouCantInstantiateMe{

    private YouCantInstantiateMe(){
        System.out.println("Damn, you did it!!!");
    }

}

The above is a package-private class with a private constructor in a different package, but we'll still instantiate it:

Code (run from a class in a different package):

public static void main(final String[] args) throws Exception{
    Class<?> clazz = Class.forName("hidden.YouCantInstantiateMe");
                                            // load class by name
    Constructor<?> defaultConstructor = clazz.getDeclaredConstructor();
    // getDeclaredConstructor(paramTypes) finds constructors with
    // all visibility levels, we supply no param types to get the default
    // constructor
    defaultConstructor.setAccessible(true); // set visibility to public
    defaultConstructor.newInstance();       // instantiate the class
}

Output:

Damn, you did it!!!

Of course what Spring does is much more complex, because they also deal with Constructor Injection etc., but this is how to instantiate invisible classes (or invisible constructors).

Sean Patrick Floyd
  • 292,901
  • 67
  • 465
  • 588
  • 1
    Thanks. If the default Java behavior (i.e., without reflection) is to prevent accessing non-public classes from other packages, why does Spring allow it ? – Rahul Mar 26 '11 at 03:35
  • 1
    cause they are not Mockito – krems Sep 10 '14 at 07:36
  • @krems ? can you elaborate? – Sean Patrick Floyd Sep 10 '14 at 07:40
  • @Sean Patrick Floyd , I allude that Mockito group reject to use reflection i.e. to provide ability to mock statics, grounding on the fact that "it's not a clear way". This is all about following one or another conception. – krems Sep 11 '14 at 12:19
  • @SeanPatrickFloyd is spring able to instantiate `private` classes? if yes, then what about security? – atish shimpi Jan 02 '15 at 07:09
  • 1
    @atishshimpi if you don't trust your application, install a [`SecurityManager`](http://docs.oracle.com/javase/7/docs/api/java/lang/SecurityManager.html). Without one, any class can be instantiated through reflection, as long as you know the class name – Sean Patrick Floyd Jan 02 '15 at 07:58
11

The one, who is responsible to check if you (or Spring) is allowed to instantiate class in runtime, is Security Manager . If you are running with simple main class, you probably don't have it at all. If you configure your application to run with Security Manager, and do not grant Spring with special permissions, it won't be able to instantiate non-public classes.

Tarlog
  • 10,024
  • 2
  • 43
  • 67